Password Uniqueness May Not Account for Case Sensitivity

• Microsoft Windows NT Workstation versions 3.5, 3.51, 4.0
• Microsoft Windows NT Server versions 3.5, 3.51, 4.0

SYMPTOMS

If the Account Policy for a domain requires a unique password and you try to change your password on a client computer that has support for case sensitive passwords, changes in case may not count as a unique password.

MORE INFORMATION

When a Windows NT-based computer negotiates a session with a Windows NT-based domain controller, it sets flags that show that it can support case-sensitive passwords. This means there is case distinction of passwords, for example, you can change your password from "password" to "PassWord".

Down-level clients (such as Microsoft Windows for Workgroups and Microsoft Windows 95) do not support case-sensitive passwords. Because of this, when a password is set on the domain, two copies of it are stored. If the password is set from a down-level client, both passwords stored are the same. However, if the password is set by a client with support for case-sensitive passwords, the case-specific password is stored along with a case-insensitive password. By doing so, you can set a case-sensitive password and still be able to logon from a down-level client.

When password uniqueness is checked, it compares the password it is given to the case-insensitive password. This limits you to actual character changes when you make a unique password.

STATUS

Microsoft has confirmed this to be a limitation in Windows NT.

Keywords : kbenv ntdomain winnt
Version : 3.11 95 4.0 3.51
Platform : winnt
Issue type : kbprb