Alphanumeric Password Requirement

 

Supported On:

Setting Label

Exchange Server 2010/2007

 

Exchange Server 2003

  (Minimum complex characters is 3)

 

The Require alphanumeric password (2010/2007) and Require both numbers and letters (2003) settings specify whether or not the device password should consist of letters, numbers, and special characters.  When enabled, the device client is required to use a “Strong Alphanumeric” password, which consists of lowercase letters, uppercase letters, numerals, and special characters (@, #, &, etc.). Collectively, these four character types are known as complex characters.

Exchange Server 2010/2007 has a Minimum number of complex characters setting which allows you to choose the number of each type of complex character which must exist in an alphanumeric device password.  For example, if the minimum complex character requirement is two (2), the user will be required to create a password containing at least two (2) lowercase letters, at least two (2) uppercase letters, at least two (2) numerals, and at least two (2) special characters.

Exchange Server 2003 enforces a minimum complex character requirement of three (3). This means that the user will be required to create a password containing at least three (3) lowercase letters, at least three (3) uppercase letters, at least three (3) numerals, and at least three (3) special characters.

 

The one exception to this rule is in the case of when the minimum password length is less than the minimum complex character requirement multiplied by the number of complex character types. In this case, the user need only create a password with an even distribution of the complex character types that meets the minimum length.

For example, if a minimum complex character requirement of three (3) is enforced, the password will need to be at least twelve (12) characters long (3 complex characters * 4 complex character types). However, if the minimum password length is nine (9), then the user need only enter a nine-character password containing an even distribution of the complex character types. The following complex character combinations would be considered valid in this scenario:

      3 lowercase letters, 2 uppercase letters, 2 numerals, 2 special symbols

      2 lowercase letters, 3 uppercase letters, 2 numerals, 2 special symbols

      2 lowercase letters, 2 uppercase letters, 3 numerals, 2 special symbols

      2 lowercase letters, 2 uppercase letters, 2 numerals, 3 special symbols

 

The following complex character combinations would be considered invalid in this scenario, as the character types are unevenly distributed:

      1 lowercase letter, 3 uppercase letters, 3 numerals, 2 special symbols

      5 lowercase letters, 0 uppercase letters, 2 numerals, 2 special symbols

      1 lowercase letter, 1 uppercase letter, 1 numeral, 6 special symbols

 

To further illustrate this concept, the following table provides examples of valid passwords given a minimum complex character requirement and minimum password length:

Alphanumeric Password Examples

Min. Length

Min. Comp. Chars.

Valid Password Examples

5

2

aA1!b , 7%o$Y , 12aB# , @1AbC

10

2

aA1!bB2@cc , aaAA11!!23 , j0%73bY@Qk

15

2

aA1!bB2@ccccccc , 1111111a!A1b@B2 , aaAA11!!123abc?

15

3

aA1!bB2@cC3#ddd , abcABC123!@#efg

 

Notice that if the minimum length exceeds the complex character requirement multiplied by the number of complex character types, the password may contain any sequence of characters in any order regardless of repetition as long as the requirement rule is met.