
increase Windows password complexity#175

Merged
dexyk merged 2 commits intorenderedtext:masterfrom
cchristous:windows-user-data
Oct 22, 2025

Conversation

@cchristous
Contributor

Change Description

This drastically increases the complexity of the password used for the semaphore user creation during Windows userdata execution.

I saw 2 occurrences of errors in the existing logic:

```text
Fetching info from IMDS...
Fetching agent params...
Creating 'semaphore' user...
New-LocalUser : Unable to update the password. The value provided for the new password does not meet the length,
complexity, or history requirements of the domain.
At C:\semaphore-agent\start.ps1:146 char:1
+ New-LocalUser -Name $UserName -PasswordNeverExpires -Password $Passwo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [New-LocalUser], InvalidPasswordException
    + FullyQualifiedErrorId : InvalidPassword,Microsoft.PowerShell.Commands.NewLocalUserCommand
```

What I've found is

In Windows Server 2019, local user password requirements can be configured using Group Policy or the Local Security Policy Editor. By default, passwords must be at least six characters long and contain characters from at least three of the following four categories: uppercase letters, lowercase letters, numbers, and non-alphabetic characters. The system also prevents passwords from containing the user's account name or parts of their full name.

For Windows Server 2019 local users, the maximum password length for user-initiated changes in the logon interface is 127 characters. This is due to a limitation in the Windows logon dialog box itself.

My belief is that the current logic can sometimes not include 3 of "uppercase letters, lowercase letters, numbers, and non-alphabetic characters". By dramatically increasing the length and forcing the password to contain a symbol, I am hoping that this issue won't happen anymore.

I originally made this change back on Jun 5 to our internal copy of this file. We haven't seen an issue with a Windows agent EC2 instance starting up since.
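As an added example (not the PR's or the agent's own code), a PowerShell generator that draws at least one character from each of the four categories the description lists, so the "three of four" rule cannot fail by chance, plus a check that mirrors the quoted policy so a bad password is rejected before New-LocalUser runs. The 64-character length and the `semaphore` user name are assumptions.

```powershell
function Get-RandomIndex {
    # Uniform integer in [0, $Max) from the OS CSPRNG; rejection sampling
    # over one byte avoids modulo bias (requires $Max -le 256).
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    $limit = 256 - (256 % $Max)
    $b = New-Object byte[] 1
    do { $Rng.GetBytes($b) } while ($b[0] -ge $limit)
    return ([int]$b[0]) % $Max
}

function New-ComplexPassword {
    # Length 64 is an assumed default; the logon dialog limit quoted above is 127.
    param([int]$Length = 64)
    if ($Length -lt 4 -or $Length -gt 127) { throw 'Length must be between 4 and 127' }
    $sets = @(
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',    # uppercase letters
        'abcdefghijklmnopqrstuvwxyz',    # lowercase letters
        '0123456789',                    # numbers
        '!@#$%^&*()-_=+[]{};:,.?/'       # non-alphabetic characters
    )
    $all = -join $sets
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object System.Collections.Generic.List[char]
    # One character from every category first, then fill from the combined set.
    foreach ($s in $sets) { $chars.Add($s[(Get-RandomIndex $rng $s.Length)]) }
    while ($chars.Count -lt $Length) { $chars.Add($all[(Get-RandomIndex $rng $all.Length)]) }
    # Fisher-Yates shuffle so the guaranteed characters do not always sit at the front.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    $rng.Dispose()
    return -join $chars
}

function Test-PasswordComplexity {
    # Mirrors the policy quoted above: minimum length, 3 of 4 categories,
    # and no occurrence of the account name (case-insensitive).
    param([string]$Password, [string]$UserName, [int]$MinLength = 6)
    if ($Password.Length -lt $MinLength) { return $false }
    $hits = @('[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') |
        Where-Object { $Password -cmatch $_ } | Measure-Object
    if ($hits.Count -lt 3) { return $false }
    if ($UserName.Length -ge 3 -and
        $Password.IndexOf($UserName, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $false }
    return $true
}

$UserName = 'semaphore'
$plain = New-ComplexPassword -Length 64
if (-not (Test-PasswordComplexity -Password $plain -UserName $UserName)) {
    throw 'Generated password does not satisfy the local complexity policy'
}
$Password = ConvertTo-SecureString -String $plain -AsPlainText -Force
# New-LocalUser -Name $UserName -PasswordNeverExpires -Password $Password
```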

@lucaspin
Contributor

/sem-approve

@lucaspin
Contributor

/sem-approve

@radwo
Member

radwo commented Aug 26, 2025

/sem-approve

@dexyk
Contributor

dexyk commented Oct 17, 2025

Hey @cchristous, could you please rebase your branch on the latest master? We’ve fixed the cache and security toolbox issues that were causing fork PR workflows to fail. Thanks for your patience!

@cchristous
Contributor Author

> Hey @cchristous, could you please rebase your branch on the latest master? We’ve fixed the cache and security toolbox issues that were causing fork PR workflows to fail. Thanks for your patience!

Done

@radwo
Member

radwo commented Oct 18, 2025

/sem-approve

@dexyk dexyk requested a review from DamjanBecirovic October 20, 2025 13:09
@dexyk dexyk merged commit 076fbdc into renderedtext:master Oct 22, 2025
1 check passed
