AD password policy

Posted on 2013-10-30
Medium Priority
Last Modified: 2013-11-07
Are there any recommended best practices when it comes to domain password policies? Has MS recommended any specific levels for low, medium and high security domains? One of our partners has currently set it at 7 characters minimum length, 90 day maximum age, and no complexity requirement, which to me seems on the weak side. I wondered if there's any guidance in this area?
Question by:pma111

Assisted Solution

JeanPoL earned 336 total points
ID: 39611104
Hi there,

As an IT guy at a bank, and from my experience (IT audits, penetration tests and many others), I would suggest going like this:

- Minimum 8 characters
- Strong password
- 42 days maximum age
- 0 days minimum age
- Enforce password history: 5 passwords remembered

* With this setup, you can get an OK from all IT security standards.
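Applying the five settings above to the default domain policy with the ActiveDirectory PowerShell module, as an added example that is not code from the thread. The domain name contoso.com and the PSO name are placeholders, and the fine-grained policy at the end goes beyond JeanPoL's list: it shows how the same cmdlet family holds privileged accounts to a stricter standard than ordinary users.

```powershell
# Added example (not from the thread): set the default domain password policy
# to the values suggested above, after recording the current settings so the
# change can be compared or rolled back. Run from a host with RSAT / the AD
# module, as a Domain Admin. contoso.com is a placeholder domain name.
Import-Module ActiveDirectory

$Domain = 'contoso.com'   # placeholder

# Record what is in place today before touching anything.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$before | Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                      MinPasswordAge, PasswordHistoryCount, LockoutThreshold

# JeanPoL's values: 8 characters, complexity on, 42-day maximum age,
# 0-day minimum age, 5 passwords remembered.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 0) `
    -PasswordHistoryCount 5 `
    -ReversibleEncryptionEnabled $false

# Confirm the change took effect.
Get-ADDefaultDomainPasswordPolicy -Identity $Domain |
    Format-List MinPasswordLength, ComplexityEnabled, MaxPasswordAge,
                MinPasswordAge, PasswordHistoryCount

# Beyond the list above: a fine-grained password policy (domain functional
# level 2008 or later) that applies a longer minimum and a lockout to
# privileged accounts. The PSO name and precedence are assumptions.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 42) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 24 `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'
```

One caveat worth checking in the output: with a minimum age of 0 days, a user who is forced to change a password can change it six times in a row and land back on the original, because the history of five is exhausted immediately. A minimum age of 1 day (as in the PSO) closes that gap, which is why audits usually look at minimum age and history together.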

Author Comment

ID: 39611107
Does strong password = enforce complexity?

Expert Comment

ID: 39611121

Accepted Solution

McKnife earned 336 total points
ID: 39611569

> you can get ok from all it security standards
Sorry JeanPol, but what should that mean? The Windows complexity requirements are not really strict, so I wonder which security standards you would fulfil.

I strongly recommend using a 3rd-party tool that not only has better complexity enforcement but, much more important, also does dictionary checks.
I recommend Anixis Password Policy Enforcer.

With Windows' own complexity requirements, a password like JeanPol1 would be called complex. Also McKnife1 would be complex, and 1DogBarks would be called complex, although they really are not.

Assisted Solution

Sandeshdubey earned 332 total points
ID: 39612165
Enforcing Strong Password Usage Throughout Your Organization

Assisted Solution

by:Rich Rumble
Rich Rumble earned 332 total points
ID: 39615690
Anything below 10 characters is too low, complexity or not:
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours (all possible 8 character passwords)
Also, changing passwords often is not as needed as it once was, unless your password length is low or the password is more sensitive: https://www.schneier.com/blog/archives/2010/11/changing_passwo.html
A document from an M$ researcher says the same.

I do pentests; passwords are the second weakest link in every domain I've been on. Length and not using dictionary words are what keep passwords from being cracked. Complexity doesn't help as much as you think it does; in fact, if you have 4 items required in an 8 character password, you're hurting your security. Uppercase, lowercase, number and a special character: you've reduced the possible passwords by half.

If you increase that to 9 and use the four possible classes, it's 10% better. You should only require letters, numbers and specials, and you should put the minimum length at 10 or more. If you can get a 3rd party to vet the passwords for easy dictionary words, you should. And you should use the "rockyou.txt" file as the basis for what the users shouldn't be allowed to use :)

Assisted Solution

Biniek earned 332 total points
ID: 39618774
Hi,

Microsoft has published security recommendations in SCM (Security Compliance Manager).

You can download and install it; in this tool you can find all of Microsoft's recommended security settings (of course password settings too) in templates, which you can export as a GPO backup and implement in your organization.

In this tool you can find recommendations for all server systems, Windows workstations, Office, SQL, Exchange etc.

In this tool you can also find security guides for Microsoft products and systems, all information about vulnerabilities, and how to mitigate them.

I would recommend using it.

Assisted Solution

daniel0 earned 332 total points
ID: 39629934
Many articles have been strategised for this, and moreover many of the applications have been finalised for the same.

The process of rolling out a much needed, updated password policy: "Password policies can be debated for hours" describes exactly what we are going through with our new roll-out.

Have a look at this documentation:

Different passwords for each program/login. All passwords need to meet complexity requirements:

- Minimum 8 characters
- 3 out of 4 of the following required: upper or lower case, numeric, symbols
- Not a word found in a dictionary, language, slang, etc.
- Not based on personal info
- Not written down or stored locally
- Forced change at least quarterly
- Cannot reuse last 10 passwords

All of this is forced where possible. We have a few programs that don’t enforce history or complexity. For those, we randomly audit.

No biometrics yet, I haven’t seen it to be reliable enough in the laptops I’ve tried.

It’s amazing to me how many users don’t understand why they need a secure password, let alone are forced to change it.

There is also an application for the same, to know much more.

Please click on the given link for the same.

Expert Comment

by:Rich Rumble
ID: 39630025
Nothing wrong with a written password; I have them, just keep them safe on your person, like in a wallet. A written, complex password you don't have to change, as long as you trust its security. A weak password, one found in the dictionary or easily found using substitution, you do have to change; this is the case for most users. That's why 90 days was established: it's how long brute force of passwords used to take on Windows to find every possible combination for an 8 character password. That's less than 6 hours now; increase to 9 and it's around 20 days, increase to 10 and it's about 1 year. Remember that's brute force; there are much faster ways to find passwords typically.
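The keyspace arithmetic behind Rich Rumble's two comments (requiring all four character classes in an 8 character password discards about half of the possible passwords, and brute-force time grows with each extra character), as an added PowerShell example that is not code from the thread. It assumes the 95 printable ASCII characters split into 26 upper, 26 lower, 10 digits and 33 symbols, and a guessing rate of 350 billion NTLM hashes per second, the figure the linked Ars Technica article reports for the 25-GPU cluster; function and parameter names are my own. It also goes beyond the comments by computing Windows' own "3 of 4 classes" rule, so the two policies can be compared side by side.

```powershell
# Added example (not from the thread): how many passwords of a given length
# satisfy a "must use at least N character classes" rule, and how long an
# exhaustive search of that space takes at an assumed guessing rate.

function Get-KeySpace {
    param(
        [Parameter(Mandatory)][int]$Length,
        [int[]]$ClassSizes = @(26, 26, 10, 33),   # upper, lower, digit, symbol (assumed split of 95 printable ASCII)
        [int]$MinClasses = 0                      # 0 = no class requirement, 3 = Windows' rule, 4 = "all four"
    )
    $n = $ClassSizes.Count
    $total = [bigint]::Zero
    # For every non-empty subset S of classes, count passwords that use exactly
    # the classes in S (inclusion-exclusion over the subsets T of S), then sum
    # the counts of every S that has at least $MinClasses members.
    for ($s = 1; $s -lt (1 -shl $n); $s++) {
        $sBits = 0
        for ($i = 0; $i -lt $n; $i++) { if ($s -band (1 -shl $i)) { $sBits++ } }
        if ($sBits -lt $MinClasses) { continue }
        $exact = [bigint]::Zero
        for ($t = 0; $t -lt (1 -shl $n); $t++) {
            if (($t -band $s) -ne $t) { continue }            # T must be a subset of S
            $size = 0; $tBits = 0
            for ($i = 0; $i -lt $n; $i++) {
                if ($t -band (1 -shl $i)) { $size += $ClassSizes[$i]; $tBits++ }
            }
            $term = [bigint]::Pow($size, $Length)             # strings drawn only from the classes in T
            if ((($sBits - $tBits) % 2) -eq 0) { $exact += $term } else { $exact -= $term }
        }
        $total += $exact
    }
    return $total
}

function Get-BruteForceTime {
    param(
        [Parameter(Mandatory)][bigint]$KeySpace,
        [double]$GuessesPerSecond = 350e9   # assumed: ~350 billion NTLM guesses/s (25-GPU cluster in the Ars article)
    )
    $seconds = [double]$KeySpace / $GuessesPerSecond
    [pscustomobject]@{
        Hours = [math]::Round($seconds / 3600, 1)
        Days  = [math]::Round($seconds / 86400, 1)
        Years = [math]::Round($seconds / (86400 * 365), 2)
    }
}

# Effect of class rules on an 8-character password.
$any   = Get-KeySpace -Length 8
$three = Get-KeySpace -Length 8 -MinClasses 3   # Windows complexity: 3 of 4 (Unicode category ignored)
$four  = Get-KeySpace -Length 8 -MinClasses 4   # "all four required", the policy Rich describes
"8 chars, no requirement : {0:E3}" -f [double]$any
"8 chars, 3 of 4 classes : {0:E3} ({1:P0} of the unconstrained space)" -f [double]$three, ([double]$three / [double]$any)
"8 chars, all 4 classes  : {0:E3} ({1:P0} of the unconstrained space)" -f [double]$four,  ([double]$four  / [double]$any)

# Exhaustive search time as length grows, with no class requirement.
foreach ($len in 8, 9, 10) {
    $t = Get-BruteForceTime -KeySpace (Get-KeySpace -Length $len)
    "{0} chars: {1} h / {2} d / {3} y" -f $len, $t.Hours, $t.Days, $t.Years
}
```

Two things the numbers show that the comments only assert: the "all four classes" rule leaves about 46% of the 8-character space, while Windows' built-in 3-of-4 rule leaves about 95% of it, which is why McKnife calls it not really strict (JeanPol1 and 1DogBarks both pass). And every extra character multiplies the search by 95, so length buys far more than class rules; the remaining weakness, a password that is long but sits in a wordlist such as rockyou.txt, is exactly what the dictionary check both Rich and McKnife ask for addresses, since exhaustive search is never the attacker's first choice.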
