AD password policy

Posted on 2013-10-30
Last Modified: 2013-11-07
Are there any recommended best practices when it comes to domain password policies? Has MS recommended any specific levels for low, medium and high security domains? One of our partners has currently set it at a 7 character minimum length, 90 day maximum age, and no complexity requirement, which to me seems on the weak side. I wondered if there's any guidance in this area?
Question by: pma111

Assisted Solution

JeanPoL earned 84 total points
Hi there,

As an IT guy at a bank, from my experience (IT audits, penetration tests and many others) I would suggest going like this:

- Minimum 8 characters
- Strong password
- 42 days maximum age
- 0 days minimum
- Enforce password history: 5 passwords remembered

* With this setup you can get an OK from all IT security standards

Author Comment

Does strong password = enforce complexity?

Accepted Solution

McKnife earned 84 total points

> you can get ok from all it security standards
Sorry JeanPol, but what should that mean? The Windows complexity requirements are not really strict, so I wonder which security standards you would fulfil.

I strongly recommend using a 3rd party tool that does not only have better complexity enforcement but, much more importantly, also does dictionary checks.
I recommend Anixis Password Policy Enforcer.

With Windows' own complexity requirements, a password like JeanPol1 would be called complex. Also McKnife1 would be complex, and 1DogBarks would be called complex although they are not really.
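As an added example, not code from McKnife, Anixis or Microsoft: the rule that the Windows "Password must meet complexity requirements" setting applies (six or more characters, no account name or display-name token of three or more characters, and characters from three of five categories) re-implemented in Python, placed next to a simple dictionary check so the same inputs can be run through both. The mini wordlist and the leet-substitution table are constructed for the example and stand in for a real wordlist file.

```python
import string

# Added example, not Microsoft's code: the documented Windows rule
# "Password must meet complexity requirements" re-implemented so that it can be
# compared with a dictionary/pattern check on the same inputs.

# Delimiters Windows uses to split the display name into tokens.
DISPLAY_NAME_DELIMITERS = " ,.-_#\t"

# Constructed mini wordlist standing in for a real dictionary file (e.g. rockyou.txt).
WORDLIST = {"jean", "pol", "knife", "dog", "bark", "barks", "password", "summer", "welcome"}

# Common leet substitutions undone before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oleastasi")


def count_categories(password):
    """Number of the five Windows character categories present in the password."""
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c in string.digits for c in password)
    has_special = any(c in string.punctuation for c in password)
    # Alphabetic characters without case (e.g. CJK scripts) are the fifth category.
    has_other_alpha = any(
        c.isalpha() and not c.isupper() and not c.islower() for c in password
    )
    return sum([has_upper, has_lower, has_digit, has_special, has_other_alpha])


def windows_complexity_ok(password, account_name="", display_name=""):
    """True if the password passes the built-in Windows complexity rule."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    for delim in DISPLAY_NAME_DELIMITERS:
        display_name = display_name.replace(delim, " ")
    for token in display_name.split():
        # Display-name tokens shorter than three characters are ignored by Windows.
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return count_categories(password) >= 3


def segments_into_words(text, words, min_len=3):
    """True if text splits entirely into dictionary words of at least min_len chars."""
    reachable = [False] * (len(text) + 1)
    reachable[0] = True
    for i in range(len(text)):
        if reachable[i]:
            for j in range(i + min_len, len(text) + 1):
                if text[i:j] in words:
                    reachable[j] = True
    return len(text) > 0 and reachable[-1]


def dictionary_based(password, words=WORDLIST):
    """True if the password is a dictionary word (or words) dressed up with
    digits/symbols at the ends, capitalisation or leet substitutions."""
    core = password.lower().strip(string.digits + string.punctuation)
    for candidate in {core, core.translate(LEET)}:
        if any(w in candidate for w in words if len(w) >= 4):
            return True
        if segments_into_words(candidate, words):
            return True
    return False


def evaluate(password, account_name="", display_name=""):
    """Run both checks on one password and report the results side by side."""
    return {
        "windows_complex": windows_complexity_ok(password, account_name, display_name),
        "dictionary_based": dictionary_based(password),
    }


if __name__ == "__main__":
    for pw in ["JeanPol1", "McKnife1", "1DogBarks", "P@ssw0rd", "Tr7#qLw9zP"]:
        print(f"{pw:<12} {evaluate(pw)}")
```

JeanPol1, McKnife1, 1DogBarks and P@ssw0rd all pass the complexity rule and all fail the dictionary check; the random-looking Tr7#qLw9zP passes both. That gap is exactly what a dictionary-checking filter closes and the built-in setting does not.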

Assisted Solution

Sandeshdubey earned 83 total points
Enforcing Strong Password Usage Throughout Your Organization

Assisted Solution

by:Rich Rumble
Rich Rumble earned 83 total points
Anything below 10 characters is too low, complexity or not: (all possible 8 character passwords)
Also, changing passwords often is not as needed as it once was, unless your password length is lower, or the password is more sensitive.
Document from a M$ researcher says the same.

I do pentests; passwords are the second weakest link in every domain I've been on. Length and not using dictionary words are what keep passwords from being cracked. Complexity doesn't help as much as you think it does; in fact, if you have 4 items required in an 8 character password, you're hurting your security. Uppercase, lowercase, number and a special character: you've reduced the possible passwords by half.

If you increase that to 9 and use the four possible classes, it's 10% better. You should only require letters, numbers and specials, and you should put the minimum length at 10 or more. If you can get a 3rd party to vet the passwords for easy dictionary words, you should. And you should use the "rockyou.txt" file as the basis for what the users shouldn't be allowed to use :)

Assisted Solution

Biniek earned 83 total points
Hi,

Microsoft has published security recommendations in SCM (Security Compliance Manager).

You can download and install it; in this tool you can find all the security settings recommended by Microsoft (of course including password settings) in templates, which you can export as a GPO backup and implement in your organization.

In this tool you can find recommendations for all server systems, Windows workstations, Office, SQL, Exchange etc.

In this tool you can also find security guides for Microsoft products and systems, with all the information about vulnerabilities and how to mitigate them.

I would recommend using it.

Assisted Solution

daniel0 earned 83 total points
Many articles have been strategised for this, and moreover many applications have been finalised for the same.

The process of rolling out a much-needed, updated password policy. “Password Policies can be debated for hours” describes exactly what we are going through with our new roll-out.

Have a look at this documentation:

- Different passwords for each program/login
- All passwords need to meet complexity requirements:
  - Minimum 8 characters
  - 3 out of 4 of the following required: upper or lower case, numeric, symbols
  - Not a word found in a dictionary, language, slang, etc.
  - Not based on personal info
  - Not written down or stored locally
  - Forced change at least quarterly
  - Cannot reuse last 10 passwords

All of this is forced where possible. We have a few programs that don’t enforce history or complexity. For those, we randomly audit.

No biometrics yet, I haven’t seen it to be reliable enough in the laptops I’ve tried.

It’s amazing to me how many users don’t understand why they need a secure password, let alone are forced to change it.

There is also an application for the same, to learn much more.

Please click on the given link for the same.

Expert Comment

by:Rich Rumble
Nothing wrong with a written password, I have them, just keep them safe on your person, like in a wallet. A written, complex password you don't have to change, as long as you trust its security. A weak password, one found in the dictionary or easily found using substitution, you do have to change; this is the case for most users. That's why 90 days was established: it's how long a brute force of passwords used to take on Windows to find every possible combination for an 8 character password. That's less than 6 hours now; increase to 9 and it's around 20 days, increase to 10 and it's about 1 year. Remember that's brute force; there are much faster ways to find passwords typically.
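An added example (not from Rich Rumble or anyone else in the thread) to put numbers on the two points he makes above: how much of the keyspace a "must contain all four classes" rule removes at a given length, and how long an exhaustive search of what remains would take at an assumed guess rate. It uses inclusion-exclusion over the required classes and checks the formula by brute force on a tiny alphabet. The 94-character alphabet (26 + 26 + 10 + 32 printable ASCII symbols) and the guess rate are assumptions of the example, not figures from the thread.

```python
import itertools
import string

# Added example, not from the thread's authors: count the passwords a length and
# composition policy actually allows, by inclusion-exclusion over the required
# character classes, and cross-check the formula by brute force on a tiny alphabet.

UPPER = string.ascii_uppercase      # 26 characters
LOWER = string.ascii_lowercase      # 26 characters
DIGITS = string.digits              # 10 characters
SPECIALS = string.punctuation       # 32 printable ASCII symbols (assumed special set)
ALL_CLASSES = [UPPER, LOWER, DIGITS, SPECIALS]


def alphabet_of(classes):
    """Union of all characters in the given classes."""
    return set().union(*(set(c) for c in classes))


def unconstrained_count(length, classes=ALL_CLASSES):
    """Passwords of `length` over the union of `classes`, with no composition rule."""
    return len(alphabet_of(classes)) ** length


def constrained_count(length, classes=ALL_CLASSES, required=None):
    """Passwords of `length` over the union of `classes` that contain at least one
    character from every class in `required` (default: every class in `classes`).
    Inclusion-exclusion: sum over subsets S of the required classes of
    (-1)^|S| * |alphabet minus the characters of S|^length.
    Using set differences keeps the count right even if classes overlap."""
    alphabet = alphabet_of(classes)
    required = [set(c) for c in (classes if required is None else required)]
    total = 0
    for k in range(len(required) + 1):
        for excluded in itertools.combinations(required, k):
            remaining = alphabet.difference(*excluded)
            total += (-1) ** k * len(remaining) ** length
    return total


def brute_force_count(length, classes, required=None):
    """Same count by enumeration; only feasible for tiny alphabets and lengths."""
    alphabet = sorted(alphabet_of(classes))
    required = [set(c) for c in (classes if required is None else required)]
    return sum(
        1
        for pw in itertools.product(alphabet, repeat=length)
        if all(set(pw) & cls for cls in required)
    )


def exhaustive_search_seconds(keyspace, guesses_per_second):
    """Worst-case time to try every password in the keyspace at a given guess rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    # Constructed rate for illustration only; real rates depend on hash type and hardware.
    RATE = 1e11
    for length in (8, 9, 10, 12):
        free = unconstrained_count(length)
        strict = constrained_count(length)  # all four classes required
        days = exhaustive_search_seconds(strict, RATE) / 86400
        print(f"len {length:>2}: any mix {free:.3e}  all 4 classes required {strict:.3e} "
              f"({strict / free:.0%} of the space, {days:.1f} days at {RATE:.0e}/s)")
```

Run stand-alone it prints, for lengths 8, 9, 10 and 12, the unconstrained count, the count with all four classes required, the share of the space that rule leaves and the exhaustive-search time at the assumed rate. At length 8 the all-four-classes rule leaves about 46% of the space, in line with the "reduced by half" above, and each extra character of length multiplies the remaining space by far more than any composition rule takes away.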
