AD password policy

Are there any recommended best practices when it comes to domain password policies? Has MS recommended any specific levels for low, medium and high security domains? One of our partners has currently set it at a 7 character minimum length, 90 day maximum age, and no complexity requirement, which to me seems on the weak side. I wondered if there's any guidance in this area?
6 Solutions
Hi there,

As an IT guy at a bank, based on my experience (IT audits, penetration tests and many others), I would suggest going like this:

- Minimum 8 characters
- Strong password
- 42 days maximum age
- 0 days minimum age
- Enforce password history: 5 passwords remembered

* With this setup, you can get an OK from all IT security standards.
pma111 (Author) commented:
Does strong password = enforce complexity?
> you can get ok from all it security standards
Sorry JeanPol, but what is that supposed to mean? The Windows complexity requirements are not really strict, so I wonder which security standards you would fulfil.

I strongly recommend using a 3rd party tool that not only has better complexity enforcement but, much more importantly, also does dictionary checks.
I recommend Anixis Password Policy Enforcer.

With Windows' own complexity requirements, a password like JeanPol1 would be called complex. McKnife1 would also be complex, and 1DogBarks would be called complex, although they really are not.
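To make the point above concrete, here is an added example (not code from the thread or from any product it names) that implements the documented Windows complexity rule (at least 6 characters, no 3+ character piece of the account or display name, 3 of 4 character classes) next to a simple dictionary check. The word list is a constructed stand-in for a real file such as the rockyou.txt mentioned later in the thread; the substitution table and the helper names are my own.

```python
import re

# Constructed mini word list standing in for a real dictionary / leaked-password file.
WORDLIST = {"password", "jeanpol", "mcknife", "dog", "barks", "welcome", "summer"}

# Common digit/symbol substitutions that a dictionary check should undo (assumed set).
_SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def windows_complexity(password: str, account_name: str = "", display_name: str = "") -> bool:
    """Windows 'Password must meet complexity requirements' as documented by Microsoft."""
    if len(password) < 6:
        return False
    low = password.lower()
    if account_name and account_name.lower() in low:
        return False
    # Display name is split on commas, periods, dashes, underscores, spaces, '#' and tabs;
    # any piece longer than two characters must not appear in the password.
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) > 2 and token.lower() in low:
            return False
    classes = (re.search(r"[A-Z]", password), re.search(r"[a-z]", password),
               re.search(r"[0-9]", password), re.search(r"[^A-Za-z0-9]", password))
    return sum(1 for c in classes if c) >= 3


def _candidates(password: str):
    """Normalised forms of the password that a dictionary check should compare."""
    low = password.lower()
    strip = lambda s: re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # drop leading/trailing digits & symbols
    yield strip(low)
    yield strip(low.translate(_SUBS))
    yield low.translate(_SUBS)


def dictionary_weak(password: str, wordlist: set = WORDLIST) -> bool:
    """True if the password is a dictionary word, or two glued together, with
    digits/symbols padded around it or substituted into it ('JeanPol1', '1DogBarks')."""
    for core in _candidates(password):
        if core in wordlist:
            return True
        if any(core.startswith(w) and core[len(w):] in wordlist for w in wordlist):
            return True
    return False


def evaluate(password: str, account_name: str = "", display_name: str = "") -> dict:
    """Windows says 'complex'; the dictionary check says 'weak'. Both can be true."""
    return {"windows_complex": windows_complexity(password, account_name, display_name),
            "dictionary_weak": dictionary_weak(password)}
```

Run `evaluate("JeanPol1")` and both flags come back True, which is exactly the gap a third party checker is meant to close.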
Sandeshdubey (Senior Server Engineer) commented:
Enforcing Strong Password Usage Throughout Your Organization
Rich Rumble (Security Samurai) commented:
Anything below 10 characters is too low, complexity or not:
http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours (all possible 8 character passwords)
Also, changing passwords often is not as needed as it once was, unless your password length is lower, or the password is more sensitive: https://www.schneier.com/blog/archives/2010/11/changing_passwo.html
A document from a M$ researcher says the same.

I do pentests, and passwords are the second weakest link in every domain I've been on. Length and not using dictionary words are what keep passwords from being cracked. Complexity doesn't help as much as you think it does; in fact, if you have 4 items required in an 8 character password, you're hurting your security. Uppercase, lowercase, number and a special character: you've reduced the possible passwords by half.

If you increase that to 9 and use the four possible classes, it's 10% better. You should only require letters, numbers and specials, and you should put the minimum length at 10 or more. If you can get a 3rd party to vet the passwords for easy dictionary words, you should. And you should use the "rockyou.txt" file as the basis for what the users shouldn't be allowed to use :)
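The keyspace arithmetic behind the answer above, as an added example that is not part of the original post. It counts, by inclusion-exclusion, how many passwords of a given length over the 95 printable ASCII characters contain at least one character from all four classes, and compares that with the unconstrained keyspace. The guess rate is an assumption derived from the article's "every 8 character password in 6 hours" figure, not a quoted benchmark.

```python
from itertools import combinations

# Character classes as the Windows complexity rule counts them; 26+26+10+33 = 95 printable ASCII.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 33}
ALPHABET = sum(CLASSES.values())


def total_keyspace(length: int, alphabet: int = ALPHABET) -> int:
    """All strings of the given length over the alphabet (no class requirement)."""
    return alphabet ** length


def keyspace_all_classes(length: int, classes: dict = CLASSES) -> int:
    """Strings that contain at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing one class,
    add back those missing two classes, subtract those missing three, and so on.
    """
    names = list(classes)
    alphabet = sum(classes.values())
    count = 0
    for k in range(len(names) + 1):
        for missing in combinations(names, k):
            remaining = alphabet - sum(classes[n] for n in missing)
            count += (-1) ** k * remaining ** length
    return count


def fraction_allowed(length: int) -> float:
    """Share of the full keyspace that survives a 'must use all four classes' rule."""
    return keyspace_all_classes(length) / total_keyspace(length)


# Assumed guess rate: implied by the quoted article's 'all 8-character passwords in 6 hours'.
GUESSES_PER_SECOND = total_keyspace(8) / (6 * 3600)


def hours_to_exhaust(length: int, require_all_classes: bool = False) -> float:
    """Hours to try every password of this length at the assumed rate."""
    space = keyspace_all_classes(length) if require_all_classes else total_keyspace(length)
    return space / GUESSES_PER_SECOND / 3600


if __name__ == "__main__":
    for n in (8, 9, 10, 12):
        print(f"len {n:2d}: keyspace {total_keyspace(n):.3e}  "
              f"all-4-classes keeps {fraction_allowed(n):.1%}  "
              f"exhaustive search {hours_to_exhaust(n):,.1f} h")
```

Each extra character multiplies the keyspace by 95, whereas the four-class rule removes roughly half of the 8 character keyspace, which is why length beats mandatory classes.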
Hi,

Microsoft has published security recommendations in SCM (Security Compliance Manager).

You can download and install it; in this tool you can find all the security settings recommended by Microsoft (including password settings, of course) in templates. You can export them as a GPO backup and implement them in your organization.

In this tool you can find recommendations for all server systems, Windows workstations, Office, SQL, Exchange etc.

In this tool you can also find security guides for Microsoft products and systems, with all the information about vulnerabilities and how to mitigate them.

I would recommend using it.
Many articles have been strategised for this, and moreover many applications have been finalised for the same.

The process of rolling out a much needed, updated password policy. "Password policies can be debated for hours" describes exactly what we are going through with our new roll-out.

Have a look at this documentation:

Different passwords for each program/login. All passwords need to meet complexity requirements:

- Minimum 8 characters
- 3 out of 4 of the following required: upper or lower case, numeric, symbols
- Not a word found in a dictionary, language, slang, etc.
- Not based on personal info
- Not written down or stored locally
- Forced change at least quarterly
- Cannot reuse last 10 passwords

All of this is enforced where possible. We have a few programs that don't enforce history or complexity. For those, we randomly audit.

No biometrics yet; I haven't seen it to be reliable enough in the laptops I've tried.

It's amazing to me how many users don't understand why they need a secure password, let alone why they are forced to change it.

There is also an application for the same, to learn much more.

Please click on the given link for the same.
Rich Rumble (Security Samurai) commented:
Nothing wrong with a written password; I have them, just keep them safe on your person, like in a wallet. A written, complex password you don't have to change, as long as you trust its security. A weak password, one found in the dictionary or easily found using substitution, you do have to change, and this is the case for most users. That's why 90 days was established: it's how long brute force of a password used to take on Windows to find every possible combination for an 8 character password. That's less than 6 hours now; increase to 9 and it's around 20 days, increase to 10 and it's about 1 year. Remember that's brute force; there are typically much faster ways to find passwords.
