Windows 2008 R2 complex password requirements - changing

Upper management at our company is not happy with the passwords that users are coming up with/using. It is not secure enough even with password complexity enabled.

The password complexity settings in MS, is a hit or miss when getting users to create a secure password

Contain characters from three of the following four categories:

    English uppercase characters (A through Z)
    English lowercase characters (a through z)
    Base 10 digits (0 through 9)
    Non-alphabetic characters (for example, !, $, #, %)
    Complexity requirements are enforced when passwords are changed or created.

We have users doing enough to meet the first 3 requirement 90% of the time. We like to force the first 4 requirement but by default there is no way to do that. So we wondering if there Is any way to do this at all? Via Schema, via 3 party app, and etc?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

There's no built-in way, yet.
Look at anixis' Password policy enforcer:
It can do all that and more. it is easy to administer and reasonably priced in my opinion.
Walter PadrónCommented:
In my experience this kind of password complexity leads to users writing passwords on sticky notes and attaching them to the monitor. Maybe you should use  a second authentication method such as a smart-card, biometrics, etc. An increased security cost a lot more.

Best regards
iamuserAuthor Commented:
It's not my call. Upper management wants this for all users. We have explained it many times over that users are not prone to remember their passwords and that it'll be on post it notes.
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

Walter PadrónCommented:
You can use a third-party solution or you can create your own password filter.
Here is sample code

Best regards
iamuserAuthor Commented:
In order to filter passwords for domain users, you should use the "Domain Security Policy" console on domain controller machine and install there your password filter

Right now we are using Fine grain password policy. We don't want 1 password policy for everyone. Can this work with Fine grain password policy?
Walter PadrónCommented:
If you have control over your passwords via a password filter i guess you don't need Fine grain policy anymore because you will and need to enforce your password policy in your filter.

A word of caution, security code is hard to implement and to implement well, so for me this is a last resort.

Best regards

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
iamuserAuthor Commented:
The issue is we don't want this to apply to any accounts that we use for services. If we use this then all accounts will be affected including our services account.
iamuser, if I were you, I would be extremely careful with self made solutions. The link says it's for winNT/2000/xp, while in the article, server 2003 is mentioned. I was in the same position as you once and tried to implement such a dll, made by Stanford university. I tried to implement it on server 2008. result: no passwords at all were accepted anymore, no matter how complex. After uninstalling the DLL, the problem persisted, the domain (a virtual test lab) was broken, no password changes possible any more!

So you have been warned :)
The anixis PPE empowers you to use as many policies as you like.

but to answer your question: no, I don't think it would be compatible with fine grained password policies as those use the complexity settings of the domain, so it would be one for all.
iamuserAuthor Commented:
AH, okay, the ANIXIS PPE will allow me to have difference policies for different groups of users.
Walter PadrónCommented:
As i said before a self security solution can be more insecure than a not-so complex password and @McKnife warned you of this too.  With a third-party solution you have another kind of problem yo have TO TRUST the third-party for password management and under some IT policies this is not allowed. There is no one solution that fits all.

Best regards
Rich RumbleSecurity SamuraiCommented:
Have a look at my articles here: and here:
The TLDR; version= Microsoft passwords, if audited in an offline manner, are fast and easy to crack when they are less than 10 characters long. While using Digits, Specials and Upper/Lower does add entropy technically, it often ends up just as substituion where e=3 and o=0 etc... That doesn't add entropy against a modern password audit. Length is what it will boil down to creating a harder password to crack, but not necessarily for a user to remember. I audit passwords and everywhere I go, unless your length is 10 or more, I'll get them, and quickly. I'm not using rainbow-tables, I can exhaust the 8 character space in less than 24 hours (ty to intel's Xeon Phi).
I advise clients to use 15, as this assures the users aren't going to use one word, especially if you train them BEFORE the change that they should do something like in my first link. After that, auditing the passwords is much harder. That is not to say that a user has a "very strong" password, it could be rubbish... Rubbish12121212 that's 15 characters, but that is not a password I can foresee my rules perhaps missing that. Anything 8-9 in length, even unprintable characters (alt+255) I'll get in a reasonable amount of time, 48hrs is what I give each audit.
iamuserAuthor Commented:
I'm stuck between a rock and a hard place. I'll bring it up at my meeting with management and see where they want to go. They seem to believe that they know more. God....I hate paper pushers
Rich RumbleSecurity SamuraiCommented:
Having a short password (length=8) and requiring all 4 classes (upper, lower, digit, and special) will HURT the password's entropy! If more than 8 it's not as bad, but still has some degradation. Increasing the minimum length helps in all cases.

From my article: If you require all four possible generic polices, at least one digit,  one upper, one lower and one special, and the minimum length is eight, you've reduced the guessing by over half. Instead of 6,704,780,954,517,120 possible it's reduced to 3,025,989,069,143,040 , which is a 55% reduction when the password is only 8 characters long. The attacker will get your passwords that are 8 characters in half the time, if all things were equal. [Effect of password policies on keyspace reduction]
Ok, these details are on password security. There are different approaches to create a safe password and there are different approaches to enforce safe passwords. At the same time one has to know how attacks could be carried out, because without holding something to attack, it's all irrelevant if strong or weak.

In a discussion I had with pentesters that are certified by the german government, they said they would use the following strategy: Length 15 or more (they themselves used 20) and construct a password this way:
Take three words that stand in no logical connection (screw, horse, picture), damage them a little (or use local dialect) and put some special characters and/or numbers in between, result:
This is long (20), easy to remember and fast to type. That is their recommended strategy. I started to argue: what if the attacker knows that this is the recommended company pw policy? What if, after all, people are not so creative and mostly just select all-too-common words like mother/house/tele/book/dog/lamp/xbox/iPhone/...? Wouldn't it be possible to construct a very sophisticated dictionary attack? I think it would. And since we cannot prevent dictionary words with windows' own means, many will end up like
So I really recommend to use a software that does dictionary and similarity checks. Because once a shoulder-surfer-type attacker sees "Moon2dogs,howling!!!" typed once or twice, he has it. And maybe from then on, that user will go on like this and his next password would be
... :|
Rich RumbleSecurity SamuraiCommented:
All good points, and this is possible, have a look at hashcat's combinator attack:
Straight-up dictionary words are not helping, but the length of all of them is, and leet'ing them doesn't add much either (e=3 and so on).. but like I lay out in my articles, using words that are broken or out of place makes this harder: kant-dew-that-2-mi
But based on length alone, Moon2dogs,howling!!! is actually an excellent password. Having a big list of words, doesn't give them context, so moon, dogs and howling would have to simply "come up" in the attempt, and would not necessarily be quick to find, there are no weighting that I'm aware of to words that may occur close to one another. A computer doesn't know that moon, dogs and howling are associated with one another. There will be soon, but as of now, I don't know of such work being done by the hacking community.
iamuserAuthor Commented:
awesomee guys
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
OS Security

From novice to tech pro — start learning today.