AD password complexity

gege Isgood asked:
Hi,
I'm looking for an easy and free possibility to increase the Active Directory password complexity.
In order to force:
- A minimum length
- Both upper and lower cases
- A letter in the first space
- Special characters
- Numbers
- No dictionary words, blacklisted words, or patterns that are easy to crack
Distinguished Expert 2018

Commented:
There is no easy and free way for that, at least not any that I would risk to implement.

Please be aware of the following: dictionary checks and enhanced complexity checks are something different. It's hard to find a free solution that offers both. Also, the solution needs to be maintained and kept compatible with the evolving server OS (which is constantly patched), else you might end up with a dead domain. Yes, dead as in "no further password changes are even possible". I had exactly that some years ago when I searched for the same and implemented an open source password filter - it went wrong and the changes were irreversible. My lab domain was dead.

I would ask you to look at the pricing of some utilities like Anixis' PPE. It's not really much and it can do all of that.
Noah, Hardware Tester and Debugger

Commented:
Hi there! :)

You may try taking a look at this management service below. It should be able to cater to all of your requirements related to password reset management and account lockout. Depending on the number of users, you may need the paid versions.

Reference: https://www.manageengine.com/products/self-service-password/index.html?cam=66537549&adgid=2543657709&kwd=active%20directory%20password&loc=9062512&ps_ca=66537549&ps_adg=2543657709&cam=66537549&adgid=2543657709&kwd=active%20directory%20password&matchtype=p&adid=115242850509&network=g&position=1t1&loc=9062512&placement=&gclid=EAIaIQobChMIkZjQr_CJ5gIVTIiPCh1DOwnjEAAYASAAEgKrgPD_BwE
Distinguished Expert 2018

Commented:
@Noah: he was there already. He quotes their wording from https://www.manageengine.com/products/self-service-password/password-policy-enforcer.html :-)

@gege Do you have more than 50 users? What's your budget for this?

Author

Commented:
no budget, over 1000 users
Distinguished Expert 2018

Commented:
"no budget"? Zero? With 1000 users? I am tempted to write "are you kidding?"...
For 1000 users, you would pay just 3,000 US$ once (maintenance not included) over at Anixis.

Ok, please wait and see which free solutions come up, but be warned that it is very risky to implement something here that has no paid support.
Brian BEE, Topic Advisor, Independent Technology Professional

Commented:
If you are getting pressure to come up with a way to better secure Active Directory and they can be convinced to spend some money, the better choice might be two-factor authentication (i.e. users must have a smart card and password to log on).
Amit, IT Architect
Distinguished Expert 2017

Commented:
Use RSA token to increase the security.
End-user support
Commented:
@gege... Almost all your requirements can be set via Group Policy. Instead of random letters, numbers and symbols for passwords, consider having users make passphrases. See Diceware, for example. To meet Windows requirements, users can add number and special characters between each word.

The Diceware method is secure even if an attacker knows that you used Diceware to pick your passphrase, knows how many words are in your passphrase and knows the word list you used. The security of Diceware comes from the huge number of combinations that an attacker must search through, even with that knowledge. The Diceware word list contains 7776 words, so if you pick a five-word passphrase, there are 7776 x 7776 x 7776 x 7776 x 7776 combinations. That is over 2**64 (2 to the 64 power or 2.6 x 10**19) possibilities. A six word Diceware passphrase confronts an attacker with 2**77 (2 x 10**23) combinations; seven words 2**90 (1.5 x 10**27).
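Added example (Python; not code from the thread or from any of the posters): a Diceware-style generator together with the entropy arithmetic behind the bit figures quoted in the comment above. The 16-entry word list is a constructed stand-in for the real 7776-entry list, which a deployment would load from a file; the entropy values are computed for the full list size, not for the sample. The guess rate of 1e11 per second used in the demo is an assumed figure for illustration only.

```python
import math
import secrets

DICE_PER_WORD = 5               # one Diceware index is five rolls of a d6
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in the standard list

# Constructed stand-in for the real word list. The real list has LIST_SIZE
# entries and is loaded from a file; the entropy figures below are for that
# full size, not for this 16-word sample.
SAMPLE_WORDS = [
    "ninja", "orange", "balloon", "cartoon", "anvil", "copper", "meadow",
    "quartz", "ladder", "piston", "saddle", "velvet", "wicket", "zephyr",
    "harbor", "lantern",
]


def roll_key(rolls=DICE_PER_WORD):
    """Roll `rolls` fair dice with the OS CSPRNG, giving a key like '36214'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(rolls))


def key_to_index(key):
    """Map a dice key '11111'..'66666' onto a list index 0..7775 (base 6)."""
    idx = 0
    for ch in key:
        face = int(ch)
        if not 1 <= face <= 6:
            raise ValueError(f"not a die face: {ch!r}")
        idx = idx * 6 + (face - 1)
    return idx


def diceware_bits(n_words, list_size=LIST_SIZE):
    """Entropy in bits of n_words drawn uniformly from list_size entries.
    This is the whole security argument: the attacker may know the list
    and the word count; only the uniform choice is secret."""
    return n_words * math.log2(list_size)


def passphrase(words, n_words, sep=" "):
    """Draw n_words uniformly; secrets.choice stands in for the dice."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to enumerate a space of `bits` bits at a guess rate."""
    return 2.0 ** bits / guesses_per_second


if __name__ == "__main__":
    for n in (5, 6, 7):
        b = diceware_bits(n)
        years = seconds_to_exhaust(b, 1e11) / (365.25 * 24 * 3600)
        print(f"{n} words: {b:.1f} bits, ~{2 ** b:.2e} combinations, "
              f"{years:.1f} years to exhaust at 1e11 guesses/s (assumed rate)")
    k = roll_key()
    print("dice key", k, "-> index", key_to_index(k))
    print("sample passphrase:", passphrase(SAMPLE_WORDS, 5, sep="-"))
```

Only the uniform draw matters for the strength figure; the separator (a space, a hyphen, or the digit and symbol the comment suggests) is what lets the result pass the Windows character-class check, and it adds no entropy of its own if it is always the same.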
Harper McDonald, Sr. Cloud Support Engineer

Commented:
Group Policy
Ron Malmstead, Information Services Manager

Commented:
The main problem with high password complexity is that users forget their pw on a daily basis.  Or worse, they write it on a sticky note and put it under their keyboard.

I usually advise the Windows built-in options, with a shorter password expiration period, rather than third party software to increase complexity...for those reasons.

A password should be secret (known only to the user)
A password should be easy enough to remember (so they don’t write it down), but complex enough to make it extremely difficult to guess (something personal to the user that only they would know)

Given enough TIME, and computing power, any pw can be guessed.  So if it takes a super computer 5 months to guess MyMomIsANinja2015... then the pw expiration period of 45 days, just turned a super computer into a toaster oven.

This strategy, combined with educating your users, I’ve found to be the most logical approach.

Remember that the employees themselves are the biggest security risk.  The biggest hacks in history started with a phone conversation... where the user gave up the pw willingly... because they believed they were talking to the help desk support team.  “Hi this is Dave from IT, your account was locked out I see.  I can unlock it for you, but I have to reset the pw... do you want to keep the pw the same?”  In an environment where extremely high complexity is a requirement... this type of conversation happens frequently and barely any employee would question it.  Martha from accounts payable won’t know what hit her... she will lift up her keyboard and read it out loud without hesitation... unless you educate her on what a password should look like and that neither you nor anyone else should ever know what it is.
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
Given enough TIME, and computing power, any pw can be guessed.  So if it takes a super computer 5 months to guess MyMomIsANinja2015... then the pw expiration period matters the most.
While this is true, the problem is, when the password change comes, they'll just change it to "MyMomIsANinja2016" - and once the hacker has 2015, 2016 is the obvious next guess.  MyMomIsAnOrange, MyMomIsABalloon, MyMomIsACartoon - these will not be guessed quite as easily.

Of course, the problem with passwords is that no one wants to remember a new one so when they change it, they do it using the simplest change they can get away with so they can easily remember it.  

Multi-Factor authentication will provide for a better defense against hackers, but that's not foolproof either.  USER EDUCATION AND BUY-IN is critical.  

My own opinion is keep the numbers out of passwords.  Words are much harder to guess and don't generally provide an obvious next password guess.  But pair that with multi-factor authentication.
Ron Malmstead, Information Services Manager

Commented:
Except that the computer trying to guess doesn’t “know” if it was “close”.... so any change still renders it useless because all the iterations of possibilities would still have to happen in time.  By then it’s expired and the user already reset it again.

That was an example of course... adding symbol required makes a big difference too.

Nothing is 100% as I said the USER is the biggest security hole in any network.  Pw guessing tends to set off alerts... and log file entries.  It’s easier to just ask.

Keep the standard high complexity... not overkill, so instead of constantly resetting pw’s (via phone and email - insecure) ..you can use the extra time to educate and audit your users.

This is also in line with a zero dollar budget btw 😂
Lee W, MVP, Technology and Business Process Advisor
Most Valuable Expert 2013

Commented:
My point was, in the event someone cracks the hash of 2015, that password will be displayed in its entirety. At which point, any hacker doing the hacking will then just guess that if 2015 fails, try 2016.  If that fails, 2017, etc.  If you skip the numbers you remove the "obvious" next guess.

That said, MFA is a necessity for any business that needs real security at the AD level.
Shaun Vermaak, Senior Consultant
Awarded 2017
Distinguished Expert 2018

Commented:
Do password audits
https://www.experts-exchange.com/articles/29569/How-to-extract-hashes-from-IFM-backup.html

Create an intelligent password policy
https://www.experts-exchange.com/articles/33078/How-to-create-an-Intelligent-Password-Policy-for-Active-Directory.html

Given enough TIME, and computing power, any pw can be guessed.  
This is only applicable if you have the hashes, and impractical against an environment with a lockout policy.
Distinguished Expert 2018

Commented:
I wonder why you selected the comment which says "Almost all your requirements can be set via Group Policy." as solution, since you wanted something that could "force" this. GPOs cannot force

- Both upper and lower cases
- A letter in the first space
- Special characters
- Numbers
- No dictionary words, blacklisted words, or patterns that are easy to crack

Please note, although the complexity requirements that GPOs can enforce require 3 out of 4 character types (alphanumeric, special), it cannot require all 4, so ALL but one of your requirements (that's length) cannot be enforced!
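Added example (Python; not code from the thread, from Microsoft or from any product): a model of what the built-in "Password must meet complexity requirements" setting actually checks, next to the stricter set the question asks for (all four classes, a letter in the first position, a blacklist, and no trivial step from the previous password, which is the 2015 -> 2016 point Lee W makes above). The blacklist and the user names are constructed. This is a reference model for evaluating candidate passwords, not a password filter: a real filter is a native DLL registered on every domain controller under the LSA "Notification Packages" value, which is exactly the component whose failure the first answer warns can leave a domain unable to change passwords at all.

```python
import re

# The four character classes the built-in Windows rule recognises. The
# documentation lists the symbol class as punctuation and other
# non-alphanumerics; here anything outside ASCII letters and digits counts.
CLASSES = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed blacklist; a real one holds the company name, seasons, product
# names and entries harvested from breach corpora.
BLACKLIST = {"password", "welcome", "summer", "winter", "company"}

# Delimiters the built-in rule uses to split displayName into tokens.
NAME_DELIMS = re.compile(r"[ ,.\-_#\t]+")


def builtin_complexity(pw, sam_account_name="", display_name="", min_length=6):
    """Model of the GPO setting 'Password must meet complexity requirements':
    at least min_length characters, characters from three of the four classes,
    and neither the samAccountName (skipped when shorter than three characters)
    nor any displayName token of three or more characters inside the password,
    case-insensitively. Returns a list of failure reasons; empty means accepted.
    """
    fails = []
    if len(pw) < min_length:
        fails.append("too short")
    present = [name for name, rx in CLASSES.items() if rx.search(pw)]
    if len(present) < 3:
        fails.append("fewer than 3 of 4 character classes")
    low = pw.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in low:
        fails.append("contains account name")
    for tok in NAME_DELIMS.split(display_name):
        if len(tok) >= 3 and tok.lower() in low:
            fails.append(f"contains name part {tok!r}")
    return fails


def trivial_successor(old, new):
    """True when `new` is `old` with only the leading/trailing digits or
    symbols (or the letter case) changed, e.g. MyMomIsANinja2015 -> ...2016."""
    def core(s):
        return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", s).lower()
    return core(old) == core(new)


def requested_policy(pw, previous=None, min_length=12):
    """The stricter set from the question, which the GPO cannot express:
    all four classes, a letter first, no blacklisted word, and no trivial
    change from the previous password."""
    fails = []
    if len(pw) < min_length:
        fails.append("too short")
    missing = [name for name, rx in CLASSES.items() if not rx.search(pw)]
    if missing:
        fails.append("missing classes: " + ", ".join(missing))
    if not pw[:1].isalpha():
        fails.append("first character is not a letter")
    low = pw.lower()
    hits = sorted(w for w in BLACKLIST if w in low)
    if hits:
        fails.append("blacklisted word: " + ", ".join(hits))
    if previous is not None and trivial_successor(previous, pw):
        fails.append("trivial change from previous password")
    return fails


if __name__ == "__main__":
    for cand in ["Ninja-orange-balloon-cartoon-anvil",
                 "Ninja-orange7-balloon-cartoon-anvil",
                 "MyMomIsANinja2016!"]:
        print(cand,
              "| GPO:", builtin_complexity(cand) or "ok",
              "| requested:",
              requested_policy(cand, previous="MyMomIsANinja2015!") or "ok")
```

The first candidate shows the gap the comment above describes: a capitalised, hyphenated passphrase already satisfies the GPO (three classes), while the requested policy still rejects it until a digit is added. The third shows why a dictionary or blacklist alone is not enough: "MyMomIsANinja2016!" is accepted by every character-class rule and fails only on comparison with the previous password, a check that needs the old and new values side by side and so can only live in a filter on the domain controller.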
