David Sankovsky (Israel) asked:
enforce a more restrictive Password Policy in AD

Hi experts.

I live in a country where cyber attacks are becoming more and more common, both against the private sector and the government sector.


As such I want to enforce a more restrictive Password Policy, seeing as the default AD password complexity rule will count "Aa123456" as a valid password because it covers the basic rules - it has 3 out of 5 available character types and it's longer than 8 characters.


I tried reading about custom policy filters and the passfilt.dll file but I can't make heads or tails of it. I need a way to enforce a password that covers all of the following:

  1. Must be 8 characters or longer
  2. Must include at least one uppercase letter, one lowercase letter, one digit and one special character.
  3. Password MUST begin with a letter (either upper or lower case, but not a digit nor a special character)
  4. Can't contain an ascending or descending set of characters longer than 2 characters (like abc or 654)
  5. Can't contain a repeating set of characters longer than 2 characters (like bb or $$)

Any help you can provide on the matter will be greatly appreciated!
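The five rules in the question, as an added example written for this page (not the asker's code and not any product's): a portable C function that returns 0 when a candidate password passes and otherwise the number of the first rule it breaks. In a real passfilt.dll the same logic would sit inside the exported PasswordFilter function, which receives the password as a UNICODE_STRING rather than a char *; rule 5 is read the way the asker's examples ("bb", "$$") suggest, so any doubled character is rejected, and rule 4 compares letters case-insensitively.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Return value: 0 = accepted, otherwise the number of the rule that failed. */
enum { PW_OK = 0, PW_TOO_SHORT = 1, PW_MISSING_CLASS = 2,
       PW_BAD_FIRST_CHAR = 3, PW_SEQUENCE = 4, PW_REPEAT = 5 };

/* "Special" = printable, not a letter or digit, not whitespace. */
static bool is_special(unsigned char c)
{
    return isprint(c) && !isalnum(c) && !isspace(c);
}

int check_password_policy(const char *pw)
{
    size_t n = strlen(pw);
    if (n < 8) return PW_TOO_SHORT;                            /* rule 1 */

    bool upper = false, lower = false, digit = false, special = false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (isupper(c)) upper = true;
        else if (islower(c)) lower = true;
        else if (isdigit(c)) digit = true;
        else if (is_special(c)) special = true;
    }
    if (!(upper && lower && digit && special)) return PW_MISSING_CLASS; /* rule 2 */

    if (!isalpha((unsigned char)pw[0])) return PW_BAD_FIRST_CHAR;       /* rule 3 */

    /* Rule 4: reject any 3 consecutive characters whose code points step by
       +1 or -1 each time ("abc", "654"); letters are lower-cased first. */
    for (size_t i = 2; i < n; i++) {
        int c0 = tolower((unsigned char)pw[i - 2]);
        int c1 = tolower((unsigned char)pw[i - 1]);
        int c2 = tolower((unsigned char)pw[i]);
        int d1 = c1 - c0, d2 = c2 - c1;
        if ((d1 == 1 && d2 == 1) || (d1 == -1 && d2 == -1)) return PW_SEQUENCE;
    }

    /* Rule 5: the asker's examples ("bb", "$$") show that a doubled
       character is already enough to reject the password. */
    for (size_t i = 1; i < n; i++)
        if (pw[i] == pw[i - 1]) return PW_REPEAT;

    return PW_OK;
}
```

The default AD rule accepts "Aa123456"; this function rejects it on rule 2 before it even reaches the "123456" sequence check.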

Éric Moreau (Canada):

It is also better not to use a word from the dictionary.
You need more than the built-in Microsoft policy. It can only enforce length, 3/4 character sets, not being part of the username, and password history.

We went with a 3rd party utility that does self service password reset, unlock, and lots of filtering rules. We have rules for consecutive characters, banned phrases/words/strings, and it also does l33+ speak substitution checking too. Can check against dictionaries, and password leaks.
8 characters is far too short to be safe anymore.

If you want fine-tuned password policies, you must install 3rd party software such as Anixis' Password Policy Enforcer. https://anixis.com/products/ppe/

Hello There:

If you need all this above, you need a 3rd party product.

Some time ago I posted this:

When applying password policies, you usually want to improve security (that's something that you should be always focused on). You usually want that users:
  • use strong passwords
  • use memorable passwords so they don't write it anywhere
  • change passwords regularly
However, even this has to be done right. Even if you apply "strong" password policies (at least 20 characters, a user has to change the password every 5 days, minimum and maximum password age), it doesn't mean that you do it right. If you require strong and strict password policies, it's more likely that users will use weak passwords.

For instance, if a user has to use a long password with complexity or has to change it often, he will have to meet requirements but the paradox is that you probably don't improve security. Either a user will use passwords like "Passwordpassword123" and will change it every 5 days to a similar form, or he will use strong passwords like "Th1sIsMyP@$$w0rD" but then expect that they will write it somewhere.

You need to balance it.

A few points to note:
  • Enforce password history (at least 10 passwords remembered)
  • Change passwords regularly (45-90 days)
If you want to use complex passwords:
  • Minimum password length (12-15 characters. If you require more, users might use weaker passwords)
  • Enable password complexity
Anyway, there are 3rd party solutions (e.g. https://anixis.com/products/ppe/).

BUT Rather than the above... Have you heard of passphrases?

Password Management Best Practices

https://hitachi-id.com/documents/password-management-best-practices.php?page=3 

The human element

Users in a large organization frequently have many passwords, each protecting their account on a different system or application. Users are people, not machines, so their ability to securely manage passwords is intrinsically limited. In particular, it is hard for most people to remember:
  • Complicated passwords.
  • Many different passwords.
  • Passwords that change frequently.
  • Passwords for systems that are used infrequently.
Without these constraints, password security would not be a problem and there would be no market for other authentication technologies. For example, if every password was changed every day, was remembered perfectly without being written down and consisted of 100 randomly chosen letters and digits, there would really be no need for authentication technologies other than passwords.
Effective password management is therefore taken to mean password management that is secure, user friendly and supportable within the confines of both technology and human behavior.
When people have trouble remembering their passwords, they usually resort to one or more of the following:
  • Write down their passwords -- and reduce the security of systems to the security of their physical building, desk or wallet.
  • Forget their passwords -- and require frequent assistance from an IT help desk.
  • Choose very simple, easily compromised passwords.
  • Reuse old passwords whenever possible.
Clearly, sound password management practices must take into consideration human limitations, to minimize bad behavior.
Rethinking Password Policies 
http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12471-03_singer_14-19_online.pdf 

Password Vs Passphrase: Here’s 5 Reasons to Use Passphrase

https://www.passworddragon.com/password-vs-passphrase 

So why is passphrase better than passwords?

  1. Passphrases are easier to remember than a random mix of symbols and letters combined together. It would be easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.
  2. Passwords are relatively easy to guess or crack by both humans and robots. The online criminals have also leveled up and developed state of the art hacking tools that are designed to crack even the most complicated password.
  3. Satisfies complex rules easily. The use of punctuation, upper and lower cases in passphrases also meets the complexity requirements for passwords.
  4. Major OS and applications support passphrases. All major OS including Windows, Linux and Mac allow passphrases of up to 127 characters long. Hence, you can opt for longer passphrases for maximum security.
  5. Passphrases are next to impossible to crack because most of the highly-efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won't be able to guess, brute-force or pre-compute these passphrases.
Let’s settle the password vs. passphrase debate once and for all

https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/ 

Passwords vs Passphrases Which Is Better For Your Security

https://health.usf.edu/is/blog/2019/04/30/Passwords-vs-Passphrases-Which-Is-Better-For-Your-Security   
McKnife (Germany), asker-certified solution:
Passwords are not obsolete, even with MFA, you still need a relatively strong password, since hackers are also targeting MFA to gain access.
@serialband
If you use a SmartCard, and enforce "smartcard-only" for that domain account, the DC sets the PW to a random 120 character value. It's unknown to the user from then on. Did you know that?
David Sankovsky (asker):

I have checked all other options, and since SmartCards are inherently already a 2-factor system, I guess I'll move to that. Thank you
That's a wise decision. Next week, I will link my new article here, which I'll be publishing soon. It's largely about my own project.
It's not yet published, but should be visible to you
https://www.experts-exchange.com/articles/36692/Going-passwordless.html
Or isn't it?
Should it be visible to anybody with the link? I get a permission denied.
Ok, good that you let me know.
So it needs to be published, first. Right now, it's complete, but still in editor-review status.
Will let you know when published. Thanks Eric.
Finally my article on going passwordless has been published: https://www.experts-exchange.com/articles/36692/Going-passwordless.html