David Sankovsky (Israel) asked on

enforce a more restrictive Password Policy in AD

Hi experts.

I live in a country where cyber attacks are becoming more and more common, both against the private sector and the government sector.


As such, I want to enforce a more restrictive password policy, seeing as the default AD password complexity rule will count "Aa123456" as a valid password because it covers the basic rules: it has 3 out of 5 available character types and it's longer than 8 characters.


I tried reading about custom policy filters and the passfilt.dll file but I can't make heads or tails of it. I need a way to enforce a password that covers all of the following:

  1. Must be 8 characters or longer.
  2. Must include at least one uppercase letter, one lowercase letter, one digit and one special character.
  3. Password MUST begin with a letter (either upper or lower case, but not a digit nor a special character).
  4. Can't contain an ascending or descending set of characters longer than 2 characters (like abc or 654).
  5. Can't contain a repeating set of characters longer than 2 characters (like bb or $$).

Any help you can provide on the matter will be greatly appreciated!

Tags: Active Directory, Password complexity, information security
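The five rules from the question, written out as an offline check. This is an added example, not code from the question or from any product mentioned in the thread; the function name is mine. It is the kind of pre-check you can run inside a provisioning script before calling Set-ADAccountPassword, but it cannot reject a password a user types at Ctrl+Alt+Del: only a password filter DLL on the domain controllers (the passfilt.dll mechanism the question mentions) or a third-party enforcer can do that. Rule 5 as written ("longer than 2") contradicts its own examples ("bb", "$$"), so the code follows the examples and rejects any character repeated back to back.

```powershell
# Added example: encodes the question's five rules as an offline check.
# Does not touch Active Directory and does not replace a DC-side password filter.
function Test-PasswordRules {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Password
    )

    $failures = [System.Collections.Generic.List[string]]::new()

    # Rule 1: 8 characters or longer
    if ($Password.Length -lt 8) { $failures.Add('shorter than 8 characters') }

    # Rule 2: one uppercase, one lowercase, one digit, one special character.
    # -cnotmatch is case-sensitive; a plain -notmatch would let 'a' satisfy [A-Z].
    if ($Password -cnotmatch '[A-Z]')        { $failures.Add('no uppercase letter') }
    if ($Password -cnotmatch '[a-z]')        { $failures.Add('no lowercase letter') }
    if ($Password -cnotmatch '[0-9]')        { $failures.Add('no digit') }
    if ($Password -cnotmatch '[^A-Za-z0-9]') { $failures.Add('no special character') }

    # Rule 3: must begin with a letter, not a digit or a special character
    if ($Password -cnotmatch '^[A-Za-z]') { $failures.Add('does not begin with a letter') }

    # Rules 4 and 5: walk the character codes and compare neighbours.
    # Rule 4: no ascending or descending run of 3 or more (abc, 654).
    # Rule 5 (read from its examples bb, $$): no character repeated back to back.
    $codes = [int[]][char[]]$Password
    for ($i = 1; $i -lt $codes.Length; $i++) {
        if ($codes[$i] -eq $codes[$i - 1]) {
            $failures.Add("repeated character '$($Password[$i])' at position $i")
        }
        if ($i -ge 2) {
            $d1 = $codes[$i - 1] - $codes[$i - 2]
            $d2 = $codes[$i]     - $codes[$i - 1]
            if (($d1 -eq 1 -and $d2 -eq 1) -or ($d1 -eq -1 -and $d2 -eq -1)) {
                $failures.Add("sequence '$($Password.Substring($i - 2, 3))'")
            }
        }
    }

    [pscustomobject]@{
        Passes   = ($failures.Count -eq 0)
        Failures = $failures.ToArray()
    }
}

# Constructed sample candidates (not real passwords). The first is the example
# from the question and fails on rules 2 and 4; the second fails rule 3; the
# third fails rule 5; the last passes all five.
foreach ($candidate in 'Aa123456', '1Strong!pw', 'Tr0ubb#dor', 'Kq7!vM2#sY') {
    $r = Test-PasswordRules -Password $candidate
    'Candidate {0}: {1}' -f $candidate, $(if ($r.Passes) { 'OK' } else { $r.Failures -join '; ' })
}
```

The sequence check compares raw character codes, so it catches "abc", "CBA" and "654" but also "xyz" and "!"#" (codes 33, 34, 35); if you only care about letters and digits, restrict the test to those ranges.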


8/22/2022 - Mon
Éric Moreau

It is also better not to use a word from the dictionary.
kevinhsieh

You need more than the built-in Microsoft policy. It can only enforce length and 3/4 character sets, not being part of the username, and password history.

We went with a 3rd party utility that does self service password reset, unlock, and lots of filtering rules. We have rules for consecutive characters, banned phrases/words/strings, and it also does l33+ speak substitution checking too. Can check against dictionaries, and password leaks.
serialband

8 characters are far too short to be safe anymore.

If you want fine tuned password policies, you must install 3rd party software such as Anixis' Password Policy Enforcer. https://anixis.com/products/ppe/
Hello There

If you need all this above, you need a 3rd party product.

Some time ago I posted this:

When applying password policies, you usually want to improve security (that's something that you should always be focused on). You usually want users to:
  • use strong passwords
  • use memorable passwords so they don't write it anywhere
  • change passwords regularly
However, even this has to be done right. Even if you apply "strong" password policies (at least 20 characters, a user has to change the password every 5 days, minimum and maximum password age), it doesn't mean that you do it right. If you require strong and strict password policies, it's more likely that users will use weak passwords.

For instance, if a user has to use a long password with complexity or has to change it often, he will have to meet requirements but the paradox is that you probably don't improve security. Either a user will use passwords like "Passwordpassword123" and will change it every 5 days to a similar form, or he will use strong passwords like "Th1sIsMyP@$$w0rD" but then expect that they will write it somewhere.

You need to balance it.

A few points to note:
  • Enforce password history (at least 10 passwords remembered)
  • Change passwords regularly (45-90 days)
If you want to use complex passwords:
  • Minimum password length (12-15 characters. If you require more, users might use weaker passwords)
  • Enable password complexity
Anyway, there are 3rd party solutions (e.g. https://anixis.com/products/ppe/).

BUT Rather than the above... Have you heard of passphrases?

Password Management Best Practices

https://hitachi-id.com/documents/password-management-best-practices.php?page=3 

The human element

Users in a large organization frequently have many passwords, each protecting their account on a different system or application. Users are people, not machines, so their ability to securely manage passwords is intrinsically limited. In particular, it is hard for most people to remember:
  • Complicated passwords.
  • Many different passwords.
  • Passwords that change frequently.
  • Passwords for systems that are used infrequently.
Without these constraints, password security would not be a problem and there would be no market for other authentication technologies. For example, if every password was changed every day, was remembered perfectly without being written down and consisted of 100 randomly chosen letters and digits, there would really be no need for authentication technologies other than passwords.
Effective password management is therefore taken to mean password management that is secure, user friendly and supportable within the confines of both technology and human behavior.
When people have trouble remembering their passwords, they usually resort to one or more of the following:
  • Write down their passwords -- and reduce the security of systems to the security of their physical building, desk or wallet.
  • Forget their passwords -- and require frequent assistance from an IT help desk.
  • Choose very simple, easily compromised passwords.
  • Reuse old passwords whenever possible.
Clearly, sound password management practices must take into consideration human limitations, to minimize bad behavior.
Rethinking Password Policies 
http://0b4af6cdc2f0c5998459-c0245c5c937c5dedcca3f1764ecc9b2f.r43.cf2.rackcdn.com/12471-03_singer_14-19_online.pdf 

Password Vs Passphrase: Here’s 5 Reasons to Use Passphrase

https://www.passworddragon.com/password-vs-passphrase 

So why is passphrase better than passwords?

  1. Passphrases are easier to remember than a random set of symbols and letters combined together. It would be easier to remember a phrase from your favorite song or your favorite quotation than to remember a short but complicated password.
  2. Passwords are relatively easy to guess or crack by both humans and robots. The online criminals have also leveled up and developed state of the art hacking tools that are designed to crack even the most complicated password.
  3. Satisfies complex rules easily. The use of punctuation, upper and lower cases in passphrases also meets the complexity requirements for passwords.
  4. Major OS and applications support passphrases. All major OS including Windows, Linux and Mac allow pass-phrases of up to 127 characters long. Hence, you can opt for longer passphrases for maximum security.
  5. Passphrases are next to impossible to crack because most of the highly-efficient password cracking tools break down at around 10 characters. Hence, even the most advanced cracking tool won't be able to guess, brute-force or pre-compute these passphrases.



Let’s settle the password vs. passphrase debate once and for all

https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/ 

Passwords vs Passphrases Which Is Better For Your Security

https://health.usf.edu/is/blog/2019/04/30/Passwords-vs-Passphrases-Which-Is-Better-For-Your-Security   
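The settings the post above recommends (history of 10, change every 45-90 days, 12-15 character minimum, complexity on) can be applied natively as a Fine-Grained Password Policy (PSO) scoped to a group, instead of editing the Default Domain Policy for everyone. This is an added example, not the poster's code or anything from Microsoft's documentation; the policy name, group name and user name are placeholders. It needs the ActiveDirectory module and rights to create PSOs.

```powershell
# Added example: the post's recommended values as a Fine-Grained Password Policy.
# Placeholder names; review before running in a production domain.
Import-Module ActiveDirectory

$policyName  = 'PSO-StandardUsers'   # placeholder PSO name
$targetGroup = 'StandardUsers'       # placeholder global security group

# Precedence: when several PSOs apply to a user, the lowest number wins.
# Min age of 1 day stops users from cycling through 10 passwords in a minute
# to get back to their favourite one (which is what history alone permits).
New-ADFineGrainedPasswordPolicy -Name $policyName `
    -Precedence 10 `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -PasswordHistoryCount 10 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -ReversibleEncryptionEnabled $false

# Scope the PSO to the group; PSOs apply to users and global groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $policyName -Subjects $targetGroup

# Verification: show what a member of that group actually ends up with.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, ComplexityEnabled
```

Both New-ADFineGrainedPasswordPolicy and Add-ADFineGrainedPasswordPolicySubject accept -WhatIf, so you can preview the objects before they are created. Note that -ComplexityEnabled is the same built-in 3-of-4 character-class rule the question complains about; a PSO raises length, history and age, but the first-character and sequence rules from the question still need a filter DLL or a third-party product.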
ASKER CERTIFIED SOLUTION
McKnife

serialband

Passwords are not obsolete. Even with MFA, you still need a relatively strong password, since hackers are also targeting MFA to gain access.
McKnife

@serialband
If you use a SmartCard, and enforce "smartcard-only" for that domain account, the DC sets the PW to a random 120 character value. It's unknown to the user from then on. Did you know that?
David Sankovsky

ASKER
I have checked all other options, and it seems that migrating to SmartCards, which are inherently already a 2-factor system, is the way to go. I guess I'll move to that. Thank you.
McKnife

That's a wise decision. Next week, I will link my new article here, which I'll be publishing soon. It's largely about my own project.
McKnife

It's not yet published, but should be visible to you
https://www.experts-exchange.com/articles/36692/Going-passwordless.html
Or isn't it?
Éric Moreau

Should it be visible to anybody with the link? I get a permission denied.
McKnife

Ok, good that you let me know.
So it needs to be published, first. Right now, it's complete, but still in editor-review status.
Will let you know when published. Thanks Eric.
McKnife

Finally my article on going passwordless has been published: https://www.experts-exchange.com/articles/36692/Going-passwordless.html