Which Windows Password Policy determines the length of passwords?
Having strong passwords in an Active Directory (AD) network ensures that attackers cannot recover users' passwords with methods such as brute-force and dictionary attacks.
By default, in an Active Directory domain, users are required to change their password every 42 days, and they cannot reuse an old password, at least for some time. Their password must also be seven characters or more and contain a combination of character types, such as digits, uppercase letters, lowercase letters, and non-alphanumeric characters. These password settings are a good starting point, but they might not align with the requirements of your Active Directory organization. In this post, we'll learn how to view and configure an Active Directory domain password policy.

What is the Default Domain Password Policy

The Active Directory domain comes with the "Default Domain Password Policy," which improves security through password hardening. The policy is intended to enforce passwords that have enough complexity, are longer than usual, and expire after some time. It works well together with other policies such as the "account lockout policy," which lets you limit brute-force attacks by capping the allowed number of incorrect logons. To view and edit the password requirements in the Active Directory domain, you use Group Policy Object (GPO) settings.

How to View the Current Domain Password Policy

Password policies are associated with the root domain and are configured through a group policy. To view the current AD domain password policy, follow the next steps:
5. There is another way to get the default password policy for the Active Directory domain, using the PowerShell command-line shell. Open Windows PowerShell as an administrator.

6. Enter the command Get-ADDefaultDomainPasswordPolicy. The command output shows the current password policy along with the account lockout policy settings.

The Password Policy Settings

There are six different password policy settings that you can configure.

1. Enforce Password History

"Enforce Password History" specifies the number of previous passwords stored in Active Directory. The setting forces users to create new, unique passwords by preventing them from reusing old passwords too often. The default value is 24, which means that a user can reuse a given password only after 24 other passwords have been used.

2. Maximum Password Age

"Maximum Password Age" defines the number of days that a password can be used before it must be renewed. It gives the password an expiration date. Once the password has reached its maximum age, the system requests a password change.

3. Minimum Password Age

"Minimum Password Age" determines the number of days a password must be used before users are allowed to change it. This setting supports "Enforce Password History" by stopping users from changing their password many times in quick succession just to cycle back to an old one. It is good to configure this value, but keep it to a minimum so that a compromised password can still be changed promptly. The default value is one day.

4. Minimum Password Length

"Minimum Password Length" determines the least number of characters a password must contain. The default is seven, which means that all passwords must be created with at least seven characters. Be careful: if you set this policy to zero, no password is required at all.

5. Password Must Meet Complexity Requirements

You can only enable or disable this setting.
When you enable it, users are required to create complex passwords that follow certain guidelines. This setting is enabled by default. The requirements are:
6. Store Passwords Using Reversible Encryption

Active Directory encrypts passwords and stores them in its database. Normally, the stored passwords cannot be reversed to plain text. In some cases, however, users need to authenticate to certain applications that require knowledge of the plain-text password to grant access to the domain. Such an application cannot work with the irreversibly stored password, so you would need to enable reversible encryption for it. Enabling this setting is not recommended unless a specific application requires it, and if you must enable it, do so on a per-user basis rather than for the whole domain.

Password Policy Setting Recommendations

The right password policy depends on the type of organization and the applications you run. Your settings can also be guided by compliance regulations such as PCI-DSS, HIPAA, SOX, NIST, and others. A good starting point is the recommendations from Active Directory's own developer, Microsoft. The following is a password policy setting recommendation from Microsoft's Best Practices for Threat Protection.
Configuring a Domain Password Policy

An Active Directory domain can have only one password policy applied through Group Policy. When you configure the Default Domain Password Policy, it affects every account in that domain. If you have a group within the same domain that needs a different set of password requirements, use AD DS fine-grained password policies instead. Although you could create a new GPO in the same domain with different password settings and link it to a specific Organizational Unit (OU), the password settings of that GPO are ignored for domain accounts, because the domain password policy is read only from GPOs linked at the domain level. To change the domain password policy, you go back to the "Default Domain Policy" GPO. We already described how to access and edit this policy; here is a summary.
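The following PowerShell script is an added example, not code from the original post. It ties together the viewing step (Get-ADDefaultDomainPasswordPolicy) and the configuration guidance above: it audits the current domain policy against a baseline, lists accounts that have the per-user reversible encryption exception set, and creates a fine-grained password policy for one group. It assumes the ActiveDirectory module (RSAT) in a domain-joined session with rights to read the domain and create PSOs; the baseline values are the defaults described in the post plus an assumed 14-character minimum, and the group name Tier0-Admins is hypothetical.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Baseline the audit compares against. These are the defaults described in the
# post, except MinPasswordLength, which is an assumed stricter value; adjust to
# your own compliance requirements.
$Baseline = @{
    MinPasswordLength           = 14                          # assumed; default is 7
    PasswordHistoryCount        = 24                          # default
    MaxPasswordAge              = [timespan]::FromDays(42)    # default
    MinPasswordAge              = [timespan]::FromDays(1)     # default
    ComplexityEnabled           = $true                       # default
    ReversibleEncryptionEnabled = $false                      # must stay off domain-wide
}

function Test-DomainPasswordPolicy {
    # Returns one row per setting: current value, expected value, pass/fail.
    $policy = Get-ADDefaultDomainPasswordPolicy
    foreach ($name in $Baseline.Keys) {
        $current  = $policy.$name
        $expected = $Baseline[$name]
        # Length, history and minimum age may be stricter than the baseline;
        # maximum age may be shorter but not zero (zero means "never expires");
        # the two boolean settings must match exactly.
        $ok = switch ($name) {
            'MaxPasswordAge'       { $current -le $expected -and $current -gt [timespan]::Zero }
            'MinPasswordAge'       { $current -ge $expected }
            'MinPasswordLength'    { $current -ge $expected }
            'PasswordHistoryCount' { $current -ge $expected }
            default                { $current -eq $expected }
        }
        [pscustomobject]@{ Setting = $name; Current = $current; Expected = $expected; Pass = $ok }
    }
}

Test-DomainPasswordPolicy | Format-Table -AutoSize

# Accounts with the per-user reversible encryption exception: userAccountControl
# bit 0x80 (ENCRYPTED_TEXT_PWD_ALLOWED), matched with the LDAP bitwise-AND rule,
# so each exception can be reviewed instead of forgotten.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=128)' |
    Select-Object SamAccountName, DistinguishedName

# Fine-grained password policy (PSO) for a single group: the supported way to
# give part of the domain stricter settings than the Default Domain Policy.
# 'Tier0-Admins' is a hypothetical group; lower Precedence wins if several apply.
New-ADFineGrainedPasswordPolicy -Name 'Tier0-Admins-PSO' -Precedence 10 `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false -MaxPasswordAge ([timespan]::FromDays(42)) `
    -MinPasswordAge ([timespan]::FromDays(1))
Add-ADFineGrainedPasswordPolicySubject -Identity 'Tier0-Admins-PSO' -Subjects 'Tier0-Admins'
```

Run the audit part on its own first; the two PSO cmdlets at the end change the directory and should be run once by an account with the appropriate rights.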
Other Password Setting Best Practices

Following the Windows guidelines is a great idea, but you can also use settings outside the domain password policy. For example, the domain password policy works better when combined with password-expiry email notifications, the account lockout policy, password audits, strong administrator passwords, and third-party tools.
Final Words

Users are usually the easiest target within a domain network. The account username and password might be the only security measures protecting their computers. The username might be easy to guess, but weak passwords should never be acceptable: passwords should be complex and difficult to guess. By default, the Default Domain Password Policy is already configured to stop users from creating easy passwords within an AD domain. In some cases, due to regulations or the applications in use, you might need to adjust this policy. If you are going to change the password policy settings, always keep the best practices and recommendations in mind!

What is the Windows Password Policy?

Microsoft accounts: the password must contain characters from two of the following four categories: uppercase characters A-Z (Latin alphabet), lowercase characters a-z (Latin alphabet), digits 0-9.
What is the length of a Microsoft password?

Password security starts with creating a strong password. A strong password is at least 12 characters long (14 or more is better) and uses a combination of uppercase letters, lowercase letters, numbers, and symbols.

What is the maximum length of a password in Windows 10?

Regardless of the policy setting, passwords can be up to 265 characters in length (supported by both AD DS and Azure AD), though the Windows 10 logon GUI limits them to 127 characters, and if you sign in with a Microsoft account the limit is 16.

What is the default password length for a Windows Server domain controller?

Default values: 7 on domain controllers; 0 on stand-alone servers.