With cyberattacks exploding around the world, it’s more important than ever for organizations to have a robust password policy. Hackers often gain access to corporate networks through legitimate user or admin credentials, leading to security incidents and compliance failures. In this article, we will explore how to create and maintain a strong and effective Active Directory password policy.
How Attackers Compromise Corporate Passwords
Adversaries use a variety of techniques to compromise corporate passwords, including the following:
- Brute force attack — Hackers run programs that enter various potential passwords for a particular user account until they hit upon the right one.
- Dictionary attack — This is a specific form of brute force attack that involves trying words found in the dictionary as possible passwords.
- Password spraying attack — Adversaries try common passwords against multiple user accounts to see if they work.
- Credential stuffing attack — Hackers use automated tools to enter lists of credentials against various company login portals.
- Spidering — Adversaries collect as much information as possible about a hacking target and then try out passwords created using that data.
How to View and Edit Active Directory Password Policy
To defend against these attacks, organizations need a strong Active Directory password policy. Password policies define rules for password creation, such as minimum length, complexity (like whether a special character is required) and the length of time the password lasts before it must be changed to a different one.
To configure a domain password policy, admins can use Default Domain Policy, a Group Policy object (GPO) that contains settings that affect all objects in the domain. To view or edit this GPO:
- Open the Group Policy Management Console (GPMC).
- Expand the Domains folder, choose the domain whose policy you want to access and choose Group Policy Objects.
- Right-click the Default Domain Policy folder and click Edit.
- Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
Alternatively, you can access your domain password policy by executing the following PowerShell command:
Get-ADDefaultDomainPasswordPolicy
Remember, any changes you make to a domain’s default password policy apply to every account in that domain. If different groups of users need different rules, you can create and manage fine-grained password policies using the Active Directory Administrative Center (ADAC) in Windows Server.
Understanding AD Password Policy Settings
Here are the six password policy settings and their default values:
- Enforce password history — Default is 24. This setting specifies the number of unique passwords users must create before reusing an old password. Keeping the default value is recommended to reduce the risk of users having passwords that have been compromised.
- Maximum password age — Default is 42 days. This setting establishes how long a password can exist before the system forces the user to change it. Users typically get a pop-up warning when they reach the end of their password expiration period. You can check this setting for a given account from a PowerShell prompt by executing the command net user USERNAME /domain. Keep in mind that forcing frequent password changes can lead to users writing their passwords down or simply appending the month to a stem word they reuse, practices that actually increase security risks. Setting “Maximum password age” to 0 means that passwords never expire (which is generally not recommended).
- Minimum password age — Default is 1 day. This setting specifies how long a password must exist before the user is permitted to change it. Setting a minimum age keeps users from resetting their password repeatedly to circumvent the “Enforce password history” setting and reuse a favorite password immediately.
- Minimum password length — Default is 7. This setting establishes the fewest number of characters a password can have. While shorter passwords are easier for hackers to crack, requiring really long passwords can lead to lockouts from mistyping and to security risks from users writing down their passwords. Best practices recommend a minimum password length of at least 8.
- Complexity requirements — Default is Enabled. This setting details the types of characters a user must include in a password string. Best practices used to recommend leaving this setting enabled, but password length is now seen as a better strategy than complexity or frequent changes. Complexity requirements typically require the password to include a mix of:
- Upper or lowercase letters (A through Z and a through z)
- Numeric characters (0–9)
- Non-alphanumeric characters like $, # or %
- No more than two symbols from the user’s account name or display name
- Store passwords using reversible encryption — Default is Disabled. This setting offers support for apps that require users to enter a password for authentication. Admins should keep this setting disabled because enabling it would allow attackers who know how to break this encryption to log into the network once they compromise the account. As an exception, you can enable this setting when using Internet Authentication Services (IAS) or the Challenge Handshake Authentication Protocol (CHAP).
Fine-Grained Policy and How It’s Configured
Older versions of AD allowed the creation of just one password policy for each domain. The introduction of fine-grained password policies (FGPP) has made it possible for admins to create multiple password policies to better meet business needs. For example, you might want to require admin accounts to use more complex passwords than regular user accounts. It’s important that you define your organizational structure thoughtfully so it maps to your desired password policies.
While you define the default domain password policy within a GPO, FGPPs are set in password settings objects (PSOs). To set them up, open the ADAC, click on your domain, navigate to the System folder and then click on the Password Settings Container.
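The same PSO setup as above, done with PowerShell instead of ADAC. This is an added example and not code from the article or from Netwrix; it assumes the ActiveDirectory RSAT module, a domain functional level of 2008 or higher, and rights to write to the Password Settings Container. The PSO name, the placeholder account and the lockout values are this example's own choices; the password values follow the article's recommendations for admin accounts.

```powershell
# Added example (not from the original article): create a fine-grained password
# policy for privileged accounts with PowerShell rather than through ADAC.
# Assumes the ActiveDirectory module is installed and the caller can create
# objects under CN=Password Settings Container,CN=System,<domain DN>.
Import-Module ActiveDirectory

$psoName = 'PSO-PrivilegedAccounts'   # placeholder name

# Password values follow the article's admin-account recommendations:
# 15-character minimum, history of 10, minimum age of 3 days, no reversible
# encryption. The maximum age and lockout values are illustrative.
$psoParams = @{
    Name                            = $psoName
    Precedence                      = 10      # lowest number wins when several PSOs apply
    Description                     = 'Stricter password rules for privileged accounts'
    MinPasswordLength               = 15
    PasswordHistoryCount            = 10
    MinPasswordAge                  = (New-TimeSpan -Days 3)
    MaxPasswordAge                  = (New-TimeSpan -Days 90)
    ComplexityEnabled               = $true
    ReversibleEncryptionEnabled     = $false
    LockoutThreshold                = 5
    LockoutObservationWindow        = (New-TimeSpan -Minutes 30)
    LockoutDuration                 = (New-TimeSpan -Minutes 30)
    ProtectedFromAccidentalDeletion = $true
}

# Create the PSO only if a policy with this name does not exist yet.
$existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'"
if (-not $existing) {
    New-ADFineGrainedPasswordPolicy @psoParams
}

# PSOs are applied to users or global security groups, never to OUs, so map
# your structure to groups. Here the policy is linked to Domain Admins.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verify the effective policy for one administrator (placeholder account):
# the resultant policy should now be this PSO, not the Default Domain Policy.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, ComplexityEnabled
```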
NIST SP 800-63 Password Guidelines
The National Institute of Standards and Technology (NIST) is a federal agency charged with issuing controls and requirements around managing digital identities. Special Publication 800-63B covers standards for passwords. Revision 3 of SP 800-63B, issued in 2017 and updated in 2019, is the current standard.
These guidelines provide organizations with a foundation for building a robust password security infrastructure. NIST recommendations include the following:
- Require user-generated passwords to be at least 8 characters long (6 for machine-generated ones).
- Allow users to create passwords up to 64 characters long.
- Allow users to use any ASCII/Unicode characters in their passwords.
- Disallow passwords with sequential (“12345” or “abcd”) or repeated (“kkkk”) characters.
- Do not require frequent password changes. Although for years, many organizations have required users to change their passwords frequently, this policy often leads to users making incremental changes to a base password, writing their passwords down, or experiencing lockouts because they forget their new passwords. Accordingly, the latest NIST 800-63B standards call for using password expiration policies carefully. More recent research suggests that better alternatives include using banned password lists, using longer passphrases and enforcing multi-factor authentication (MFA) for additional security.
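A check that applies the NIST rules listed above to a candidate password, written as an added example (it is not NIST's or the article's code). The function and parameter names are this example's own, and the banned list is a constructed sample standing in for a real breached-password feed.

```powershell
# Added example (not from NIST or the original article): evaluate a candidate
# password against the SP 800-63B rules listed above. The banned list is a
# constructed sample; in production use a breached-password feed instead.
$BannedPasswords = @('password', 'welcome1', 'summer2023', 'letmein', 'qwerty')

function Test-PasswordAgainstNistRules {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [string[]]$BannedList = $BannedPasswords,
        [int]$RunLength = 4      # "abcd", "1234" and "kkkk" are runs of 4
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # Length: at least 8 for user-chosen passwords, and allow up to 64.
    if ($Password.Length -lt 8)  { $findings.Add('shorter than 8 characters') }
    if ($Password.Length -gt 64) { $findings.Add('longer than 64 characters') }

    # Repeated ("kkkk") and sequential ("abcd", "12345", also "dcba") runs,
    # detected from the difference between adjacent character codes.
    $repeat = 1; $asc = 1; $desc = 1
    for ($i = 1; $i -lt $Password.Length; $i++) {
        $delta  = [int]$Password[$i] - [int]$Password[$i - 1]
        $repeat = if ($delta -eq 0)  { $repeat + 1 } else { 1 }
        $asc    = if ($delta -eq 1)  { $asc + 1 }    else { 1 }
        $desc   = if ($delta -eq -1) { $desc + 1 }   else { 1 }
        if ($repeat -ge $RunLength) {
            $findings.Add("repeated run ending at position $i"); break
        }
        if ($asc -ge $RunLength -or $desc -ge $RunLength) {
            $findings.Add("sequential run ending at position $i"); break
        }
    }

    # Banned / breached list (-contains is case-insensitive in PowerShell).
    if ($BannedList -contains $Password.ToLowerInvariant()) {
        $findings.Add('appears on the banned password list')
    }

    # Context-specific check: the account name must not be part of the password.
    if ($UserName -and $Password.ToLowerInvariant().Contains($UserName.ToLowerInvariant())) {
        $findings.Add('contains the user name')
    }

    [pscustomobject]@{
        Acceptable = ($findings.Count -eq 0)
        Findings   = $findings.ToArray()
    }
}

# Constructed sample candidates for a user named jdoe.
foreach ($candidate in @('Summer2023', 'abcd1234!', 'correct horse battery staple', 'jdoe-Winter!')) {
    $r = Test-PasswordAgainstNistRules -Password $candidate -UserName 'jdoe'
    '{0,-30} acceptable={1} {2}' -f $candidate, $r.Acceptable, ($r.Findings -join '; ')
}
```

Only the passphrase passes: the first candidate is on the banned list, the second contains the sequential run "abcd", and the last contains the user name.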
AD Password Policy Best Practices
Summary of Best Practices
- Set a minimum password length of at least 8 characters.
- Enforce a password history policy that looks back at the last 10 passwords of a user.
- Make the minimum password age 3 days to keep users from quickly rotating through historical passwords and setting a previous one.
- Check proposed new passwords against banned password lists, lists of breached passwords and password dictionaries.
- Reset local admin passwords every 180 days (consider using the free Netwrix Bulk Password Reset tool for that).
- Reset device account passwords at least once per year.
- Require passwords for domain admin accounts to be at least 15 characters long.
- Set up email notifications to let users know passwords are about to expire (the free Netwrix Password Expiration Notifier tool can help).
- Consider creating granular password policies to link with specific organizational units instead of editing the Default Domain Policy settings.
- Consider using password management tools to store passwords.
- Enable users to change passwords via a web browser and help them pick compliant new passwords.
- Set up account lockout policies to avoid brute force attacks.
For more information, read our password policy best practices for strong security in AD.
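An audit script that reads the policy with Get-ADDefaultDomainPasswordPolicy, as shown earlier, and compares it and every fine-grained policy against the thresholds in the summary above. It is an added example, not the article's or Netwrix's code; it assumes the ActiveDirectory RSAT module and read access to the domain, and the function and $Baseline names are this example's own.

```powershell
# Added example (not from the original article): audit the default domain
# password policy and every PSO against the best-practice values listed above.
Import-Module ActiveDirectory

$Baseline = @{
    MinPasswordLength    = 8      # 15 for policies that cover domain admins
    PasswordHistoryCount = 10
    MinPasswordAgeDays   = 3
    MaxPasswordAgeDays   = 180    # upper bound used by this check
}

function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,          # Get-ADDefaultDomainPasswordPolicy or PSO output
        [Parameter(Mandatory)] [string]$Label,
        [int]$MinLength = $Baseline.MinPasswordLength
    )
    $issues = [System.Collections.Generic.List[string]]::new()

    if ($Policy.MinPasswordLength -lt $MinLength) {
        $issues.Add("minimum length $($Policy.MinPasswordLength) is below $MinLength")
    }
    if ($Policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
        $issues.Add("history of $($Policy.PasswordHistoryCount) is below $($Baseline.PasswordHistoryCount)")
    }
    if ($Policy.MinPasswordAge.TotalDays -lt $Baseline.MinPasswordAgeDays) {
        $issues.Add("minimum age $($Policy.MinPasswordAge.TotalDays) days is below $($Baseline.MinPasswordAgeDays)")
    }
    # A maximum age of 0 means passwords never expire; negative values cover the
    # "never expires" representation some policy objects report.
    $maxDays = [int]$Policy.MaxPasswordAge.TotalDays
    if ($maxDays -le 0 -or $maxDays -gt $Baseline.MaxPasswordAgeDays) {
        $issues.Add("maximum age $maxDays days is outside 1..$($Baseline.MaxPasswordAgeDays)")
    }
    if ($Policy.ReversibleEncryptionEnabled) { $issues.Add('reversible encryption is enabled') }
    if ($Policy.LockoutThreshold -eq 0)      { $issues.Add('no account lockout threshold') }

    [pscustomobject]@{
        Policy    = $Label
        Compliant = ($issues.Count -eq 0)
        Issues    = ($issues -join '; ')
    }
}

# Default Domain Policy first.
$results = @(Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy) -Label 'Default Domain Policy')

# Then each PSO; one applied to Domain Admins is held to the 15-character bar.
foreach ($pso in (Get-ADFineGrainedPasswordPolicy -Filter *)) {
    $subjects  = Get-ADFineGrainedPasswordPolicySubject -Identity $pso.Name
    $minLength = if ($subjects.Name -contains 'Domain Admins') { 15 } else { $Baseline.MinPasswordLength }
    $results  += Test-PasswordPolicyBaseline -Policy $pso `
        -Label "PSO $($pso.Name) (precedence $($pso.Precedence))" -MinLength $minLength
}

$results | Format-Table -AutoSize
```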
User Training
User training is as crucial as your password policy. Educate your users on the following rules of behavior:
- Don’t write down passwords. Instead, pick strong passwords or passphrases you can recall easily, and use a password management tool.
- Don’t type your password when anyone is watching.
- Understand that URLs beginning with “HTTPS://” are more secure than those that begin with “HTTP://”.
- Don’t use the same password for multiple websites that provide access to sensitive information.
FAQ
How do I find and edit my Active Directory password policy?
You can find your current AD password policy for a specific domain either by navigating to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy via the management console, or by using the PowerShell command Get-ADDefaultDomainPasswordPolicy.
Are passwords encrypted in Active Directory?
Yes. Passwords created by a user go through a one-way hashing algorithm, and only the resulting hash is stored.
What is Active Directory password complexity?
Complexity requirements control the characters that can or cannot be included in a password. For example, users might be prevented from using sequential characters or digits, or required to include at least one number and one lowercase letter in the password.
What is Windows Server password policy?
Windows Server password policy controls passwords for accessing Windows servers.
How do I find, edit or disable a password policy in Windows Server?
Locate the GPO through the Group Policy Management Console and click Edit.
What is a good password policy?
Best practices include the following:
- Make users create at least 10 new passwords before reusing an old one.
- Compare proposed new passwords against lists of breached passwords and password dictionaries.
- Apply a minimum password age of 3 days.
- Make users create passwords that are at least 8 characters long.
- Disable reversible encryption.
Jeff Melnick
Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.
FAQs
What are the best practices for password policy in Microsoft Active Directory?
Best practices for password policy
Enforce password history policy with at least 10 previous passwords remembered. Set a minimum password age of 3 days. Enable the setting that requires passwords to meet complexity requirements. This setting can be disabled for passphrases but it is not recommended.
An Active Directory password policy is a set of rules that define what passwords are allowed in an organization, and how long they are valid. The policy is enforced for all users as part of the Default Domain Policy Group Policy object, or by applying a fine-grained password policy (FGPP) to security groups.
What is the default password policy in Active Directory?
By default, the Active Directory domain password policy has the following settings: Enforce password history – the default value is 24 passwords. This means users cannot reuse a password until 24 passwords later.
How do you set a policy in Active Directory?
Open Group Policy Management by navigating to the Start menu > Windows Administrative Tools, then select Group Policy Management. Right-click Group Policy Objects, then select New to create a new GPO. Enter a name for the new GPO that lets you easily identify what it is for, then click OK.
How do I apply a policy in Active Directory?
Open the Group Policy Management console. In the navigation pane, expand Forest:YourForestName, expand Domains, expand YourDomainName, and then click Group Policy Objects. Click Action, and then click New. In the Name text box, type the name for your new GPO.
What are the 4 recommended password practices?
- Never reveal your passwords to others. ...
- Use different passwords for different accounts. ...
- Use multi-factor authentication (MFA). ...
- Length trumps complexity. ...
- Make passwords that are hard to guess but easy to remember.
- Complexity still counts. ...
- Use a password manager.
How do I change the minimum password age in Active Directory?
Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum Password Age" to at least "2" days.
Can you have multiple password policies in Active Directory?
In newer versions of AD, you can create multiple password policies for different users or groups using Fine-Grained Password Policies (FGPP). Fine-Grained Password Policies let you create and enforce different Password Settings Objects (PSOs).
What are password policy requirements?
A password policy defines the password strength rules that are used to determine whether a new password is valid. A password strength rule is a rule to which a password must conform. For example, password strength rules might specify that the minimum number of characters of a password must be 5.
How do I enforce password policy in Windows 10?
Click on the Account Policies setting, followed by the Password Policy option. Among the Password Policy options is Enforce password history, which allows the administrator to define the number of unique passwords required per user before an old password can be reused.
What is an Active Directory (Group) policy?
AD Group Policies are critical pieces of instructions in an AD environment that an IT administrator can configure. AD group policies determine the behavior and privileges of users and computers. Group Policies are primarily a security solution for the AD network.
How do I view and set LDAP policy in Active Directory?
- At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER.
- At the LDAP policy command prompt, type Set <setting> to <variable> , and then press ENTER. ...
- You can use the Show Values command to verify your changes. ...
- When you finish, type q , and then press ENTER.
An Active Directory environment means that you must have at least one server with the Active Directory Domain Services installed. Group Policy allows you to centralize the management of computers on your network without having to physically go to and configure each computer individually.
How do I view Active Directory policies?
Click the 'AD Mgmt' tab. In the 'GPO Management' section click on the 'GPO Management' link. In the 'Group Policy Management' pane on the left-hand side, click on 'All Domains' to expand the link and view all the configured domains. Click on the required Domain/OU.
Where are Active Directory policies stored?
Local Group Policy is stored in the %windir%\system32\grouppolicy directory (usually C:\windows\system32\grouppolicy). Each policy you create gets its own folder, named with the security ID (SID) of the corresponding user object.
What are 5 characteristics of a strong password policy?
- At least 12 characters long but 14 or more is better.
- A combination of uppercase letters, lowercase letters, numbers, and symbols.
- Not a word that can be found in a dictionary or the name of a person, character, product, or organization.
- Significantly different from your previous passwords.
What are the best password policy practices 2022?
Password security best practices for every employee
Passwords should be 8-12 characters long. Use a mix of letters, numbers, and symbols. Vary with upper case and lower case letters (in applicable languages). Avoid recycling the same password across multiple accounts.
Which method is recommended to manage passwords?
Use a password manager.
How do you enforce a strong password policy?
- Enforce Password History. Do not use the same password for every site, application and service. ...
- Set Maximum Password Age. ...
- Set Minimum Password Age. ...
- Limit Login Time. ...
- Send Email Notifications. ...
- Set Complexity Requirements. ...
- Create a Passphrase. ...
- Implement Multi-Factor Authentication.
What are the 3 main types of password attacks?
- Phishing. Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will reveal your personal information voluntarily. ...
- Man-in-the-Middle Attack. ...
- Brute Force Attack. ...
- Dictionary Attack. ...
- Credential Stuffing. ...
- Keyloggers.
How are passwords stored in Active Directory?
Passwords stored in AD are hashed, meaning that once the user creates a password, an algorithm transforms that password into an encrypted output known as a “hash”. Hashes are of fixed size, so passwords of different lengths will have the same number of characters.
How many password policies per domain?
Therefore, there can be only one password policy for all of the domain users in a single domain. To see the resulting password policy, you can run secpol.msc from the command line of any of the domain controllers in your domain.
How do I change multiple user passwords in Active Directory?
- Log on to ADManager Plus and click the Management tab.
- Go to the User Management section and select the Reset Password feature under the Bulk User Modification section.
Set Maximum password age to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources.
What is maximum password age policy?
The Maximum password age policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0.
How to check maximum password age in Active Directory?
Checking Password Expiration Date with the Net User command
A really easy way to tell when an AD user account password expires is to use the Net User command. This command is part of the “net commands” that allow you to add, remove, or modify user accounts on a computer.
What is the difference between fine-grained password policy and GPO in AD?
The fine-grained password policy (FGPP) is specific to Microsoft Active Directory. The password settings in a group policy object (GPO) are applied at the domain level only. If you have multiple organizational units (OU or departments) or groups, you cannot enforce password settings at the OU or group level.
What is the difference between default domain password policy and fine-grained password policy?
Unlike the default password and account lockout domain policies, Fine-Grained Password Policies are set in password settings objects (PSO) in AD and not using Group Policy. There are two main ways you can configure PSOs: using the Active Directory Administrative Center (ADAC), or using PowerShell.
What is one problem with most password policies?
Password policies fail to solve the wider problems of user authentication. Even in the unlikely event that a policy is strong, up-to-date, and adhered to by all members of staff, password policies ultimately fail to solve the inherent weaknesses of credentials as an authentication mechanism.
What are three (3) best practices for creating and using passwords?
- Create A Strong, Long Passphrase. ...
- The US National Institute of Standards and Technology (NIST) recommends creating long passphrases that are easy to remember and difficult to crack. ...
- Apply Password Encryption. ...
- Implement Two-Factor Authentication. ...
- Add Advanced Authentication Methods.
A strong password must be at least 8 characters long. It should not contain any of your personal information, specifically your real name, username or your company name. It must be very different from your previously used passwords. It should not contain any word spelled completely.
What is the best practice for domain admin password?
For the domain admin account, use a long password of 20+ characters. Ideally the domain admin account's password should be locked away so only senior staff members know the password in emergencies. Another way to keep your account secure is to require a smart card, and to deny log on as a service, as a batch job, or through RDP.
What are the best practices of NIST password policy?
NIST now recommends a password policy that requires all user-created passwords to be at least 8 characters in length, and all machine-generated passwords to be at least 6 characters in length. Additionally, it's recommended to allow passwords of at least 64 characters as a maximum length.
The Drawbacks of Password Complexity Rules
Password complexity only scales up to a certain point. Beyond a certain point, a complex password can be difficult to crack if the number of possible combinations is extremely high, but it can also be too complex to be useful to users.
How do I make Active Directory more secure?
- Restrict use of privileged domain accounts. ...
- Use secure administrative hosts for privileged AD access. ...
- Monitor Windows Event Log for signs of Active Directory security compromise.
- Audit Active Directory security periodically for misconfigurations and over-privileged users.
The Administrators group has full permissions on all domain controllers in the domain. By default, the Domain Admins group is a member of the local Administrators group on each member machine in the domain. It is also a member of the domain's Administrators group, so the Domain Admins group has more permissions than the Administrators group.
Does NIST no longer recommend changing passwords?
The NIST Alternative to Periodic Password Changes
Instead of password expiration policies, NIST points to a better alternative: enforcing a password list. Also known as a password deny list, banned password list, or password dictionary, such a list contains password values known to be commonly used or compromised.