How Attackers Use Graphs to Attack AD
Securing Active Directory
Derek Melber
Securing Passwords: Understanding Complexity Requirements
In a world pushing for MFA, there are still some—okay, most—that rely on passwords alone to help secure their user account access into Active Directory and other network resources. Establishing a password policy that both works for security and is realistic for users can be a difficult task. The one thing to keep in mind is that security has never been easy. Ensuring your users have a secure environment is paramount, but they also need to be able to work within the confines of what you establish.
Complexity requirements for passwords, which can be seen in Figure 1, are an essential part of ensuring user passwords are secure within Active Directory. In my opinion, it is essential that this setting be enabled for every installation of AD. Whether you are a small shop or a huge worldwide organization, the complexity requirements are key to securing passwords.
I often get asked what the password complexity setting actual does. Here is a simple list of the different components for the passwords to meet complexity requirements:Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
• Be at least six characters in length
• Contain characters from three of the following four categories:
– English uppercase characters (A through Z)
– English lowercase characters (a through z)
– Base 10 digits (0 through 9)
– Non-alphabetic characters (for example, !, $, #, %)
A few caveats regarding the Active Directory complexity requirements:
- They can’t be altered without modifying the inner workings of the filter (or using a third-party product)
- Fine-grained password policies have the same setting and the same restrictions/limits but can help define different levels of password policies for different people
- If the minimum password length is set to seven or more characters, it will override the six characters defined in this setting
Finally, I will add that the complexity requirements are not great security. However, without this being set, the chances of your users inputting a password that can be hacked in minutes is slim. I do suggest moving to TFA/MFA authentication for logons, network access, and resource access.