One of the first things I do after I set up a new domain is change the default Active Directory password policy. If you didn’t do this, you have a security problem. In addition, you are wasting your organization’s money.
By Michael Pietroforte

Group Policy settings

The password policy is configured via Group Policy and can be found at Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy:

Default password policy

The default GPO link in the Group Policy Management console is right under the domain:

Default Domain Policy GPO link

Password policy best practices?

You might think that, because the default Active Directory password policy is used in myriad networks around the globe, it is based on scientific research. It is more likely that Abe Singer and Warren Anderson (PDF) are right in their assumption:

Most of the ‘best practices’ in use today are based largely on folklore or, in some cases, on severely outdated theories of password strength.

In the paper, they mostly discuss Microsoft’s best practices.

From the recommendation about the maximum password age, you can infer exactly what kind of data these best practices are based on:

Where security is a concern, good values are 30, 60, or 90 days. Where security is less important, good values are 120, 150, or 180 days.

If you are now confused and still don’t know what maximum password age is good for your network, I recommend that you run the following command, which just translates Microsoft’s recommendation into PowerShell:

Get-Random -Minimum 30 -Maximum 181   # -Maximum is exclusive, so 181 lets 180 be drawn as well

If you can answer the question whether security is “less important or more important,” you can change the parameters accordingly.

Seriously, I can’t take such “best practices” articles seriously. The rest of the article is in the same style. All you know after reading the article is that it is really totally up to you. The truth is that there is no such thing as “best practices” when it comes to password policies. It is like trying to write a general dress code that works for Alaska, Africa, and Amalthea.

Factors influencing the password policy

And this is not only about the level of security a company requires. Another important factor is the technical environment in which your network lives. For instance, it makes a huge difference whether users can log on via the Internet (hopefully VPN) and whether your domain controllers are safe behind a well-configured firewall. Of course, many other factors exist such as network size, physical security, or Windows versions.

Perhaps even more important than technical factors are social factors. The more technical security has improved in our networks, the more important social engineering has become for hackers. Thus, you have to answer the question of what kind of users you have. Are they more like the naïve fellow who would give the password to anyone who claims to be an admin in an email, or have your users been trained against social engineering attacks?

Now, you could say that if it is unclear what password policy is best for your environment, you simply set the strictest policy to be on the safe side. This is most certainly the worst thing you can do. You would only be on the safe side with wasting your company’s money. Tight password policies significantly increase costs because you will need more support personnel to help users with forgotten passwords. Perhaps the lost productivity when users can’t work because they can’t log on (trying to remember all morning the new password they were forced to set yesterday) is even more significant.

So what can you do if no best practices exist for password policies? All I can do is give you a few tips. Much of what I say now is based on my own views and experience. Of the password policy settings you see in the screenshot above, only four really matter: maximum password age, minimum password length, password complexity, and reversible encryption.

Reversible encryption

The last one is easy. Don’t change the default setting of “disabled.” You only need to decrypt Active Directory passwords if you have to sync them with a database. You must have good reasons if you change the default setting, because allowing reversible encryption significantly reduces security.

Password complexity

I also wouldn’t change the default password complexity setting. It is true that requiring password complexity makes it more likely that a user will forget the password, but with a little user training you can easily solve the problem. I recommend giving users a procedure that helps them choose a good password that is easy to remember.

One option is to choose a sentence that they can memorize easily and then choose the first letter of each word for the password. Perhaps half of the password could be in capital letters and the other half in lowercase ones. Mix in a non-alphabetic character at the beginning, middle, or end and you have a fine password.
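To make the complexity requirement concrete, here is a small PowerShell function, added to this article as an example and not part of the original text, that checks a candidate password the way a domain controller does when “Password must meet complexity requirements” is enabled: characters from at least three of the character categories, and no occurrence of the account name. It also applies the 10-character minimum recommended further down. The function name, the sample sentence and the account name jsmith are constructed for the example.

```powershell
# Added example, not part of the original article. Emulates the checks behind the
# "Password must meet complexity requirements" setting (characters from at least
# three categories, no occurrence of the account name) and adds the article's
# 10-character minimum. Function name and sample data are constructed for the example.
function Test-PasswordCandidate {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $MinLength = 10
    )
    $reasons = @()

    # Minimum length is a separate policy setting; 10 is the article's recommendation
    if ($Password.Length -lt $MinLength) {
        $reasons += "length $($Password.Length) is below the minimum of $MinLength"
    }

    # Complexity: at least three of these categories (-cmatch is case-sensitive)
    $categories = @(
        ($Password -cmatch '[A-Z]'),        # uppercase letter
        ($Password -cmatch '[a-z]'),        # lowercase letter
        ($Password -match  '[0-9]'),        # digit
        ($Password -match  '[^A-Za-z0-9]')  # symbol, space or other non-alphanumeric
    )
    $met = @($categories | Where-Object { $_ }).Count
    if ($met -lt 3) {
        $reasons += "only $met of 4 character categories used; complexity requires 3"
    }

    # Complexity also rejects a password containing the account name (case-insensitive);
    # Windows skips this check for names shorter than three characters. The display-name
    # token check that Windows performs as well is omitted here.
    if ($SamAccountName.Length -ge 3 -and $Password -match [regex]::Escape($SamAccountName)) {
        $reasons += "contains the account name '$SamAccountName'"
    }

    [pscustomobject]@{
        Password = $Password
        Accepted = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed samples. The accepted candidate follows the procedure from the text:
# sentence "My dog Rex eats two cans of food every single day" -> first letters
# "MdRetcofesd" -> first half upper case, second half lower case -> a digit and a
# symbol mixed in.
$samples = @(
    'mdretco',            # seven lowercase letters: too short, one category
    'MDRETcofesd',        # long enough, but only two categories
    'MDRET2cofesd!',      # meets length and complexity
    'jsmithRET2cofesd!'   # rejected: contains the account name
)
$samples | ForEach-Object { Test-PasswordCandidate -Password $_ -SamAccountName 'jsmith' } |
    Format-Table Password, Accepted, Reasons -AutoSize
```

The third candidate is the only one accepted; the first two fail on length or on the category count, and the last one shows why a password built around the user’s own login name is refused even though it is long and mixed.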

Many security experts recommend setting a random password (such as in the paper mentioned above). This advice typically comes from security experts who are too focused on technology.

I am totally against this practice. This will not only increase costs but also reduce security. Nobody can remember those random passwords. The result is that users will pin the passwords on their monitors. You can tell them a thousand times that they mustn’t do this, but they will do it anyway.

This is not the only security problem. Users will get the passwords from their neighbors to read their emails or, even worse, write emails from the accounts of others. Trust me, they will!

Minimum password length

The default minimum password length is an outdated setting. A password consisting of seven characters is no longer adequate. Many security experts say 10 characters is currently the state of the art, and I agree. This number is not based on folklore but on actual penetration tests. If you give your users tips for thinking of a good password they can easily remember, a password length of 10 is not really a problem.

However, as mentioned above, this can't be a general recommendation. Environments exist where no password is fine (test environments without Internet access, for instance), and in some situations you need a password where 10 characters appear to be ridiculously small (servers with direct high-speed Internet access that store confidential data, for instance). Nobody can remove the responsibility from you to analyze your own situation. The 10 characters are just the minimum you need in the average brick-and-mortar business.

Maximum password age

With long passwords, you can also be more generous with the maximum password age. This setting is the most crucial one when it comes to annoying users and increasing costs. The default setting of 42 days does not make sense at all to me. As with random passwords, users will start pinning passwords because, at some point, they will get tired of calling the help desk every 42 days.

The maximum password age is supposed to help against brute force attacks. However, it is the worst method for this purpose. Let me cite another paragraph from the Singer-Anderson paper:

The FIPS guidelines actually acknowledge that the load on users created by frequent password changes creates its own risks, which in many contexts outweigh those created by changing a password less frequently.

Much better measures exist against brute force attacks. One is longer passwords.

Also important is the account lockout threshold policy. It is disabled by default, which is not good. I have had good experiences with a maximum of five invalid login attempts.

Default account lockout threshold

This policy protects much better against brute force attacks than does the maximum password age and has the advantage that users don’t blame you if they mistyped the password too often because they know they made a mistake. However, if you set a strict maximum password age, you are the one who prevents them from getting their work done.

In addition, you should have an intrusion detection/prevention solution that detects brute force attacks and illegitimate account usages. These are much more appropriate measures than imposing a maximum password age is.

Security experts may stone me to death for saying this, but disabling the maximum password age altogether is quite fine with me if you follow the other tips above. The security benefits of this policy are out of proportion to its costs. It is better to throw in a manual password reset round if your intrusion detection system discovers unusual activity. And if you are afraid that you will be blamed in case of a security incident, you can set a high maximum password age such as 180 days.
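The settings discussed above can be read back from the domain with the ActiveDirectory PowerShell module. The following script is an added example, not from the original article, that audits the current domain-wide policy against the recommendations given here. It assumes a domain-joined machine with RSAT (the ActiveDirectory module) and uses the current user’s domain; the function name and the thresholds are this example’s own. The password attributes of the domain object are controlled by the GPO linked at the domain level, so the lasting change belongs in the Default Domain Policy GPO as shown in the screenshots; a value written directly with Set-ADDefaultDomainPasswordPolicy is reasserted by the GPO at the next refresh, which is why the script only previews that call with -WhatIf.

```powershell
# Added example, not part of the original article. Reads the domain-wide password
# policy with the ActiveDirectory module and reports where it still matches the
# defaults the article argues against. Assumes RSAT / the ActiveDirectory module on a
# domain-joined machine and the current user's domain; the thresholds are the article's.
Import-Module ActiveDirectory

function Get-PasswordPolicyFindings {
    param([Parameter(Mandatory)] $Policy)   # output of Get-ADDefaultDomainPasswordPolicy
    $findings = @()
    if ($Policy.MinPasswordLength -lt 10) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); the article recommends at least 10"
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += "ComplexityEnabled is false; keep the default of enabled"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled is true; disable it unless a sync requirement exists"
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0 (lockout disabled); the article uses 5 invalid attempts"
    }
    # MaxPasswordAge is a TimeSpan; 00:00:00 means passwords never expire
    if ($Policy.MaxPasswordAge.TotalDays -gt 0 -and $Policy.MaxPasswordAge.TotalDays -lt 180) {
        $findings += "MaxPasswordAge is $($Policy.MaxPasswordAge.Days) days; the article suggests 180 or none"
    }
    return $findings
}

$domain  = (Get-ADDomain).DNSRoot
$current = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Show what the domain enforces today
$current | Select-Object MinPasswordLength, ComplexityEnabled, ReversibleEncryptionEnabled,
    MaxPasswordAge, MinPasswordAge, PasswordHistoryCount,
    LockoutThreshold, LockoutDuration, LockoutObservationWindow | Format-List

# Report the deviations from the article's recommendations
$findings = @(Get-PasswordPolicyFindings -Policy $current)
if ($findings.Count -eq 0) { 'No findings' } else { $findings }

# Preview of the same change written directly to the domain object (-WhatIf makes no change).
# Because the domain-linked GPO controls these attributes, make the lasting change in the
# Default Domain Policy GPO; a value set here is overwritten when the GPO is refreshed.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 10 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -MaxPasswordAge (New-TimeSpan -Days 180) `
    -WhatIf
```

On an untouched domain the findings list reports the 7-character minimum, the disabled lockout threshold and the 42-day age; once the GPO has been edited and refreshed on the PDC emulator, rerunning the audit shows whether the new values have actually reached the domain object.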

Another thing that is wrong with the default Active Directory password policy is that it applies its settings to the entire domain. Of course, you must differentiate between admins and perhaps also between users depending on rank. I would even set a maximum password age for admins. They are used to handling passwords and often can reset their passwords from a second account. Of course, it would also be helpful if you had a self-service password reset tool for end users. This would allow you to set a stricter password policy.
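Active Directory has a mechanism for exactly this differentiation: fine-grained password policies (password settings objects), available since the Windows Server 2008 domain functional level, attach a separate policy to a global security group or to individual users while the Default Domain Policy keeps covering everyone else. The script below is an added example, not the article’s own, that gives Domain Admins their own stricter settings and then verifies which policy each admin account actually receives. The PSO name Admins-PSO, the 15-character minimum and the 90-day age are illustrative choices.

```powershell
# Added example, not part of the original article. Attaches a stricter password policy to
# the Domain Admins group with a fine-grained password policy (password settings object),
# leaving the Default Domain Policy for everyone else. Requires the Windows Server 2008
# domain functional level or later and the ActiveDirectory module. The PSO name and the
# 15-character / 90-day values are illustrative choices.
Import-Module ActiveDirectory

$psoName = 'Admins-PSO'

# Lower precedence wins if several PSOs apply to the same user.
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -Description 'Stricter settings for privileged accounts (added example)'

# PSOs bind to users and global security groups, not to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Check which policy each admin account actually receives (resultant PSO);
# no result means the account falls back to the Default Domain Policy.
Get-ADGroupMember -Identity 'Domain Admins' |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $pso = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        $effective = 'Default Domain Policy'
        $minLength = $null
        $maxAge    = $null
        if ($pso) {
            $effective = $pso.Name
            $minLength = $pso.MinPasswordLength
            $maxAge    = $pso.MaxPasswordAge
        }
        [pscustomobject]@{
            Account           = $_.SamAccountName
            EffectivePolicy   = $effective
            MinPasswordLength = $minLength
            MaxPasswordAge    = $maxAge
        }
    } | Format-Table -AutoSize
```

Because a PSO applies to group members, admins who work from a separate privileged account get the stricter rules on that account only, while their everyday user account stays under the domain-wide policy.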

How did you set the password policy in your domain?

18 Comments
  1. Alex H 7 years ago

    If you change a current policy it will apply to all users which are currently in AD and everyone has to change the password to reflect the changes or just to new users which are created in AD after the policy was modified?

    • Author

Alex, you don’t have to assign the policy to all users. You can organize users in containers and then apply the GPO only to selected containers. New computer policies usually apply when the computer is restarted or every 90 minutes. Once a policy is applied to a computer, all users who log in to this computer are affected.

  2. Alex H 7 years ago

Thanks Michael; I would need to apply it to all users (audit req) but I would like to do it in steps (we have 12 months to do it…).

    As far as I read, only when the Maximum Password Age is modified will it trigger the password change for all users; if I modify all the other options, it will only apply when a new password change is triggered by the user. Difficult to find this info clearly stated by Microsoft.

    • Author

      You mean the password length and the password complexity? I never tried this, but I guess you are right. Only when a user actually has to change the password do these policies become relevant.

  3. Alex H 7 years ago

Yes, plus all the others:

    Enforce password history
    Maximum password age
    Minimum password age
    Minimum password length
    Password must meet complexity requirements

    I believe that only the maximum password age, when changed, will force all users to change passwords;

    of course exception would be for the ones who have: password never expires ( e.g. service accounts).

  4. Author

    Yes, I guess the minimum password age probably won’t have an effect either. However, in my view this policy doesn’t really make sense. I think a user should be able to change the password any time.

  5. Alex H 7 years ago

Well, the only reason it is there is so users don’t bypass password history; if you set Enforce Password History = 5 … then most users who don’t want to change passwords every 90 days, for example, will change the password 5 times and then put back the old one…

  6. Author

    That’s funny. I never experienced such persistent users. I guess users develop such strategies if you force users to change their passwords too often. As outlined in the article, forcing frequent password changes on users doesn’t really help to improve security.

7. Hi Michael,

    Would you have a step-by-step document detailing how to set up a password policy for users?

    thanks

  8. Alex 7 years ago

I can confirm that for Domain Level 2008 R2, if you don’t change Maximum Password Age, users would not be forced to change the password.

    I changed:

    Enforce password history
    Minimum password age
    Minimum password length
    Password must meet complexity requirements

    and it only applies to new users or users who decide to change their password.

    I also changed these:

    Account lockout duration
    Account lockout threshold
    Reset account lockout counter after

    which apply to all accounts with immediate effect.

  9. Kingston 6 years ago

You mentioned “Maximum password length” in your article. Did you actually mean “MINIMUM password length”? Because we are trying to set a maximum limit and there doesn’t appear to be a way in the Group Policy.

  10. ssss 5 years ago

If I read this correctly, then you are suggesting to change the minimum length and lockout policy only. How is not changing these wasting the company’s money? Your opening is a bit harsh, I’d say.

  11. PAUL MOORE 3 years ago

Responding late, but I just messed around with Max Pwd Age on a default Win2016 server and noticed the 42. I must believe this is an attempt at humor by using the Answer to the Ultimate Question of Life, the Universe and Everything from the Hitchhiker’s Guide. Here's Adams himself:

    “It was a joke. It had to be a number, an ordinary, smallish number, and I chose that one. Binary representations, base thirteen, Tibetan monks are all complete nonsense. I sat at my desk, stared into the garden and thought ‘42 will do.’ I typed it out. End of story.”

    • Author

Lol. I didn’t notice that even though I am a big Douglas Adams fan. Maybe the author of the max password age policy was aware of the fact that it does not make any sense whatsoever and so he chose 42 to secretly communicate his message so that his superiors won’t notice. 😉

      …and thanks for all the comments.

© 4sysops 2006 - 2023