The top 3 drawbacks to Microsoft password policies

We have all been living with the Microsoft password policy solution for many years now. It has, for the most part, sufficed until now, but today's password security requirements expose distinct drawbacks in the Microsoft solution that all corporations need to consider to protect themselves against hackers. Even with Microsoft Windows Server 2012 R2, the password policy is weak and omits some key functions that every password policy should include.

First, all password policies should integrate into the directory service structure, making the settings easy to deploy. Microsoft password policies, even fine-grained password policies (FGPPs), fail to work with the organizational unit (OU) structure that organizations have built and rely on every day. The password policy driven by Group Policy follows a "one size fits all" model, forcing every user in the entire domain to adhere to the same requirements. FGPPs allow multiple password policies in the same domain, but they are not deployed using Group Policy and can only affect users based on group membership.

Second, studies have shown that humans follow distinct behavioral patterns when choosing passwords. For example, most user passwords start with an uppercase letter, do not include special characters ($, %, &, etc.), and often increment by a single digit for each new password (Password1, Password2, Password3, etc.). With these patterns in mind, an attacker can drop special characters from the search space and try the common patterns first when cracking a password. A good password policy needs controls that prevent users from creating these types of passwords.

Third, to remember their passwords easily, users will often use words that can be found in a dictionary or an attack dictionary. These attack dictionaries often contain common dictionary words with character replacements (P@$$w0rd, Am3r!c@, etc.). A good password policy should allow the import of multiple dictionaries, check every new password against them, and deny any password that contains a word found in one of the dictionaries.
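The second and third drawbacks above describe the checks a password policy should perform at password-change time: reject the predictable human patterns (single leading uppercase letter, no special characters, a short digit suffix, a digit-only increment of the previous password) and reject anything that contains a dictionary word even after attacker-style character substitutions. The following Python is an added example of such a filter, not code from the original post or from ManageEngine; the two word lists and the leetspeak substitution table are constructed sample data standing in for imported dictionaries, and the `previous` password is assumed to be available in plaintext only at the moment the user submits the change, as a password filter would see it.

```python
import re

# Character substitutions an attack dictionary already tries (constructed
# sample table). Candidate passwords are normalised with it before the
# dictionary lookup so that P@$$w0rd is compared as "password".
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "|": "l",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
})

# Constructed sample dictionaries; a real deployment would import full
# word lists (language dictionaries, company terms, breached passwords).
DICTIONARIES = {
    "english": {"password", "welcome", "summer", "america"},
    "company": {"contoso", "acme"},
}

SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def normalise(pw: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return pw.lower().translate(LEET_MAP)


def dictionary_hits(pw: str, dictionaries=DICTIONARIES):
    """Return (list name, word) pairs whose word appears in the normalised password."""
    norm = normalise(pw)
    return [(name, word)
            for name, words in dictionaries.items()
            for word in sorted(words)
            if word in norm]


def is_increment_of(new: str, old: str) -> bool:
    """True if `new` is `old` with only its trailing digits changed (Password1 -> Password2)."""
    m_new = re.fullmatch(r"(.*?)(\d+)", new)   # new password must end in digits
    m_old = re.fullmatch(r"(.*?)(\d*)", old)   # old password may or may not
    if not m_new or not m_old:
        return False
    return m_new.group(1) == m_old.group(1)    # same stem, different digits


def check_password(pw: str, previous: str = None, dictionaries=DICTIONARIES):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    # Pattern 1: the only uppercase letter is the first character.
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        problems.append("only uppercase letter is the first character")
    # Pattern 2: no special character anywhere.
    if not any(c in SPECIAL for c in pw):
        problems.append("no special character")
    # Pattern 3: a short run of digits tacked onto the end of a word.
    if re.search(r"[A-Za-z]\d{1,4}$", pw):
        problems.append("ends with a short digit suffix")
    # Pattern 4: the new password is just the old one with the digits bumped.
    if previous is not None and is_increment_of(pw, previous):
        problems.append("differs from previous password only by trailing digits")
    # Dictionary check after normalisation.
    for name, word in dictionary_hits(pw, dictionaries):
        problems.append(f"contains dictionary word '{word}' ({name} list)")
    return problems


if __name__ == "__main__":
    for candidate, prev in [("Password2", "Password1"), ("P@$$w0rd", None),
                            ("Am3r!c@", None), ("corr3ct-Horse&stapler", None)]:
        verdict = check_password(candidate, previous=prev) or ["accepted"]
        print(f"{candidate!r}: " + "; ".join(verdict))
```

`check_password` returns every violation rather than stopping at the first, so the user can be told all the reasons a candidate was rejected; the dictionary match is a substring match on the normalised form, which is deliberately strict because an attack dictionary tries the substituted forms too.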

By overcoming these limitations, an organization can raise the security level of its passwords. Without such features, the organization is at the mercy of the end user, who might create a weak password that is easy to crack.

Derek Melber

Derek Melber is the Technical Evangelist for the ADSolutions team at ManageEngine. As a Directory Services MVP, he is highly sought after the world over for his knowledge, insight, and keen understanding of the Windows product line, especially Active Directory. Derek has helped Active Directory administrators, auditors, and security professionals around the world understand the finer points of Active Directory, Group Policy, Group Policy Preferences, and Security. He writes for, speaks to, and educates thousands of IT professionals around the world every year through his blogs, books, seminars, webinars, etc.