Upcoming Events:
Free Global Active Directory Seminar (Barcelona) -> May 16th
Free Global Active Directory Seminar (Lisbon) -> May 17th
Free Global Active Directory Seminar (Madrid) -> May 18th

Three neglected password policy tips that increase security

Most organizations are familiar with the Microsoft password policy and the features it provides. The password policy from Microsoft for Active Directory domains has been the same for over 17 years now. Some organizations have taken the initiative to implement multi-factor authentication, but for most organizations, these technologies are expensive, cumbersome, complex, and require end user training and support. When multi-factor authentication is not possible, organizations should consider additional controls to help protect passwords where possible.

First, passwords should be 15 characters or more. There have been debates for years over what the proper minimum length a password should be for security. There is no proper minimum length, but there are considerations that should be included in your implementation. The reason for a 15 character minimum length is due to LAN Manager (LM) authentication protocol. LM (and even NTLM) have a 14 character maximum for their passwords. This is a hard-coded limitation going back to Windows 3.11. So, if a 15 character password is entered, LM and NTLM can not be used as the authentication protocol. This is important as passwords that support LM/NTLM are weak and can be easily compromised.

Second, passwords should contain special characters. Attackers know that users rarely use special characters in their passwords. So, attackers will often not include special characters when trying to force their way in or will use rainbow tables to hack passwords. The inclusion of a special character in a password will prevent these password-cracking technologies from working.

Third, users should not be allowed to include words in their passwords that are in dictionaries. Nearly every password-cracking tool has the ability to import dictionaries (language and attack) as the foundation for the words to crack passwords. With such an easy solution available for cracking passwords, it’s crucial to have a simple security measure in place to ensure newly created passwords do not contain words that are in such dictionaries. With this simple measure, the use of dictionaries to crack passwords will no longer be possible.

Every additional feature, technology, or concept that is implemented to improve the overall makeup of your passwords helps secure each and every password created. We must stay ahead of the attackers and password crackers. These small yet powerful tips can increase security for all of your passwords.

The following two tabs change content below.

Derek Melber

Derek Melber is the Technical Evangelist for the ADSolutions team at ManageEngine. As a Directory Services MVP, he is highly highly sought after the world over for his knowledge, insight, and keen understanding of the Windows product line, especially Active Directory. Derek has helped Active Directory administrators, auditors, and security professionals around the world understand the finer points of Active Directory, Group Policy, Group Policy Preferences and Security. He writes for, speaks to, and educates thousands of IT professionals around the world, every year through his blogs, books, seminars, webinars, etc.

Leave a reply