What are password complexity requirements?
Certain kinds of passwords are particularly easy for a dedicated hacker to obtain because they lack complexity. Complexity is measured according to how difficult it would be for a hacker to guess a user’s password using obvious information like their name, or to break into their account using a brute force attack. A good example of a password complexity requirement is one that ensures all passwords are at least eight characters long.
Complexity requirements must strike a careful balance—they should be stringent enough to ward off all but the most dedicated of cybercriminals, but not so strict that they frustrate users and flood the help desk with calls. It’s best practice to use some form of password complexity requirement. If the default settings on AD are either too strict or not strict enough for your needs, be sure to replace the policy rather than simply disabling it.
What is password complexity in Group Policy Objects?
Group Policy Objects represent specific groups of users for whom you can set specific password requirements, in much the same way that you grant different groups of users different levels of access to company assets. Creating more onerous Active Directory password complexity requirements for those users with access to more sensitive information, while asking less of the majority of your users, is a great way to minimize the impact on help centers while protecting your most valuable data.
GPOs allow you to perform a number of functions from a security standpoint, including disabling Local Administrator rights, granting administrative permissions to specific individuals or groups, and disabling outdated protocols like SSLv2. GPOs also make management far easier from a security perspective.
What is the default password policy for AD?
For all versions of Windows software since Windows 2000, default Active Directory password complexity requirements are simple: the user can’t use their own name and has to include different types of characters.
First, a user’s password can’t have their Account Name in it, nor their Full Name. Just like “Password1234,” a password that repeats or slightly modifies your account name is incredibly easy for hackers to guess. This check is skipped if the user’s Account Name or Full Name is fewer than three characters long. If you have an initial in your Full Name, for example, you won’t be prohibited from using that letter in your password.
Second, passwords have to contain characters from a variety of different categories. These categories are: uppercase letters; lowercase letters; digits 0-9; special characters such as !, &, %, $, or #; and Unicode characters. Under Windows 10’s default password complexity requirements, every password must contain characters from at least three of these categories. This rule, along with the requirement that passwords be at least eight characters long, makes it far harder to break into an account using a brute force attack. Hackers would have to run through at least 218,340,105,584,896 different possibilities in order to recover a single password.
If all this strikes you as being a little complicated, that’s because it is. While AD offers plenty of functionalities for determining who should be subject to what restrictions when it comes to password complexity, keeping track of which groups are subject to what policies can quickly become overwhelming. A resource like SolarWinds® Access Rights Manager can help you improve IT and data security by automating this work.
Access Rights Manager is a powerful and intuitive access rights monitoring and access management system for companies of all sizes that offers threat protection from the inside out. We call it security simplified. It clearly displays group memberships from AD and makes it perfectly clear who has access rights to what file servers. You can also monitor, analyze, and audit AD and Group Policy, as Access Rights Manager creates a ledger detailing who made changes to policies and when, simplifying compliance and reducing risk.
Now that you know about Active Directory password policies and the tools you can use to leverage them, you’ve got what you need to ensure your users are secure and that AD password policy best practices are being followed.