The Windows Active Directory password policy has remained pretty much the same for over 18 years. Meanwhile, hackers have found sophisticated methods such as dictionary and brute-force attacks to blast through weak passwords. Many security experts have advocated against the use of the default Windows password policy. In his white paper titled “Thwarting hackers with better Active Directory password policies,” Active Directory MVP Derek Melber describes significant limitations and security issues in AD password policies. If you are still using the default policy, then you have a serious security problem.
So how can you improve password security? Based on my personal experience and interactions with security experts, here are a few tips that you should follow to boost password security in your organization:
- Make passwords 15 characters or more: A password containing eight characters can be cracked in five hours, while a password containing 15 or more characters will take years to crack. Moreover, a 15-character password means the NTLM protocol won’t be used for authentication. The NTLM protocol supports a maximum of only 14 characters for passwords, and is generally considered weak in terms of security.
- Add multiple complexity requirements: Always enforce multiple complexity requirements for passwords. Make uppercase and lowercase letters, special characters and digits mandatory. Requiring several character classes improves password security because attackers often don’t cover all of these classes when brute forcing or when using rainbow tables to crack passwords.
- Ban dictionary words: One of the most used password cracking methods is the dictionary attack. In a dictionary attack, hackers use both language and password dictionaries to guess words that might be in passwords. So, it’s crucial that you have a measure in place to prevent users from creating passwords that are present in such dictionaries.
- Prevent keyboard and repeating patterns: If dictionary words don’t work, hackers usually try keyboard patterns, such as QWERTY, 12345, ASDFG, etc., to crack passwords. They will also try repeated characters, consecutive characters from user names and palindromes. Make sure you prevent the use of such patterns outright.
- Apply different policies based on users’ privileges: More stringent password policies will lead to users forgetting their passwords frequently, which in turn affects users’ productivity and increases service desk costs. To overcome this issue, cover privileged accounts with tighter password policies and implement a somewhat lenient password policy for normal user accounts.
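The five rules above can be expressed as a single password filter that runs at password-change time. The following is an added example written for this post, not code from ManageEngine or from ADSelfService Plus: it implements the 15-character minimum, the four character classes, a banned-word list, keyboard-row and repeated/consecutive-character detection, username substrings, palindromes, and a tighter length for privileged accounts. The banned-word list is a small constructed sample (a real deployment would load a full language and leaked-password dictionary), and the 20-character privileged minimum is an assumed value, since the post gives no figure.

```python
import string

# Constructed sample of banned words; a real filter loads a much larger
# language and leaked-password dictionary from a file.
BANNED_WORDS = {"password", "welcome", "summer", "admin", "letmein", "company"}

# Keyboard rows used to detect runs such as "qwerty", "asdfg" and "12345".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH_USER = 15        # the post's recommendation for all accounts
MIN_LENGTH_PRIVILEGED = 20  # assumed tighter minimum for privileged accounts


def keyboard_runs(password, run_len=4):
    """True if the password contains run_len adjacent keys from one keyboard
    row, read forwards or backwards (e.g. 'qwer', 'rewq', '6543')."""
    p = password.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            seq = row[i:i + run_len]
            if seq in p or seq[::-1] in p:
                return True
    return False


def repeated_or_consecutive(password, run_len=3):
    """True for 'aaa'-style repeats or 'abc'/'cba'-style consecutive characters."""
    for i in range(len(password) - run_len + 1):
        chunk = password[i:i + run_len]
        if len(set(chunk)) == 1:
            return True
        codes = [ord(c) for c in chunk]
        diffs = {codes[j + 1] - codes[j] for j in range(run_len - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_username(password, username, min_len=3):
    """True if any min_len-character slice of the username appears in the
    password (case-insensitive). Any longer match contains such a slice."""
    p, u = password.lower(), username.lower()
    return any(u[i:i + min_len] in p for i in range(len(u) - min_len + 1))


def is_palindrome(password):
    p = password.lower()
    return len(p) >= 4 and p == p[::-1]


def check_password(password, username, privileged=False):
    """Return the list of violated rules; an empty list means the password passes.
    Privileged accounts get the stricter length minimum (rule 5 in the post)."""
    failures = []
    min_len = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH_USER
    if len(password) < min_len:
        failures.append(f"length < {min_len}")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        failures.append("missing character class")
    if any(word in password.lower() for word in BANNED_WORDS):
        failures.append("dictionary word")
    if keyboard_runs(password):
        failures.append("keyboard pattern")
    if repeated_or_consecutive(password):
        failures.append("repeated/consecutive characters")
    if contains_username(password, username):
        failures.append("contains username")
    if is_palindrome(password):
        failures.append("palindrome")
    return failures


if __name__ == "__main__":
    # Constructed sample candidates for a user named jsmith.
    for candidate in ["Qwerty12345!", "Password-Kettle#7492", "Orbit-Kettle#749"]:
        print(candidate, "->", check_password(candidate, "jsmith") or "OK")
    print("privileged ->", check_password("Orbit-Kettle#749", "jsmith", privileged=True))
```

Each rule is a separate function so that a failed check can be reported back to the user by name; the substring and pattern checks run on the lowercased password so that case changes alone cannot evade them.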
Unfortunately, Active Directory doesn’t support most of the above functionalities. You need a solution like ManageEngine’s ADSelfService Plus—an integrated self-service password management and single sign-on solution—to improve password security in Active Directory. ADSelfService Plus supports advanced password policy rules to improve password security and ward off hackers. It lets admins create multiple password policies for a single Active Directory domain and assign them to groups and organizational units separately. You can also enable passphrases instead of configuring password policy rules. Download ADSelfService Plus from here.
As a bonus, I would like to point you to a free tool that will help you find users with weak passwords in Active Directory. Get the free tool here.
Radhakrishnan Arumugam is a Senior Product Marketing Manager at ManageEngine. With extensive knowledge in the identity and access management (IAM) field, he helps solve challenges faced by IT admins across the globe.