77 percent of hacked passwords comply with Windows default password policy
(Last updated on February 7, 2020)
In the past two years, we have witnessed security breaches at retail giants, reputable banks, entertainment networks, and health insurers. This goes to show that, as far as large organizations are concerned, they are only as strong as their weakest link. The Global Security Report by Trustwave, which sampled more than 500,000 passwords, revealed that 77 percent of hacked passwords complied with the password complexity requirements of the Windows default password policy in Active Directory. This included the top password used in a corporate environment this year – Password1. The report further suggests that 38 percent of passwords are only eight characters long, which can be brute-force cracked in less than a day.
If your organization is using the Windows default password policy, security experts highly recommend that you increase security by enforcing additional complexity. The Windows default password policy with complexity turned on only requires a minimum of eight characters and three of the following five character types: lowercase letters, uppercase letters, numbers, special characters, and Unicode characters. Passwords that meet these complexity requirements, such as Password1, Hello123 and Welcome1, provide minimal protection for your environment.
Since the Windows default password policy is not enough to secure your environment, how about increasing the security of this policy? This is where the challenge begins. In Windows Server 2000/2003, there can only be one password policy for all user accounts in the domain. This limitation means that all users are bound by the same password settings, even if one set of users should have a more stringent policy. Windows 2008/2012 Fine Grained Password Policies (FGPP) support multiple password policies, but there are inherent limitations in setting and using password complexity rules. For example, FGPP doesn’t let you disallow consecutive identical characters or common character types as the first/last character. You also don’t get passphrase support or the ability to create custom password dictionaries. This blog provides a side-by-side comparison of key password policy capabilities between Specops Password Policy and FGPP.
Specops Password Policy overcomes all of the above-mentioned challenges and takes the complexity out of configuring FGPP. Configuring a password policy for a user group takes a matter of seconds with Specops Password Policy. In addition, Specops Password Policy provides passphrase support, a feature not available in the Windows default policy or FGPP. Specops Password Policy can be configured to use classic password rules and/or a passphrase, which can be applied to all users or some users. To further increase security, you have the option to block common and compromised passwords using a combination of custom/online dictionaries and the Specops Password Blacklist service.
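To make the gap concrete, here is an added example (not code from the post or from Specops) that checks a password against the Windows default complexity rule as the post describes it (eight characters, three of five character types; the real policy's account-name check is omitted) and then against the additional rules the post says FGPP cannot express: no consecutive identical characters, no digit or special character in the first/last position, a custom dictionary, and a passphrase alternative. The blacklist contents and the 12/20-character thresholds are constructed assumptions, not product defaults.

```python
import string

# Constructed sample dictionary standing in for a custom/online blacklist.
BLACKLIST = {"password1", "hello123", "welcome1", "summer2020"}

FIRST_LAST_BLOCKED = string.digits + string.punctuation


def char_classes(pw):
    """Return the set of the five Windows character classes present in pw."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("special")
        elif ord(c) > 127:
            classes.add("unicode")
    return classes


def meets_windows_default(pw):
    """Windows default complexity as described above (simplified)."""
    return len(pw) >= 8 and len(char_classes(pw)) >= 3


def stricter_check(pw, min_length=12, passphrase_length=20):
    """Return the list of failed rules; an empty list means the password passes.

    Thresholds are assumptions for illustration. A password at or above
    passphrase_length is accepted as a passphrase and skips the class rules,
    but is still checked against the blacklist.
    """
    failures = []
    if pw.lower() in BLACKLIST:
        failures.append("blacklisted")
    if len(pw) >= passphrase_length:
        return failures
    if len(pw) < min_length:
        failures.append("too short")
    if len(char_classes(pw)) < 3:
        failures.append("fewer than three character classes")
    if any(a == b for a, b in zip(pw, pw[1:])):
        failures.append("consecutive identical characters")
    if pw and (pw[0] in FIRST_LAST_BLOCKED or pw[-1] in FIRST_LAST_BLOCKED):
        failures.append("digit or special as first/last character")
    return failures
```

Running the three passwords named in the post through both checks shows that each passes the default rule and fails the stricter one on several counts.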
Want to find out the strength of your password policies? Specops Password Auditor is a free tool that scans your Active Directory, and detects security-related weaknesses, specifically related to password policies.