Active Directory password hardening: How it’s done   

Weak passwords are a problem waiting to happen – Verizon estimates that 80% of hacking-related breaches come from weak or stolen passwords. They’re the most common way for people to access their accounts and applications, making them an obvious attack route for bad actors. This risk prompts organizations to go through a ‘password hardening’ process to help improve their overall password security.

The concept of Active Directory password hardening is simple: using a technique or technology to make a password harder to guess, hack, or crack. This in turn enhances the security of the device, network, or application that the password is guarding. We’ll run through some password hardening methods, give a real-world example of a hardened Active Directory password policy, and show you some tools to eliminate weak passwords from your organization for good.

What is password hardening?

Password hardening reduces the attack surface across entire organizations, making hundreds or even thousands of attack windows smaller for cybercriminals. Many organizations rely on Active Directory’s default password settings, which aren’t the most secure. They might also choose to force password resets at set intervals and add specific complexity components (e.g., passwords must be over 8 characters and contain a number, capital, and special character).

However, an old password isn’t always a bad one. And a password with enforced character variety isn’t strong if it’s been previously compromised or follows a pattern that can be easily figured out. The micromanagement of password resets can also lead to user frustration, where they re-use similar passwords or simply add numbers or symbols onto the end of old ones.

Here are four ways to truly harden your password security, without introducing unnecessary user friction.

Three Active Directory password hardening tips

1.      Creating stronger passwords

This part of password hardening seems obvious, but a surprising amount of people still use poor passwords. The usual advice from employers is to add special characters and capitalizations to plain text passwords. However, thanks to predictable human behavior, this doesn’t make them that much harder to guess. For example, many will simply capitalize the first letter and add a common number and symbol combination like 1! to the end.

Most people know a longer password is better – but don’t go far enough. Having a longer password of over 15 or even 20 or more characters is harder to crack than a short but complex one. This is where passphrases can help. Passphrases of random words are longer but also easier for people to remember than jumbled symbols and numbers, offering a good balance of security and user experience. For example, an employee stands a far better chance of remembering ‘Renewable-Cardigan-Escapist’ than ‘su!8fhuw#u@FqwQ’.

2.      Set up multi-factor authentication (MFA)

Adding another step to the authentication process doesn’t make an attacker’s job impossible – but it makes it a lot harder. Requesting biometric factor or using an authenticator linked to a trusted device adds another layer of security without introducing a small amount of added friction for employees.

It’s a worthwhile trade off as it greatly reduces the damage a bad actor can do with access to a compromised password alone and buys time for the organization to react and reset the employees’ password to something new and secure. Check out the NIST guidelines for setting up MFA here.

3.      Avoid compromised passwords

The above two tactics can harden password security within your business, although some passwords that appear strong at first glance may already be compromised. Cybercriminals purchase huge lists of breached passwords, as they know the likelihood of reuse is high. It’s therefore key to make sure employees aren’t using these by checking against an up-to-date breached password list.

So how do you know which employees are persisting with weak, reused, or compromised passwords in the first place? In the past, it’s been hard for companies to know whether employees are using passwords that have been involved in a breach – but with the right tool, it’s simple. Run a quick audit of your Active Directory for free with Specops Password Auditor.

Example of a hardened password policy

We’ll walk through a quick example of password hardening for an individual employee. Let’s start with an imaginary employee’s password that complies with the default Active Directory password settings. They knew not to use anything too obvious like their name, company name etc., so they choose ‘Florence,’ the city they got married in. Active Directory’s default password policy forced the employee to add some special characters, so they settled on the below:


Despite meeting Active Directory’s default requirements, it’s a poor password and is vulnerable to guessing through social engineering. The other problem is the employee uses this password for every login they have – including their personal applications and devices.

The company has decided to embark on password hardening now employees need to have passphrases over 15 characters long and unique for each application. To encourage users to use longer passphrases, the organization can enforce length-based password aging with a third-party password policy tool. This means that a user who chooses a longer password can wait longer before needing to reset it. Here’s an example of a long passphrase the employee finds easy to remember:


It’s not as memorable as the place they got married, but as a one-off password it’s not too hard to remember. To make it even stronger the organization can add a requirement for some numbers and special characters:


Of course, the organizations also need to make sure it’s not already in a list of breached passwords by cross-referencing it with a tool like Specops Password Auditor. Once approved, the employee is instructed to set up MFA as an added layer of authentication and complete a strong level-up in terms of password hardening.

Eliminate weak passwords from your Active Directory

Password security is too important to leave to chance. It’s also too important (and unfair) to push this responsibility entirely onto employees. With the right tools, you can eliminate weak passwords from your organization entirely, improve user experience, and spend less time on helpdesk tickets and manual resets.

Specops Password Policy can quickly and easily push a secure, compliant password policy across your whole organization, exactly like the one in the example we walked through. It integrates with your Active Directory and gives your IT team full visibility plus the control to simplify the management of fine-grained password policies, and target any GPO level, group, user, or computer with dictionary and passphrase settings.

In addition, the Breached Password Protection feature checks all passwords against a continuously updated database of breached and compromised passwords.

Interested in a sophisticated but simple way to automate password hardening across your organization? Request your free Specops Password Policy trial.

(Last updated on June 26, 2023)

picture of author marcus white

Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK. He’s been in the B2B technology sector for 8+ years and has worked closely with products in email security, data loss prevention, endpoint security, and identity and access management.

Back to Blog