How to customize the password complexity message for domain users

(Last updated on May 27, 2021)

Password policies standardize how end-users are required to choose passwords that meet both business and cybersecurity standards. Microsoft Active Directory Domain Services (AD DS) is commonly used to control identity and access management in the enterprise, and consequently manages password policies as well. While Active Directory provides basic password policy capabilities, its functionality is limited for organizations looking for a more robust feature set. One best-practice recommendation for effective password policies is providing a custom password complexity message during the password change process. Is this possible with Microsoft Active Directory? How can companies implement it effectively with third-party tooling?

Password complexity message

For a password policy to be effective, and to limit the burden on the helpdesk team, making password requirements clear to end-users is essential. Password feedback, or the password complexity message, can be displayed to the end-user to give clear and meaningful information about why a chosen password was rejected. The end-user needs to know both that the password does not meet the requirements configured in the password policy and which requirements it fails.

Industry-standard cybersecurity guidance and best practices recommend password feedback to assist end-users in choosing a strong, robust password for authenticating to business-critical systems. Note the direction found in NIST Special Publication 800-63B – Digital Identity Guidelines:

“When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses.
  • Dictionary words.
  • Repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’).
  • Context-specific words, such as the name of the service, the username, and derivatives thereof.

If the chosen secret is found in the list, the CSP or verifier SHALL advise the subscriber that they need to select a different secret, SHALL provide the reason for rejection, and SHALL require the subscriber to choose a different value.”

Providing valuable feedback via a password complexity message to end-users also helps raise awareness of acceptable passwords in the environment. It allows end-users to become more familiar with their role in the organization’s overall cybersecurity.
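As an added example (not Specops or NIST code), the following Python sketch implements the blocklist checks the NIST passage lists and returns a reason for each failure, which is exactly the material a password complexity message is built from. The breach corpus, dictionary, user name and the service name "Contoso" are constructed placeholders.

```python
# Password feedback in the spirit of NIST SP 800-63B: every failing check yields
# a reason the user can act on. Added illustration, not Specops code; the word
# lists are small constructed samples standing in for a breach corpus/dictionary.
import re

MIN_LENGTH = 12
BREACHED = {"password1", "qwerty123", "letmein2021"}     # constructed sample
DICTIONARY = {"summer", "winter", "welcome", "dragon"}  # constructed sample
LEET = str.maketrans("013457@$!", "oleastasi")  # P@ssw0rd -> password before matching

def has_repetition(password: str, run: int = 4) -> bool:
    """Same character `run`+ times in a row, e.g. 'aaaaaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None

def has_sequence(password: str, run: int = 4) -> bool:
    """`run` consecutive code points, ascending or descending: '1234', 'dcba'."""
    for i in range(len(password) - run + 1):
        w = password[i:i + run]
        if {ord(b) - ord(a) for a, b in zip(w, w[1:])} in ({1}, {-1}):
            return True
    return False

def context_words(username: str, service: str) -> set[str]:
    """Username, service name, their parts and reversals (3+ chars)."""
    words = set()
    for token in (username.lower(), service.lower()):
        words.update(p for p in [token] + re.split(r"[^a-z0-9]+", token) if len(p) >= 3)
    return words | {w[::-1] for w in words}

def evaluate(password: str, username: str, service: str = "Contoso") -> list[str]:
    """Return every reason the password is rejected; an empty list means accepted."""
    reasons, norm = [], password.lower().translate(LEET)
    if len(password) < MIN_LENGTH:
        reasons.append(f"must be at least {MIN_LENGTH} characters long")
    if password.lower() in BREACHED:
        reasons.append("appears in a list of breached passwords")
    if hits := [w for w in sorted(DICTIONARY) if w in norm]:
        reasons.append("contains dictionary word(s): " + ", ".join(hits))
    if has_repetition(password):
        reasons.append("repeats the same character 4 or more times in a row")
    if has_sequence(password):
        reasons.append("contains a sequence such as '1234' or 'abcd'")
    if hits := [w for w in sorted(context_words(username, service)) if w in norm]:
        reasons.append("contains " + ", ".join(hits) + ", derived from your user name or the service name")
    return reasons

if __name__ == "__main__":
    for reason in evaluate("J.D0e_Contoso_1234", "j.doe"):
        print("Password rejected:", reason)
```

Each string in the returned list is one line of feedback; an AD-only policy would collapse all of them into a single "does not meet complexity requirements" error.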

Active Directory Password Policy shortcomings

The Active Directory Password Policy has been a staple of the enterprise for years. It has given businesses an “out-of-the-box” password policy that meets basic needs, and it is certainly better than having no password policy at all. However, its configuration options and capabilities are very basic: organizations can create a simple password policy from a fixed set of requirements, and that is about it.

The default Active Directory Password Policy provides basic configuration settings. These include:

  • Enforce password history
  • Maximum password age
  • Minimum password age
  • Minimum password length
  • Minimum password length audit
  • Password must meet complexity requirements
  • Store passwords using reversible encryption

Default Active Directory Password Policy settings

As you can see, the Password Policy settings are basic: they allow no customization of the password complexity message displayed to end-users, and several other advanced settings are missing as well.

Third-party tools to configure password feedback

There are ways developers can extend Active Directory, such as writing password filter DLLs to implement custom password filtering. In general, however, organizations will have a much better experience leveraging third-party tools for full control over password policies in the environment. Specops Password Policy provides a fully-featured solution that allows companies to enforce a very robust Active Directory Password Policy for their environment. Among the capabilities offered, Specops Password Policy enables businesses to provide detailed password feedback to end-users.

Other great features provided by Specops Password Policy include the following:

  • Easy creation and enforcement of custom password dictionaries to filter passwords
  • Breached Password Protection by blocking breached passwords from use in the environment. Specops Software maintains an online database with 2+ billion breached passwords and growing. Customers can either download the password database locally or hit the online database in real-time. This capability ensures that organizations protect users from the latest known breached passwords. If a known user account password becomes breached, Specops Password Policy will automatically flag the account to change the password at the next login. It helps ensure the breached password is changed as soon as possible to prevent introducing long-term risk in the environment.
  • Length-based password aging – You can base password aging intervals on the length of the end-user password. If a user chooses a password that meets the minimum requirements, you can have those passwords age out sooner than complex passwords.

The password feedback capabilities of the Specops Password Policy client help end-users meet the existing password policy requirements. As mentioned earlier, this also eases the burden on the helpdesk, since end-users are not left guessing which rules a new password must satisfy. Below is a screenshot of what an end-user sees with the Specops Password Policy client. As you can see, the user is shown the specific requirements contained in the policy, dynamically updated as they type their new password:

Detailed password feedback using Specops Password Policy

In the Specops Password Policy Client Message configuration, you have many options. These allow businesses to choose the password complexity message they want to display or even link to an internal site to provide further details and requirements. You can:

  • Show all rules
  • Show only failed rules
  • Show only custom message

Concluding thoughts

Creating and enforcing effective password policies allows businesses to bolster an essential part of their cybersecurity. While Microsoft Active Directory Password Policy provides basic features that enable companies to put a password policy in place, it lacks the advanced features needed to meet modern password policy requirements: password dictionaries, breached password protection, and custom, informative end-user messages. A password complexity message can be a good addition to your password requirements, but keep the complexity out of your end-user messaging by providing friendly, dynamic feedback.


Written by

Brandon Lee

Brandon Lee has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.
