Password length best practices

When it comes to creating strong passwords, the single most important factor is the length of the password. As long as a password isn’t easily guessable by other means (e.g. use of common words, username, repeating characters) length is your best friend for mitigating brute force attacks.

Let’s consider passwords that only use lowercase letters.  For an 8 character password, there are 26^8 possible passwords, which might seem like a large number.  And it is — roughly 208 trillion possibilities.  However, modern computers are exceedingly fast: a computer could churn through every possible password under these requirements in a few hours, and a high-end multi-threaded machine might get that time frame down to a few minutes or even a few seconds.  To make the math easier, let’s say we have a really powerful computer that can churn through this list in exactly 1 minute.

Now consider if we added the traditional "complexity" rules and required one of each: an uppercase letter, a lowercase letter, a digit, and a special character, but left our length requirement at 8.  Each character position could then be any of 26 + 26 + 10 (digits) + 32 (special characters available as keys on a US English keyboard, excluding alt codes, etc.) = 94 characters.  For an 8 character password, 94^8 is around 6 quintillion — ~29,000 times as many possibilities as the all-lowercase password.  So a computer that can check our 208 trillion all-lowercase passwords in a minute would take about 3 weeks to check all possibilities here.  Impressive, but still not bulletproof.

However, we must consider the reality: users are human.  So while there are 94^8 possible passwords, the set of passwords that humans actually choose is likely much smaller than that.  How many of your users do you think have passwords that look like this:

Abcdef1!

If the first character is always an uppercase letter, characters 2-6 are lowercase letters, and characters 7 and 8 are 1 and !, that leaves just 26^6 possibilities, or 308 Billion – significantly worse than our all-lowercase password.  That virtual supercomputer that could check 208 Trillion passwords in 60 seconds would take under a tenth of a second to try the 308 Billion possible passwords that match this pattern.

Seeing that forced complexity isn’t perfect in theory and is potentially even worse in practice, let’s see what increasing the length does.  Again considering only the 26 lowercase letters, each time we add a character the number of possibilities multiplies by 26.  A 9 character password could be any of 5 quintillion possibilities (26 minutes) – so adding just one lowercase letter already approaches the 6 quintillion theoretical possibilities of an 8-character "complex" password.  Let’s keep multiplying by 26:

A 10 character password gives 141 quintillion possible passwords (11 hours).

A 16 character password gives 208 trillion times 208 trillion possibilities – 208 trillion times harder to guess than the 8 character password!
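The keyspace and timing model used in the discussion above, as an added example (not part of the original post). It assumes, as the post does, a searcher that exhausts every 26^8 all-lowercase password in exactly one minute, and scales every other scenario, including the Abcdef1! human pattern, from that rate; the scenario names and the duration formatting are the example's own.

```python
from math import prod

LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 32
FULL = LOWER + UPPER + DIGITS + SPECIAL     # 94 printable US keyboard characters

# Baseline assumption from the post: all 26^8 lowercase passwords can be tried
# in exactly one minute. Every other timing below is scaled from that rate.
BASELINE_SPACE = LOWER ** 8
RATE = BASELINE_SPACE / 60.0                # candidates per second

def keyspace(position_sizes):
    """Distinct passwords when position i can take position_sizes[i] values."""
    return prod(position_sizes)

def seconds_to_exhaust(space, rate=RATE):
    """Worst-case time to try every candidate in the space at the given rate."""
    return space / rate

def describe(seconds):
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"

# The human pattern from the post (Abcdef1!): one uppercase, five lowercase,
# then the fixed characters '1' and '!'. A fixed position contributes a factor of 1.
HUMAN_PATTERN = [UPPER] + [LOWER] * 5 + [1, 1]

SCENARIOS = {
    "8 lowercase":      [LOWER] * 8,
    "8 from all 94":    [FULL] * 8,
    "Abcdef1! pattern": HUMAN_PATTERN,
    "9 lowercase":      [LOWER] * 9,
    "10 lowercase":     [LOWER] * 10,
    "16 lowercase":     [LOWER] * 16,
}

def report():
    """Map each scenario name to (keyspace, worst-case seconds to exhaust it)."""
    return {name: (keyspace(sizes), seconds_to_exhaust(keyspace(sizes)))
            for name, sizes in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (space, secs) in report().items():
        print(f"{name:18} {space:>32,}  {describe(secs)}")
```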

Maximum password length

Your passwords have to get quite long before you run into any limitations in the Windows world: the maximum length of a password supported by Active Directory is 256 characters. The maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).

127 is probably quite impractical for a user to type, but might be good for admin accounts where passwords are checked out and copied and pasted from a password vault. Service account passwords that are almost never typed and possibly rarely changed (if ever) could stand to be longer still.

Applications that use AD/LDAP for authentication may have their own limits; unfortunately, these are sometimes much shorter than we would like. If you do have an upper limit imposed by a 3rd party application, Specops Password Policy can help by enforcing a maximum password length in AD, preventing users from choosing passwords that would be unusable in other applications.

Minimum password length in Active Directory

Default domain policy / password policy

This is typically configured either in your Default Domain GPO or in any other GPO linked directly at the root of the domain.  The highest minimum length you can set by this method is 14 characters (run a gpupdate on your PDC emulator for any changes to take effect).

You can also edit the minPwdLength attribute directly in ADSI Edit.

Fine-grained password policies

For setting longer minimum length requirements for different sets of users, you can use Fine-Grained Password Policies (FGPP).  Beginning in Windows Server 2012, FGPP also supports minimum lengths longer than 14 characters.

Creating an FGPP used to involve going into ADSI Edit and manually creating a Password Settings Container object there.  However, with Windows Server 2016 Microsoft added the Active Directory Admin Center (ADAC), which streamlines the process considerably.

If ADAC is not installed, add it using the Roles & Features wizard, or from an elevated PowerShell prompt:

PS> Install-WindowsFeature RSAT-AD-AdminCenter

In ADAC, navigate to System -> Password Settings Container under your domain.

In the Tasks area to the right, New -> Password Settings.

Configure your desired rule set, and add users or groups to the "Directly Applies To" section.

The maximum password length here can go all the way up to 255 characters (though again, watch out for limitations on password fields; for example, logon credentials for Windows services cannot exceed 251 characters).

Now, to set a password that long, a "programmatic" interface such as PowerShell is ideal.  Here’s an example (with the real password replaced by *s):

# Build a SecureString from the plain-text password, then reset the account's password with it.
$newPasswordText = "*******************************************************************************************************************************************************************************************************************************"
$newPassword = ConvertTo-SecureString -String $newPasswordText -AsPlainText -Force
Set-ADAccountPassword -Identity svc-password-test -NewPassword $newPassword -Reset

Long but easily guessed passwords – what to do

Now we have talked considerably about password length and why it’s important, but remember that’s not the entire story when it comes to modern password recommendations.  A long password is a strong password; however, it’s still not any good if it contains your username or other easily guessable words such as the name of the organization.  If my password were "SpecopsSoftware1!" it’s quite long, and that’s good.  However, if someone wanted to guess my Specops account password, this would be a fairly easy guess.  Similarly, if I were allowed to chase a minimum length requirement with a repeating character — e.g. "Specops11111111" — that wouldn’t be much harder to guess than "Specops1".

With Specops Password Policy, you can help ensure that your longer password length requirement isn’t entirely for naught.  Specops Password Policy can block common dictionary words (case insensitive, and with detection for common character substitutions) and can detect and block repeating characters.  So "SpecopsSoftware1!" would be blocked, as would "Specops11111111" or even "Sp3c0psS0ftw@re1!".

With Specops Password Blacklist you can also block over a billion known leaked passwords.  A long password is no good if it’s known to hackers.
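The kind of content rules described in the last two sections (blocked words matched case-insensitively after undoing common character substitutions, repeated-character runs, and a minimum length), as an added example that is not Specops product code. The substitution table, the blocked-word list, the username "jdoe", and the thresholds are all assumptions constructed for the example; the first three sample passwords are the ones discussed above.

```python
import re

# Common character substitutions, undone before matching so that "Sp3c0ps"
# still matches "specops". This table is an assumption, not Specops's own list.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def normalise(password):
    """Lower-case the password and map substituted characters back to letters."""
    return password.lower().translate(SUBSTITUTIONS)

def contains_blocked_word(password, blocked_words):
    """Return the first blocked word found inside the normalised password, else None."""
    norm = normalise(password)
    return next((w for w in blocked_words if w.lower() in norm), None)

def longest_repeat(password):
    """Length of the longest run of a single repeated character."""
    return max((len(m.group(0)) for m in re.finditer(r"(.)\1*", password)), default=0)

def check_password(password, username, blocked_words, min_length=15, max_repeat=3):
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # The user's own account name is always treated as a blocked word.
    hit = contains_blocked_word(password, list(blocked_words) + [username])
    if hit:
        problems.append(f"contains blocked word '{hit}'")
    run = longest_repeat(password)
    if run > max_repeat:
        problems.append(f"character repeated {run} times in a row")
    return problems

# Constructed dictionary: the organisation and product names from the examples above.
BLOCKED = ["specops", "software", "password"]

if __name__ == "__main__":
    for pw in ["SpecopsSoftware1!", "Specops11111111", "Sp3c0psS0ftw@re1!",
               "margin-kettle-orbit-42"]:
        print(f"{pw:24} {check_password(pw, 'jdoe', BLOCKED) or 'accepted'}")
```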

Length-Based Password Aging

With Specops Password Policy 7.1 we are introducing a new feature: length-based password aging.  With this feature enabled, you can reward your users for selecting a longer password by extending the time until they’ll need to change their password again, or even letting them keep that long password forever.

Check out this recent review of Specops Password Policy for more information about the product.

Written by Darren Siegel, Product Specialist, Specops Software

© 2019 Specops Software. All rights reserved.