Password Policy Compliance Report in Specops Password Auditor

Organizations looking to evaluate how well their existing password policies measure up against different compliance standards may benefit from running a free scan with Specops Password Auditor. One of the reports Password Auditor provides is the Password Policy Compliance report.

In this post, we’ll walk through what it looks like and what it means.

What the Password Policy Compliance report looks like

The Password Policy Compliance report in Specops Password Auditor provides an overview of the password policies in your Active Directory (or the part of your AD you defined at the start of your scan). Password Auditor reports on the Default Domain Password Policy, any Fine-Grained Password Policies, and any Specops Password Policies (if Specops Password Policy is installed).

Red, Yellow, Green

The table provides an indicator of how compliant each password policy is against a set of well-known regulatory and industry standards:

  • Red = non-compliant. The policy meets none of the password requirements outlined by the standard.
  • Yellow = partially compliant. The policy meets at least one, but not all, of the password requirements outlined by the standard.
  • Green = fully compliant. The policy meets all of the password requirements outlined by the standard.

Entropy

The entropy column is not tied to any of the compliance standards. Instead, it is a measure of how "strong" the passwords permitted by each policy can be, based on the policy's length and character-class settings. You can read more about the entropy calculation we use here.

What are the different compliance standard requirements and recommendations?

The Password Policy Compliance report gives an overview of how your password policies compare against the following standards:

  • MS Research
  • MS TechNet
  • NCSC
  • NIST
  • PCI
  • SANS Admin
  • SANS Users

While there is some overlap in what each standard requires, no two are exactly the same. Below you can find the details of the standards we’re using to provide the red/yellow/green score in the table.

MS Research

The scores in the MS Research column are measured against the recommendations outlined here:

  • Minimum length = 8
  • Dictionary use (ban common passwords) = yes

Some may see the password requirements here as outdated as they do not speak to blocking the use of compromised passwords like what is possible with a solution like Specops Password Policy with Breached Password Protection.

MS TechNet

The scores in the MS TechNet column are measured against the recommendations outlined here:

  • Minimum length = 14
  • Maximum age = 60 days
  • Password history (prevent the use of the previous X number of passwords) = 24
  • Complexity = at least 3 of the 5 character categories (digit, lower, special, Unicode, upper), which is the built-in Windows complexity rule

Some may see the password requirements here as outdated as they do not speak to blocking the use of compromised passwords like what is possible with a solution like Specops Password Policy with Breached Password Protection.

NCSC

The scores in the NCSC column are measured against the recommendations outlined here:

  • Dictionary use (ban common passwords) = yes

NIST

The scores in the NIST column are measured against the recommendations outlined here:

  • Minimum length = 8
  • Dictionary use (ban common passwords) = yes

PCI

The scores in the PCI column are measured against the recommendations outlined here:

  • Minimum length = 7
  • Maximum age = 90 days
  • Password history (prevent the use of the previous X number of passwords) = 4
  • Complexity = digit, lower (i.e. both numeric and alphabetic characters)

These values correspond to PCI DSS v3.2.1 (requirements 8.2.3 to 8.2.5). PCI DSS v4.0, published in March 2022, raises the minimum length to 12 characters (8 where a system cannot support 12) and allows dynamic risk analysis as an alternative to 90-day rotation, so check which version your assessor is working from. Some may see the password requirements here as outdated as they do not speak to blocking the use of compromised passwords like what is possible with a solution like Specops Password Policy with Breached Password Protection.

SANS

The SANS Institute has different recommendations depending on whether the password policy covers admin accounts or regular end user accounts.

The scores in the SANS Admin column are measured against the recommendations outlined here:

  • Minimum length = 12
  • Maximum age = 90 days
  • Dictionary = yes
  • Complexity = digit, lower, special, upper

The scores in the SANS Users column are measured against the recommendations outlined here:

  • Minimum length = 12
  • Maximum age = 180 days
  • Dictionary = yes
  • Complexity = digit, lower, special, upper

Some may see the password requirements here as outdated as they do not speak to blocking the use of compromised passwords like what is possible with a solution like Specops Password Policy with Breached Password Protection.
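If you want to reproduce the red/yellow/green scoring against your own domain before or after running the Password Auditor scan, the following PowerShell script does so with the thresholds listed in this post. It is an added example, not Specops code, and it assumes the RSAT ActiveDirectory module and read access to the domain. Active Directory has no native dictionary or breached-password check, so the script cannot detect one; the `-HasDictionary` switch is an assumption you supply when a third-party password filter is deployed. Note also that the built-in Windows complexity flag enforces "3 of 5 categories", which matches the MS TechNet requirement exactly but only approximates the category lists given for PCI and SANS.

```powershell
# Added example (not Specops code): score AD password policies against the
# thresholds in this post. Requires the ActiveDirectory RSAT module.
param(
    # Assumption: set this only if a third-party dictionary/breached-password
    # filter is installed; AD itself exposes no such setting.
    [switch]$HasDictionary
)

Import-Module ActiveDirectory

# Thresholds as listed in the post. $null = the standard has no requirement.
# Complexity = $true means the standard requires a composition rule; the native
# AD ComplexityEnabled flag ("3 of 5 categories") is used as the proxy for it.
$Standards = [ordered]@{
    'MS Research' = @{ MinLength = 8;     MaxAgeDays = $null; History = $null; Complexity = $false; Dictionary = $true  }
    'MS TechNet'  = @{ MinLength = 14;    MaxAgeDays = 60;    History = 24;    Complexity = $true;  Dictionary = $false }
    'NCSC'        = @{ MinLength = $null; MaxAgeDays = $null; History = $null; Complexity = $false; Dictionary = $true  }
    'NIST'        = @{ MinLength = 8;     MaxAgeDays = $null; History = $null; Complexity = $false; Dictionary = $true  }
    'PCI'         = @{ MinLength = 7;     MaxAgeDays = 90;    History = 4;     Complexity = $true;  Dictionary = $false }
    'SANS Admin'  = @{ MinLength = 12;    MaxAgeDays = 90;    History = $null; Complexity = $true;  Dictionary = $true  }
    'SANS Users'  = @{ MinLength = 12;    MaxAgeDays = 180;   History = $null; Complexity = $true;  Dictionary = $true  }
}

function Test-PolicyAgainstStandards {
    param(
        [Parameter(Mandatory)] $Policy,   # DDPP or FGPP object from the AD cmdlets
        [Parameter(Mandatory)] [string]$Name,
        [bool]$Dictionary = $false
    )

    # AD represents "password never expires" either as a zero TimeSpan or as a
    # huge one (the MaxValue-style sentinel), so treat both as no expiry.
    $ageDays = $Policy.MaxPasswordAge.TotalDays
    if ($ageDays -le 0 -or $ageDays -gt 36500) { $ageDays = [double]::PositiveInfinity }

    foreach ($std in $Standards.Keys) {
        $req = $Standards[$std]
        $results = @()
        if ($null -ne $req.MinLength)  { $results += ($Policy.MinPasswordLength -ge $req.MinLength) }
        if ($null -ne $req.MaxAgeDays) { $results += ($ageDays -le $req.MaxAgeDays) }
        if ($null -ne $req.History)    { $results += ($Policy.PasswordHistoryCount -ge $req.History) }
        if ($req.Complexity)           { $results += [bool]$Policy.ComplexityEnabled }
        if ($req.Dictionary)           { $results += $Dictionary }

        # Same scale as the report: all met = Green, some = Yellow, none = Red.
        $met = @($results | Where-Object { $_ }).Count
        $rating = if ($met -eq $results.Count) { 'Green' }
                  elseif ($met -gt 0)          { 'Yellow' }
                  else                         { 'Red' }

        [pscustomobject]@{
            Policy   = $Name
            Standard = $std
            Met      = "$met/$($results.Count)"
            Rating   = $rating
        }
    }
}

$rows = @()
$rows += Test-PolicyAgainstStandards -Policy (Get-ADDefaultDomainPasswordPolicy) `
                                     -Name 'Default Domain Policy' -Dictionary $HasDictionary
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $rows += Test-PolicyAgainstStandards -Policy $fgpp -Name "FGPP: $($fgpp.Name)" -Dictionary $HasDictionary
}
$rows | Format-Table -AutoSize
```

Run it as a domain user from a machine with RSAT installed; without `-HasDictionary` the NCSC column can only ever be Red and the NIST and SANS columns cannot reach Green, which is exactly the gap a dictionary or breached-password filter closes.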

Next Steps

Once you've run your Specops Password Auditor scan and found that some of your policies do not comply with the standards that matter to your organization, the next step is to plan the policy changes needed to close the gap.

If you are trying to comply with more modern password policy recommendations, you might want to look at a tool like Specops Password Policy. Need help advocating for budget or sign-off? Try exporting your results to PDF within Specops Password Auditor. That PDF is an Executive Summary that summarizes the problem for non-technical colleagues or those who didn’t run the scan themselves.

(Last updated on April 4, 2022)
