Password policy enforcement
(Last updated on September 4, 2020)
One of the most important steps an organization can take to protect its user accounts is to establish a strong password policy and then make sure that the policy is actually enforced, rather than merely written down.
The Windows operating system enforces password policy through group policy settings. You can find these settings within the Group Policy Object Editor at Computer Configuration \ Windows Settings \ Security Settings \ Account Policies \ Password Policy. For domain accounts these settings take effect only from a GPO linked at the domain root (by default, the Default Domain Policy) and are applied by the domain controllers; the same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU. There are currently eight individual group policy settings related to password policy enforcement:
- Enforce Password History – The Enforce Password History setting tells Windows how many of the user’s previously used passwords it should remember. These passwords cannot be reused for as long as they remain in the password history list.
- Maximum Password Age – The Maximum Password Age setting determines how many days a password can be used before Windows requires the user to change it. A value of 0 means passwords never expire. Note that NIST SP 800-63B no longer recommends forcing periodic password changes unless there is evidence that the password has been compromised, so a long maximum age combined with a strong length requirement is a defensible choice.
- Minimum Password Age – The Minimum Password Age setting establishes a waiting period before a newly set password can be changed again. Without it, a user could defeat the password history requirement by changing their password repeatedly in one sitting until the original password cycles out of the history list. Typically, organizations set the Minimum Password Age to at least one day, which prevents users from changing their password multiple times in the same day. The minimum age must be less than the maximum age, unless the maximum age is 0 (never expires).
- Minimum Password Length – The Minimum Password Length setting determines the number of characters that must be included in the user’s password.
- Minimum Password Length Audit – This setting exists solely to help organizations gauge the effect of raising the minimum password length before they enforce it. When it is configured with a length greater than the current Minimum Password Length, Windows generates an audit event each time a user sets a new password that is shorter than the audit length, without rejecting the password. If the audit length is less than or equal to the enforced minimum, no events are generated, so the setting only does anything while it exceeds the current minimum.
- Password Must Meet Complexity Requirements – When enabled, this setting mandates that any new or changed password conform to a fixed set of complexity rules. The password cannot contain the user's account name (samAccountName), nor any part of the user's full name (display name) of three or more characters, where the full name is split into parts on delimiters such as commas, periods, hyphens, underscores and spaces; both checks are case-insensitive. Additionally, the password must be at least six characters long (independent of the Minimum Password Length setting) and must contain characters from at least three of five categories: uppercase letters, lowercase letters, base-10 digits, non-alphanumeric characters (keyboard symbols such as ! $ # %), and Unicode letters that have no upper or lower case (for example, characters from Asian scripts). Note that these rules say nothing about whether a password is guessable: "Winter2020!" satisfies all of them.
- Relax Minimum Password Length Limits – Historically, the Minimum Password Length policy could not be set higher than 14 characters, even though users could choose longer passwords. Enabling the Relax Minimum Password Length Limits setting lifts that cap so that organizations can require a longer minimum (up to 128 characters). The setting is available only on recent versions of Windows, so every domain controller must support it before a minimum above 14 will be honoured throughout the domain.
- Store Passwords Using Reversible Encryption – If enabled, this policy setting causes Windows to store passwords in a form that can be decrypted back to the plaintext, which is effectively equivalent to storing them in clear text: anyone who can read the directory database can recover every password. This setting should not normally be enabled. It exists only for legacy protocols that need the plaintext password, such as CHAP through remote access and Digest authentication in IIS. If such an application cannot be retired, enable the equivalent option on the individual accounts that need it rather than for the whole domain.
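The following script is an added example (not code from the original article) showing how the eight settings above map onto what an administrator can actually read and set from PowerShell: six of them are exposed by the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet, while the two newer ones (Relax Minimum Password Length Limits and Minimum Password Length Audit) are stored as DWORD values under HKLM\SYSTEM\CurrentControlSet\Control\SAM on the domain controllers. The baseline values in `$Baseline` are this example's own assumptions, not a published standard; the script assumes RSAT (the ActiveDirectory module) is installed and is run on a domain controller so that the registry values are meaningful.

```powershell
# Added example: audit the effective default domain password policy against a baseline.
# Assumes the ActiveDirectory module is available and, for the registry checks, that
# the script runs on a domain controller. Baseline values are assumptions for the demo.
Import-Module ActiveDirectory

# Group Policy name                            -> property returned by Get-ADDefaultDomainPasswordPolicy
#   Enforce password history                   -> PasswordHistoryCount
#   Maximum password age                       -> MaxPasswordAge (TimeSpan; 0 = never expires)
#   Minimum password age                       -> MinPasswordAge (TimeSpan)
#   Minimum password length                    -> MinPasswordLength
#   Password must meet complexity requirements -> ComplexityEnabled
#   Store passwords using reversible encryption-> ReversibleEncryptionEnabled
$Baseline = @{
    PasswordHistoryCount        = 24
    MaxPasswordAge              = [TimeSpan]::FromDays(365)
    MinPasswordAge              = [TimeSpan]::FromDays(1)
    MinPasswordLength           = 14
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

function Get-PasswordPolicyFindings {
    param(
        [Parameter(Mandatory)] $Policy,
        [Parameter(Mandatory)] [hashtable] $Baseline
    )
    foreach ($name in $Baseline.Keys) {
        $actual = $Policy.$name
        $want   = $Baseline[$name]
        $ok = switch ($name) {
            # "at least" settings: a value stricter than the baseline is fine
            'PasswordHistoryCount' { $actual -ge $want }
            'MinPasswordLength'    { $actual -ge $want }
            'MinPasswordAge'       { $actual -ge $want }
            # a shorter maximum age is fine, but 0 means passwords never expire
            'MaxPasswordAge'       { ($actual -gt [TimeSpan]::Zero) -and ($actual -le $want) }
            default                { $actual -eq $want }
        }
        if (-not $ok) {
            [pscustomobject]@{ Setting = $name; Expected = $want; Actual = $actual }
        }
    }
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = @(Get-PasswordPolicyFindings -Policy $policy -Baseline $Baseline)

# The two newer settings are not exposed by the cmdlet; read them from the SAM key.
$sam = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' -ErrorAction SilentlyContinue
if ($Baseline.MinPasswordLength -gt 14 -and $sam.RelaxMinimumPasswordLengthLimits -ne 1) {
    # A minimum above 14 is only honoured once the relax setting is enabled.
    $findings += [pscustomobject]@{ Setting = 'RelaxMinimumPasswordLengthLimits'; Expected = 1; Actual = $sam.RelaxMinimumPasswordLengthLimits }
}
if ($sam.MinimumPasswordLengthAudit -and $sam.MinimumPasswordLengthAudit -le $policy.MinPasswordLength) {
    # An audit length at or below the enforced minimum never generates events.
    Write-Warning "MinimumPasswordLengthAudit ($($sam.MinimumPasswordLengthAudit)) does not exceed MinPasswordLength ($($policy.MinPasswordLength)); it is a no-op."
}

if ($findings.Count -eq 0) { 'Default domain password policy meets the baseline.' }
else { $findings | Format-Table -AutoSize }

# Remediation for the cmdlet-backed settings (review the values before running):
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -PasswordHistoryCount 24 -MinPasswordLength 14 -MinPasswordAge '1.00:00:00' `
#     -MaxPasswordAge '365.00:00:00' -ComplexityEnabled $true -ReversibleEncryptionEnabled $false
```

Running this on a member server still reports the six cmdlet-backed settings correctly (they are read from the domain head over LDAP), but the SAM registry values reflect only the local machine, which is why the registry portion is meaningful on a domain controller.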
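To make the complexity rules concrete, here is an added example (not from the original article) that re-implements the "Password Must Meet Complexity Requirements" checks as Microsoft documents them, so candidate passwords can be pre-screened offline. The function name, the sample user and the sample passwords are all constructed for this example; the authoritative check runs inside the domain controller's LSA when a password is set, and this code is only a model of it.

```powershell
# Added example: model of the Windows "complexity requirements" check.
# Test-PasswordComplexity and the sample data below are constructed for this demo.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisplayName = ''
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # 1. At least six characters, independent of the Minimum Password Length policy.
    if ($Password.Length -lt 6) { $reasons.Add('shorter than 6 characters') }

    # 2. Must not contain the account name (check skipped if it is under 3 characters).
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add("contains account name '$SamAccountName'")
    }

    # 3. Must not contain any part of the display name, split on the documented
    #    delimiters (comma, period, dash, underscore, space, pound sign, tab).
    #    Parts shorter than 3 characters are ignored; substrings of parts are not checked.
    $tokens = $DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($token in $tokens) {
        if ($Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains display-name part '$token'")
        }
    }

    # 4. Characters from at least three of the five categories. The "special" class is
    #    the documented keyboard symbol set; currency symbols do not count.
    $categories = [ordered]@{
        Uppercase       = '\p{Lu}'
        Lowercase       = '\p{Ll}'
        Digit           = '[0-9]'
        Special         = '[~!@#$%^&*_\-+=`|\\(){}\[\]:;"''<>,.?/]'
        OtherAlphabetic = '[\p{Lo}\p{Lt}\p{Lm}]'   # letters with no upper/lower case, e.g. CJK
    }
    $present = @($categories.GetEnumerator() |
        Where-Object { $Password -match $_.Value } |
        ForEach-Object { $_.Key })
    if ($present.Count -lt 3) {
        $reasons.Add("only $($present.Count) of 5 character categories ($($present -join ', '))")
    }

    [pscustomobject]@{
        Password   = $Password
        Compliant  = ($reasons.Count -eq 0)
        Categories = ($present -join ',')
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample user and candidate passwords (not real credentials).
$user    = @{ SamAccountName = 'jsmith'; DisplayName = 'Smith, John' }
$samples = 'Winter2020!',                 # passes every rule, yet trivially guessable
           'johnsmith1',                  # contains display-name parts, only 2 categories
           'jsmith#2020',                 # contains the account name
           'ab1!',                        # too short
           'correcthorsebatterystaple'    # long and strong, but only 1 category

$samples | ForEach-Object { Test-PasswordComplexity -Password $_ @user } |
    Format-Table Password, Compliant, Categories, Reasons -AutoSize
```

The last two rows show the limitation the rest of the page turns on: the built-in rule rejects a 25-character lowercase passphrase while accepting "Winter2020!", because it measures character categories rather than guessability. That gap is what breached-password and dictionary checks are meant to close.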
These eight settings are undoubtedly useful for password policy enforcement, and Active Directory also offers fine-grained password policies (Password Settings Objects) for applying stricter length, history and age rules to selected groups such as administrators. What none of the built-in settings can do is reject a password because it is a known-compromised or dictionary password. Organizations that want that level of control typically turn to a third-party solution such as Specops Password Policy.
Specops Password Policy goes well beyond Active Directory's native password policy enforcement capabilities. For example, it can block weak passwords by checking users' new passwords against databases of passwords that are known to have been compromised in breaches.
Specops Password Policy is also designed to detect symbols substituted for letters in common words (such as "P@ssw0rd"), as well as commonly used password strings. Screening for character substitution and common strings goes a long way toward eliminating the weak passwords that still satisfy the built-in complexity rules. Additionally, Specops Password Policy includes built-in templates that organizations can use to simplify compliance with standards such as NIST, PCI, and SANS.