September 7, 2023

Standard Password Complexity Rules Just Don’t Cut It Anymore

Microsoft Active Directory has had password complexity requirements built in for a long time, and most administrators are familiar with the standard settings. You can set a minimum length and require complexity, which, in Microsoft’s definition, means the password must contain characters from at least three (3) of the following four categories:

  • Uppercase letter
  • Lowercase letter
  • Number
  • Special character

The problem with this is that you can have some terrible passwords that meet or exceed these requirements. Let’s say you work at a fictional financial institution named “Bank of Mordor” and set a minimum length of ten (10) characters and require complexity... you can still (and probably do!) have users who create passwords such as:

  • Password123
  • Summer2023
  • Bankofmordor1
  • Temp123456

Note that none of those have special characters... they aren’t required under the standard complexity rules above. Even if your users remember their security awareness training and throw a special character (normally a “!”) on the end, it won’t help much. Many password lists already contain variations on the above, and a brute-force password cracker would break these within seconds.

So, what can be done? Unfortunately, there isn’t much available out of the box to combat this particular issue. Here are some suggestions:

  • Keep up security awareness training. Teach users that the way a password is made up can be just as important as meeting the requirement.
  • Encourage passphrases. Introducing even one space in a password can make a huge difference in the work needed to crack or guess it. Something like “I like hotdogs!” is simple to remember, and the number of possible combinations makes it very difficult to crack.
  • Consider password “blacklisting”. This control (generally provided by a third-party bolt-on solution) allows you to disallow certain words or patterns in user-created passwords. If you integrate with Azure AD (now also known as Entra ID), there may be some functionality you can already leverage.
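
To make the gap between the two controls concrete, here is an added example (not code from the original post or from any Microsoft product) that models the built-in three-of-four complexity rule and then layers a simple blacklist on top of it. It checks the “Bank of Mordor” passwords listed earlier and the “I like hotdogs!” passphrase. The banned-word list, the season-plus-year pattern, the ascending-digit check and the sample account “fbaggins” / “Frodo Baggins” are all constructed for illustration; a real deployment would take its word list from the blacklisting product or a file.

```python
import re

# The four character classes named by the built-in policy. A password must
# contain characters from at least three of them.
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}

# Constructed ban list for the fictional institution (assumption: a real
# deployment loads this from the blacklisting product or a word-list file).
BANNED_WORDS = ["password", "bankofmordor", "mordor", "temp", "welcome", "letmein"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]

# Common leet-speak substitutions undone before comparing against BANNED_WORDS,
# so "P@ssw0rd" is treated the same as "password".
LEET_TABLE = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                            "4": "a", "5": "s", "7": "t", "!": "i"})


def meets_ad_complexity(password: str, min_length: int = 10) -> bool:
    """Model of the built-in rule: minimum length plus at least three of the
    four character classes. Nothing here looks at *which* words are used."""
    if len(password) < min_length:
        return False
    classes_hit = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    return classes_hit >= 3


def contains_name_tokens(password: str, account_name: str = "", display_name: str = "") -> bool:
    """The built-in policy also rejects a password containing the account name
    or any display-name token of three or more characters (split on spaces,
    commas, periods, hyphens, underscores, pound signs and tabs)."""
    pw = password.lower()
    if len(account_name) >= 3 and account_name.lower() in pw:
        return True
    tokens = re.split(r"[ ,.\-_#\t]+", display_name.lower())
    return any(len(tok) >= 3 and tok in pw for tok in tokens)


def normalize(password: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters for word matching."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_TABLE))


def has_digit_run(password: str, run: int = 4) -> bool:
    """True if the password contains `run` consecutive ascending digits (1234, 5678...)."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if chunk.isdigit() and chunk in "0123456789":
            return True
    return False


def blacklist_findings(password: str) -> list:
    """Return the reasons a blacklisting control would reject the password
    (empty list means it passed)."""
    findings = []
    norm = normalize(password)
    for word in BANNED_WORDS:
        if word in norm:
            findings.append(f"contains banned word '{word}'")
    if re.search(rf"({'|'.join(SEASONS)})\d{{2,4}}", password.lower()):
        findings.append("season followed by a year")
    if has_digit_run(password):
        findings.append("ascending digit sequence")
    return findings


def evaluate(password: str, min_length: int = 10) -> dict:
    """Run both layers and report whether the password would be accepted."""
    complexity_ok = meets_ad_complexity(password, min_length)
    findings = blacklist_findings(password)
    return {
        "ad_complexity": complexity_ok,
        "findings": findings,
        "accepted": complexity_ok and not findings,
    }


if __name__ == "__main__":
    # The post's examples: every one passes the built-in rule, only the
    # passphrase survives the blacklist.
    for candidate in ["Password123", "Summer2023", "Bankofmordor1",
                      "Temp123456", "I like hotdogs!"]:
        result = evaluate(candidate)
        print(f"{candidate!r:20} complexity={result['ad_complexity']} "
              f"accepted={result['accepted']} {result['findings']}")
```

Running the script shows all four weak passwords reported as meeting complexity while the blacklist layer flags each of them for a different reason (a banned word, a season-plus-year pattern, the company name, an ascending digit run); “I like hotdogs!” passes both checks because the blacklist has nothing to match against a sentence of ordinary words.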

Authored by: Jeremy Johnson, OSCP, CISSP
