What do you use to define how long a password is in windows?

A strong password policy is any organization’s first line of defense against intruders. In Microsoft Active Directory, you can use Group Policy to enforce and control many different password requirements, such as complexity, length and lifetime.

The default domain password policy is located in the following Group Policy object (GPO): Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Starting from Windows Server 2008 domain functional level, you can define fine-grained policies for different organizational units using the Active Directory Administrative Center (DSAC) or PowerShell. 

NIST password guidelines

The National Institute of Standards and Technology (NIST) offers Digital Identity Guidelines for a sound password policy, including the following recommendations:

Password complexity and length

Many organizations require passwords to include a variety of symbols, such as at least one number, both uppercase and lowercase letters, and one or more special characters. However, the benefit of these rules is not nearly as significant as expected, and they make passwords much harder for users to remember and type. 

Password length, on the other hand, has been found to be a primary factor in password strength. Accordingly, NIST recommends encouraging users to choose long passwords or passphrases of up to 64 characters (including spaces).

Password age

Previous NIST guidelines recommended forcing users to change passwords every 90 days (180 days for passphrases). However, changing passwords too often irritates users and usually makes them reuse old passwords or use simple patterns, which hurts your information security posture. While strategies to prevent password reuse can be implemented, users will still find creative ways around them.

Therefore, the current NIST recommendation on maximum password age is to ask employees to create a new password only in the case of a potential threat or suspected unauthorized access.

Passwords especially susceptible to brute force attacks

It’s wise to discourage or prohibit the following passwords:

  • Easy-to-guess passwords, especially the phrase "password"
  • A string of numbers or letters like “1234” or “abcd”
  • A string of characters appearing sequentially on the keyboard, like “@#$%^&”
  • A user’s given name, the name of a spouse or partner, or other names
  • The user’s phone number or license plate number, anybody’s birth date, or other information easily obtained about a user (e.g., address or alma mater)
  • The same character typed multiple times like “zzzzzz”
  • Words that can be found in a dictionary
  • Default or suggested passwords, even if they seem strong
  • Usernames or host names used as passwords
  • Any of the above followed or preceded by a single digit
  • Passwords that form a pattern by incrementing a number or character at the beginning or end

Best practices for password policy

Administrators should be sure to:

  • Configure a minimum password length.
  • Enforce password history policy with at least 10 previous passwords remembered.
  • Set a minimum password age of 3 days.
  • Enable the setting that requires passwords to meet complexity requirements. This setting can be disabled for passphrases but it is not recommended.
  • Reset local admin passwords every 180 days. This can be done with the free Netwrix Bulk Password Reset tool.
  • Reset service account passwords once a year during maintenance.
  • For domain admin accounts, use strong passphrases with a minimum of 15 characters.
  • Track all password changes using a solution such as Netwrix Auditor for Active Directory.
  • Create email notifications for password expiration. This can be done with the free Netwrix Password Expiration Notifier tool.
  • Instead of editing the default settings in domain policy, it is recommended to create granular password policies and link them to specific organizational units.

Additional password and authentication best practices

  • Enterprise applications must support authentication of individual user accounts, not groups.
  • Enterprise applications must protect stored and transferred passwords with encryption to ensure hackers won’t crack them.
  • Users (and applications) must not store passwords in clear text or in any easily reversible form, and must not transmit passwords in clear text over the network.
  • Use multi-factor authentication (MFA) whenever possible to mitigate the security risks of stolen and mishandled passwords.
  • When employees leave the organization, change the passwords for their accounts.
  • Reduce user frustration and helpdesk workload by helping users choose new passwords that meet requirements, proactively reminding them of impending password expiration, and allowing them to change their password in a web browser.

User education 

In addition, be sure to educate your users about the following:

  • It is vital to remember your password without writing it down somewhere, so choose a strong password or passphrase that you will easily remember. If you have a lot of different passwords, you can use a password management tool, but you must choose a strong master key and remember it.
  • Be aware of how passwords are sent across the internet. URLs (web addresses) that begin with “https://” rather than “http://” are more likely to be secure for use of your password.
  • If you suspect that someone else may know your current password, change it immediately.
  • Don’t type your password while anyone is watching.
  • Avoid using the same password for multiple websites containing sensitive information.

In complex environments, it is recommended to enforce granular password policies for both regular and privileged users so that IT administrators can quickly respond to new requirements and minimize the risks of compromises due to weak or stolen passwords. Netwrix Password Policy Enforcer software empowers admins to easily enforce strong password policies and significantly reduces policy management workload on tech staff. 

Regular audits also can help you ensure your password policies are protecting your systems against attacks. Events related to Windows Server password policy are recorded in the Security Event Log on the default domain controller. By reviewing these logs, system administrators can determine who made changes to password policy settings, and when and where (on what domain controller) each change happened. For additional important tips on auditing password policy GPOs, see the Active Directory Group Policy Auditing Quick Reference Guide.

However, native auditing tools won’t show you the most critical details, such as the name of the Group Policy object in which password policy was changed and the type of action that was performed. Moreover, it’s nearly impossible to understand which policies apply to which groups and identify discrepancies. For effective password policy management, you need software that provides more insight into password policy modifications, such as Netwrix Auditor for Active Directory.

Jul 17, 2019 (Last updated on April 4, 2022)

When it comes to making strong passwords, the single most important factor is the length of the password. As long as a password isn’t easily guessable by other means (e.g. use of common words, username, repeating characters) length is your best friend for mitigating brute force attacks.

Let’s consider passwords that only use lowercase letters. For an 8 character password, there are 26^8 possible passwords, which might seem like a large number. And it is — 208,827,064,576 possible passwords – that’s 208 Billion. However, modern computers are exceedingly fast: a computer could churn through every possible password given these requirements in a few hours, and a high-end multi-threaded machine might get that time-frame down to a few minutes or even a few seconds. To make the math easier, let’s say we have a really powerful computer that can churn through this list in exactly 1 minute.

Now consider if we added the traditional complexity rules and we now require one each of an uppercase letter, a lowercase letter, a digit, and a special character but leave our length requirement at 8. This means each character position could include any of 26 (uppercase) + 26 (lowercase) + 10 (digits) + 32 (special characters available as keys on a US English keyboard, excluding alt codes, etc.) == 94 characters. For an 8 character password, that adds up to 94^8 possible passwords, or 6,095,689,385,410,816 — ~29,000 times as many possibilities as the all-lowercase password. So a computer that can brute-force our 208 billion all-lowercase passwords in a minute would take just under 3 weeks to get through all the 8-character complex possibilities. Impressive, but still far from bulletproof.

We also must consider the reality: users are human. So while there are 94^8 possible passwords, the set of actual passwords that humans might choose is likely much smaller than that. How many of your users do you think have passwords that look like this:

Abcdef1!

If the first character is always an uppercase letter, characters 2-6 are lowercase letters, then characters 7 and 8 are always 1 and ! (does that look familiar?) – that leaves just 26^6 possible words:

[A-Z][a-z][a-z][a-z][a-z][a-z]1!

(26)(26)(26)(26)(26)(26)(1)(1) = 308,915,776

That’s 308 Million possible passwords – significantly worse than our all-lowercase password. That virtual supercomputer that could check 208 Billion passwords in 60 seconds would take under a tenth of a second to brute-force guess a password in this set.

Considering that forced complexity isn’t perfect in theory and is potentially even worse in practice, let’s see what just increasing the length does to our possible passwords:

Length  Complexity        Possible passwords                Time to guess (minutes)
6       All lowercase     308,915,776                       0.0015
7       All lowercase     8,031,810,176                     0.038
8       All lowercase     208,827,064,576                   1
9       All lowercase     5,429,503,678,976                 26
10      All lowercase     141,167,095,653,376               676
11      All lowercase     3,670,344,486,987,780             17,576
8       Complex (4 of 4)  6,095,689,385,410,820             29,190
12      All lowercase     95,428,956,661,682,200            456,976
13      All lowercase     2,481,152,873,203,740,000         11,881,376
14      All lowercase     64,509,974,703,297,200,000        308,915,776
15      All lowercase     1,677,259,342,285,730,000,000     8,031,810,176
16      All lowercase     43,608,742,899,428,900,000,000    208,827,064,576

We see as we increase from 11 to 12 characters we fly right by the maximum possible 8-character ’complex’ password that used all possible uppercase+lowercase+digit+special characters.

As we continue increasing length — a 16 character password has a massive number of possibilities. Look at it this way:  8 characters gives us 208 billion possibilities, which we theorized would take one minute to crack. 16 characters gives us 208 billion times 208 billion possibilities, or put another way: 208 billion minutes to crack. A bit more math on that:

208,827,064,576 minutes / 60 = 3,480,451,076 hours

3,480,451,076 hours / 24 = 145,018,795 days

145,018,795 / 365 = 397,312 years
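The arithmetic above, as an added PowerShell example that is not part of the original article. It keeps the article’s calibration (the 26^8 all-lowercase space exhausted in exactly one minute) and uses a shorthand of my own for character classes (U, L, D, S, A), so you can plug in your own policy or a "habit" pattern like the Abcdef1! shape:

```powershell
# Added example, not from the original article. Reproduces the article's
# brute-force arithmetic. Assumption taken from the text: the attacker's
# machine exhausts the 26^8 all-lowercase keyspace in exactly one minute.
$Calibration = [bigint]::Pow(26, 8)        # 208,827,064,576 guesses per minute

# Character-class sizes used by the article (US keyboard, no alt codes).
# U = uppercase, L = lowercase, D = digit, S = special, A = any of the 94.
$ClassSize = @{ 'U' = 26; 'L' = 26; 'D' = 10; 'S' = 32; 'A' = 94 }

# Keyspace of a shape such as 'LLLLLLLL' (all lowercase), 'AAAAAAAA'
# (every position from all 94 characters) or 'ULLLLL1!' (the "Abcdef1!"
# habit from the text, where a literal character contributes one choice).
function Get-Keyspace {
    param([Parameter(Mandatory)][string]$Shape)
    $n = [bigint]1
    foreach ($ch in $Shape.ToCharArray()) {
        $key  = [string]$ch
        $size = if ($ClassSize.ContainsKey($key)) { $ClassSize[$key] } else { 1 }
        $n = $n * $size
    }
    return $n
}

function Get-GuessMinutes {
    param([Parameter(Mandatory)][bigint]$Keyspace)
    # Convert to double before dividing; BigInteger division would truncate.
    return [double]$Keyspace / [double]$Calibration
}

function Get-GuessYears {
    param([Parameter(Mandatory)][bigint]$Keyspace)
    return (Get-GuessMinutes $Keyspace) / 60 / 24 / 365
}

# Rebuild the article's table rows plus the "Abcdef1!" habit for comparison.
$shapes = @('LLLLLL', 'LLLLLLLL', 'AAAAAAAA', 'ULLLLL1!', 'LLLLLLLLLLLL', ('L' * 16))
foreach ($shape in $shapes) {
    $space = Get-Keyspace $shape
    [pscustomobject]@{
        Shape    = $shape
        Keyspace = $space.ToString('N0')
        Minutes  = '{0:N4}' -f (Get-GuessMinutes $space)
        Years    = '{0:N1}' -f (Get-GuessYears $space)
    }
}
```

The ULLLLL1! row lands well below the six-character all-lowercase row, which is the point the article makes about forced complexity in practice.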

Maximum password length

Your passwords have to get quite long before you run into any limitations in the Windows world: the maximum length of a password supported by Active Directory is 256 characters. The maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).

127 is probably quite impractical for a user to type, but might be good for admin accounts where passwords are checked out and copied and pasted from a password vault. Service account passwords that are almost never typed and possibly rarely changed (if ever) could stand to be longer still.

Applications that use AD/LDAP for authentication may have their own limits; unfortunately, they are sometimes much shorter than we would like. If you do have an upper limit imposed by a 3rd party application, Specops Password Policy can help there by enforcing a maximum password length in AD to prevent users from choosing passwords that would be unusable in other applications.

Minimum password length in Active Directory

Default domain policy / password policy

This is typically configured either in your Default Domain GPO or in any other GPO linked directly at the root of the domain. The highest minimum length you can set by this method is 14 characters (run a gpupdate on your PDC emulator for any changes to take effect).

You can also edit the minPwdLength attribute of the domain object directly in ADSI Edit.

Fine-grained password policies

For setting longer minimum length requirements for different sets of users, you can use Fine Grained Password Policies (FGPP). Beginning in Windows 2012, FGPP also supports minimum lengths longer than 14 characters.

Creating a FGPP used to involve going into ADSI Edit and manually creating a Password Settings Container object there. However, with Windows Server 2016, Microsoft added the Active Directory Admin Center, which streamlines the process considerably.

If ADAC is not installed, add it using Roles & Features wizard, or from an admin PowerShell:

> Install-WindowsFeature RSAT-AD-AdminCenter

In ADAC, navigate to System -> Password Settings Container under your domain.

In the Tasks area to the right, New -> Password Settings.

Configure your desired rule set, as well as add users or groups to the ”Directly Applies To” section.

The maximum password length here can go all the way up to 255 characters (though again, watch out for limitations on password fields. For example: logon credentials for Windows services cannot exceed 251 characters).

Now to set a password that long, a ”programmatic” interface such as PowerShell is ideal. Here’s an example (with the real password replaced by *s):

    # The real password is replaced by asterisks; keep the string on one line.
    $newPasswordText = "**********************************************************************************************************************************************************************************************************************************"
    $newPassword = ConvertTo-SecureString -String $newPasswordText -AsPlainText -Force
    Set-ADAccountPassword -Identity svc-password-test -NewPassword $newPassword -Reset
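The same Password Settings Object the ADAC steps above create, as an added PowerShell example that is not from the original article. It uses the ActiveDirectory module’s FGPP cmdlets; the PSO name and the group it applies to are placeholders, and the svc-password-test account is the one used above:

```powershell
# Added example, not from the original article: the same Password Settings
# Object (PSO) the ADAC steps above create, built with the ActiveDirectory
# module instead. The PSO name and group name are placeholders.
Import-Module ActiveDirectory

$psoName     = 'PSO-LongPasswords'     # placeholder PSO name
$targetGroup = 'Long Password Users'   # placeholder group the PSO applies to

# The domain GPO caps the minimum length at 14; a PSO can go higher.
Get-ADDefaultDomainPasswordPolicy | Select-Object MinPasswordLength, MaxPasswordAge

if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $psoParams = @{
        Name                        = $psoName
        Precedence                  = 10     # lowest number wins if several PSOs apply
        MinPasswordLength           = 20
        PasswordHistoryCount        = 24
        MinPasswordAge              = (New-TimeSpan -Days 1)
        MaxPasswordAge              = (New-TimeSpan -Days 365)
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        LockoutThreshold            = 10
        LockoutDuration             = (New-TimeSpan -Minutes 30)
        LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    }
    New-ADFineGrainedPasswordPolicy @psoParams
}

# Equivalent of the "Directly Applies To" list in the ADAC dialog.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $targetGroup

# Confirm which policy actually wins for a member of that group. No output
# means no PSO covers the account and the domain GPO settings apply instead.
Get-ADUserResultantPasswordPolicy -Identity 'svc-password-test' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

Run the resultant-policy check for any account you expect a PSO to cover; the domain functional level must be Windows Server 2012 or later for a MinPasswordLength above 14 to be honoured.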

Long but easily guessed passwords – what to do

Now we have talked considerably about password length and why it’s important, but remember that’s not the entire story when it comes to modern password recommendations. A long password is a strong password; however, it’s still not any good if it contains your username or other easily guessable words such as the name of the organization. If my password were “SpecopsSoftware1!” it’s quite long, and that’s good. However, if someone wanted to guess my Specops account password, this would be a fairly easy guess. Similarly, if I was allowed to chase a minimum length requirement with a repeating character, e.g. “Specops11111111”, that wouldn’t be much harder to guess than “Specops1”.

With Specops Password Policy, you can help ensure that your longer password length requirement isn’t entirely for naught. You can block common dictionary words (case insensitive, and with detection of common character substitutions) and detect and block repeating characters. So “SpecopsSoftware1!” would be blocked, as would “Specops11111111” or even “Sp3c0psS0ftw@re1!”.

With Specops Breached Password Protection you can also block over 2 billion known leaked passwords. A long password is no good if it’s known to hackers.

Length-Based Password Aging

With Specops Password Policy 7.1 we introduced a new feature: length-based password aging. With this feature enabled, you can reward your users for selecting a longer password by extending the time until they’ll need to change their password again, or even letting them keep that long password forever.

Check out this recent review of Specops Password Policy for more information about the product.