Configuring password complexity in Windows and Active Directory

Gerd Altmann (CC0)

Both modern Windows systems (e.g., Windows Server 2008 and 2008 R2) and Active Directory, like Linux and Solaris systems, allow you to configure password policies that determine how long and complex your users’ passwords must be, providing a first line of defense for your systems. If your Unix systems authenticate to AD, then this is the place to specify your all of your password requirements. If Active Directory is only one of many places where password policies are configured, it's still a good idea to ensure that good passwords are used. Having similar complexity standards across the enterprise is a good strategy as it reinforces the importance of good passwords in keeping your systems secure.

Windows and Active Directory allow you to specify a number of parameters to enforce password security. The default values are listed in the table below.

Policy Setting 					        Default Setting Value
==============		                                ====================
Enforce password history 				24 days
Maximum password age 					42 days
Minimum password age 					1 day
Minimum password length 				7
Password must meet complexity requirements 		Enabled
Store passwords using reversible encryption 		Disabled
Account lockout duration 				Not defined
Account lockout threshold 				0
Reset account lockout counter after 			Not defined
Enforce user logon restrictions 			Enabled
Maximum lifetime for service ticket 			600 minutes
Maximum lifetime for user ticket 			10 hours
Maximum lifetime for user ticket renewal 		7 days
Maximum tolerance for computer clock synchronization	5 minutes

Password history -- how many passwords will be remembered by the system. Using the default, none of the previous 24 passwords can be reused when a user changes his or her password.

Maximum password age -- how long a password can be used before it must be changed. If changed, this is typically set to something like 90 days. This would mean that your passwords must be changed every few months.

Minimum password age -- how long your users must wait before they can change a password again. If you users could change their passwords immediately and the system only remembered a few of the previous passwords, it would be easy for them to resurrect their current passwords, essentially using the same password forever. If you force them to use each new password for some number of days, the likelihood that they will return to using the original password is slim. If the wait were two days and ten passwords would be remembered, it would take 20 days to get back to the original password. By that time, even the cleverest of passwords will probably have lost its appeal.

The drawback of minimum password age policies is that your users won't be able to change their passwords right away even if they believe the passwords have been compromised. You should keep this in mind if you choose this option and make sure a hotline is available for emergency password changes.

Password complexity requirements -- incorporates a number of requirements that are configured separately on Linux and Solaris systems. If this setting is enabled -- as it is by default, passwords must be at least six characters long and must contain characters from three of the following: uppercase characters, lowercase characters, digits (0-9), special characters (e.g.,!, #, $), and unicode characters. In addition, the password must not contain more than two characters from the username (provided the username is three or more characters long).

Minimum password length -- how many characters must be included in users' passwords. While this defaults to 7, something between 8 and 12 is a better choice. Your users are likely to balk at having to remember an additional four characters, so be ready to offer some suggestions on how to make longer passwords memorable, such as adding a couple digits to each end, prepending passwords with their best friend's birthday (e.g., 0323) or setting passwords to be a short phrase like "want2goHome!". Remind them that writing down their passwords is always a very bad idea, but writing down something that reminds them of their passwords might be OK, especially if they don't make it obvious that it's a password that they're trying to remember.

Account lockout duration -- how many minutes a locked-out accounts remains locked out before becoming unlocked. If set to 0, however, a password remains locked until an admin (someone authorized to make these kind of changes) unlocks it. This setting is dependent, however, on the account lockout threshold. In other words, if you don't specify that accounts will be locked after some number of failed attempts to log in, there's no significance to specifying how long they'll be locked.

Account lockout threshold -- the number of consecutive failed login attempts that will cause an account to be locked. If set to 0 (the default), accounts are never locked.

The only drawback of the account lockout threshold setting is that it makes it possible for a user to lock out some other user's account.

Reset account lockout counter after -- how many minutes must elapse before a lockout counter is reset to 0 (i.e., the account is unlocked). This can range from 1 minute to 99,999. It must be less than or equal to the account lockout duration.

Enforce user logon restrictions -- whether the Kerberos Key Distribution Center validates every request for a session ticket against the user rights policy on a particular computer.

Maximum lifetime for service ticket -- maximum time that a session ticket can be used. This means that the authentication system underlying Windows (Kerberos) must revalidate a connection at the specified interval.

Maximum lifetime for user ticket -- maximum time that a user's ticket granting ticket may be used. After that time (default 10 hours) has passed, it must be renewed.

Maximum lifetime for user ticket renewal -- defines the time period within which a ticket can be used for and renewed.

Maximum tolerance for computer clock synchronization -- defines the maximum time difference that is allowed between the time on the client's clock and the domain controller. It is meant to prevent what are called "replay attacks" in which a valid data transmission is maliciously or fraudulently repeated or delayed.

The default settings for passwords on Windows and Active Directory are quite reasonable, though I would change the 7-character minimum password length to something higher. While the lockout features make the success of brute force password attacks highly unlikely -- if this is set and it is not by default, setting users' expectations that password should be longer than 8 characters is likely to improve the security of other accounts they use.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2012 IDG Communications, Inc.

IT Salary Survey: The results are in