Did you know…

That Active Directory’s password policy doesn’t enforce four out of four character varieties?

The password must contain characters from three of the following categories:

  • Uppercase letters of European languages (A through Z, including diacritic marks, Greek, and Cyrillic characters)
  • Lowercase letters of European languages (a through z, sharp-s, including diacritic marks, Greek, and Cyrillic characters)
  • Base 10 digits (0 through 9)
  • Non-alphanumeric characters: !@#$%^&*_-+=|(){}[]:;"'<>,.?/~
  • Any Unicode character categorized as alphabetic but not uppercase or lowercase, including characters from Asian languages.

Password Policies

Depending on other settings, such as password length, this isn’t inherently a bad policy. However, enforcing only three of the four categories is not recommended.

In practice, this means passwords like Password! or password123! are allowed. While Password123! would still pass if all four categories were enforced, that’s a topic for another time.
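To make the three-of-five rule above concrete, here is an added example (not from the original post) that classifies each character of a password into the categories listed and reports whether it meets a configurable minimum; `min_categories=3` mirrors the default described above, and `min_categories=4` shows what stricter enforcement would reject. The category names and the helper that lists "compliant but minimal" passwords are my own choices, not an Active Directory API.

```python
import unicodedata

# Special characters the policy text counts as "non-alphanumeric".
SPECIALS = set('!@#$%^&*_-+=|(){}[]:;"\'<>,.?/~')


def character_categories(password: str) -> set[str]:
    """Return the set of complexity categories present in the password.

    Categories follow the five classes in the policy text: uppercase
    letters (Unicode Lu), lowercase letters (Ll, which includes sharp-s),
    base-10 digits only, the listed special characters, and any other
    alphabetic character (e.g. CJK ideographs, Unicode category Lo).
    """
    found = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            found.add("upper")
        elif cat == "Ll":
            found.add("lower")
        elif "0" <= ch <= "9":          # base-10 digits only, not e.g. Arabic-Indic digits
            found.add("digit")
        elif ch in SPECIALS:
            found.add("special")
        elif ch.isalpha():              # alphabetic but neither upper nor lower case
            found.add("other_alpha")
    return found


def meets_complexity(password: str, min_categories: int = 3) -> bool:
    """True if the password draws from at least min_categories classes."""
    return len(character_categories(password)) >= min_categories


def compliant_but_minimal(passwords, strict: int = 4):
    """Passwords that pass the default three-category rule but fail a stricter one.

    Useful when reviewing a list of cracked or candidate passwords to see how
    many only just scrape past the policy.
    """
    return [p for p in passwords
            if meets_complexity(p, 3) and not meets_complexity(p, strict)]


if __name__ == "__main__":
    # Constructed sample values, including the examples from the text above.
    for pw in ["Password!", "password123!", "Password123!", "1Guitar#6Strings#DroppedC"]:
        print(f"{pw!r}: categories={sorted(character_categories(pw))} "
              f"3-of-5={meets_complexity(pw)} 4-of-5={meets_complexity(pw, 4)}")
```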

Most users tend to prefer shorter passwords that barely meet the requirements in order to avoid the hassle of creating longer, more complex ones.

xkcd nailed it: we’ve forced users to use short, complex passwords that are difficult to remember but easy for computers to crack.

There’s an ongoing debate about whether short, complex passwords are better than their longer, simpler counterparts. The answer likely lies somewhere in between.

A longer, memorable password with some complexity works best. For example:

1Guitar#6Strings#DroppedC

These are the kinds of passwords I’ve found most effective: complex enough to thwart brute-force attacks, yet easy to remember and not too difficult to type.

The main issue remains: Active Directory, in its current state, doesn’t allow for more than three out of four character categories.

Third Party Solutions

  • PAID - Specops Password Policy allows system administrators to bypass Active Directory’s native password policies using Group Policies. It offers features like checking compromised passwords, banning certain words based on word lists or regex, and automating notifications when passwords are compromised.

  • Open Source - Lithnet Password Protection is similar to Specops Password Policy, but lacks some advanced features. Lithnet checks for compromised passwords against a locally stored copy of the Have I Been Pwned list, and allows you to add custom word lists. It also supports regex-based banned word checks and provides a PowerShell module for automation.

Note: I am not affiliated with any of these companies.

That’s it?

Definitely not!

Assuming a threat actor has gained internal access to hashed passwords for offline cracking, the password’s complexity becomes irrelevant. Once compromised, the hash can be cracked instantly, regardless of length or complexity.

But, of course, users never reuse their passwords, right?

What can we do?

To improve password hygiene and assess vulnerabilities, you can perform your own password audits.

  • Password Cracking
    • CrackMapExec can be used to download NTLM hashes from a domain controller.
    • Hashcat with a wordlist and hashcat rules for password cracking.
    • By analyzing cracked passwords, you can identify useful patterns—such as whether users include their organization’s name or the local sports team in their passwords.
  • Specops offers a free, read-only audit tool to check for weak, reused, or compromised passwords.
  • Educate users on proper password hygiene, including the importance of not reusing passwords. Help them help us by clarifying IT policies and offering guidance.
  • Defense in Depth: Layers upon layers of security. Implement 2FA, use password managers, perform regular audits and so on.
  • Be Patient and Supportive: Some users may not have the same technical expertise, but scolding them won’t help. A patient and supportive approach fosters better results.