Password Policy
It’s a good idea to set a Windows policy that requires a long password for domain accounts. There are two main reasons for this. The first is the math of cracking passwords given an NTLM password hash. In contrast to the recommended password hashing algorithms that we saw in Password Storage Done Right (bcrypt, scrypt, Argon2, and PBKDF2), the NTLM password hashing algorithm does not have a work factor associated with it. This means that an attacker who gets access to an NTLM password hash will be able to attempt to brute force it with a huge number of attempts per second. The NTLM algorithm is not going away any time soon. So our only other defense against this attack is to use a longer password.
Another benefit from longer ...
Get Practical Security now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
