11.7. Requiring Strong Passwords

Problem

You want to enforce the use of strong passwords for user accounts.

Solution

Using a graphical user interface

  1. Open the Group Policy Object Editor and target the Default Domain Policy.

  2. In the left pane, expand Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy.

  3. In the right pane, double-click Password must meet complexity requirements.

  4. Make sure the box beside Define this policy setting is checked and Enabled is selected.

  5. Click OK.

This setting has no effect on users' current passwords. Complexity is checked only when a password is set or changed, so existing weak passwords remain valid until each user's current password expires or is changed. For more on how to force users to change their password, see Recipe 6.21 in Active Directory Cookbook (O'Reilly).
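The same change made and verified from PowerShell, as an added example that is not part of the original recipe. It assumes the RSAT ActiveDirectory module and a domain-admin session on a domain-joined host; the domain name is read from the directory, and the account name "jsmith" at the end is a hypothetical user used to illustrate forcing a password change.

```powershell
# Added example (not from the Windows Server Cookbook): enable and verify domain-wide
# password complexity from PowerShell instead of the Group Policy Object Editor.
# Assumes the RSAT ActiveDirectory module and a domain-admin session on a domain-joined host.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# The GPO setting in the recipe is written by the PDC emulator to the domain object; this
# cmdlet reads those same domain-wide values, so it shows the effective policy either way.
Write-Host "Password policy for $domain before the change:"
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                  MaxPasswordAge, ReversibleEncryptionEnabled |
    Format-List

# Enable complexity. Complexity alone still permits six-character passwords, so raise the
# length floor as well; reversible encryption is never wanted on a modern domain.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -ComplexityEnabled $true `
    -MinPasswordLength 12 `
    -ReversibleEncryptionEnabled $false

# Verify rather than assume: fail loudly if the write did not take.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain
if (-not $policy.ComplexityEnabled -or $policy.MinPasswordLength -lt 12) {
    throw "Password policy on $domain was not updated: $($policy | Out-String)"
}
Write-Host "Complexity enabled, minimum length $($policy.MinPasswordLength) on $domain."

# Fine-grained password policies (PSOs) override the domain policy for the users and groups
# they apply to, so list them: a lax PSO silently exempts its members from this setting.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, ComplexityEnabled, MinPasswordLength, AppliesTo |
    Format-Table -AutoSize

# The new rules only bite when a password is changed. To force that for one user
# (hypothetical account name), flag the account to change password at next logon:
Set-ADUser -Identity 'jsmith' -ChangePasswordAtLogon $true
```

One caveat: Set-ADDefaultDomainPasswordPolicy writes the domain object directly. If the Default Domain Policy GPO explicitly defines these settings with different values, the PDC emulator re-applies the GPO values at the next policy refresh, so either keep the GPO in sync or make the change in the GPO and use the Get- cmdlet only to verify it took effect.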

Discussion

Most users, if given a choice, pick simple, easy-to-remember passwords. No matter how tight the security is on your servers, if an attacker can guess or crack a user's password, it is all for naught. To combat this, you can enable password complexity in the Default Domain GPO to require that each new password meet the following criteria:

  • Not contain the user's account name (samAccountName), or any token of the user's full name (display name) that is three or more characters long; both comparisons are case-insensitive

  • Contain at least six characters

  • Contain characters from three of the following five categories:

    • Uppercase letters

    • Lowercase letters

    • Digits (0 through 9)

    • Special (non-alphanumeric) characters (e.g., %, @, !)

    • Other alphabetic Unicode characters that are neither uppercase nor lowercase (e.g., characters from Asian scripts)

By enabling this, you can be somewhat more confident that once a user changes his password, it won't be something trivial (although passwords such as "Mypassword!" still pass the complexity test). Note that complexity does nothing about length beyond the six-character floor; pair it with the Minimum password length setting in the same Password Policy node, and keep in mind that a fine-grained password policy applied to a user or group overrides the domain-wide setting for its members.
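To see exactly what the complexity test does and does not reject, here is a local re-implementation of the rules listed above, added here as an example and not part of the original recipe or of Windows itself. The function name, parameters and sample passwords are this example's own; the rules follow the documented Windows behaviour (account name, full-name tokens of three or more characters, minimum length, three of five character categories). The constructed sample set includes "Mypassword!", which the text notes passes, alongside a password that reuses a full-name token and is rejected for it.

```powershell
# Added example (not from the Windows Server Cookbook): a local re-implementation of the
# Windows password complexity rules, useful for testing candidate passwords offline or as the
# basis of a test suite for a custom password filter. Names and samples are this example's own.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $DisplayName = '',
        [int]    $MinimumLength = 6    # the floor complexity enforces; raise via Minimum password length
    )
    $reasons = @()

    if ($Password.Length -lt $MinimumLength) {
        $reasons += "fewer than $MinimumLength characters"
    }

    # Account name check is case-insensitive and skipped for names shorter than three characters.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons += "contains account name '$SamAccountName'"
    }

    # The full name is split on , . - _ space # and tab; each token of 3+ characters must be absent.
    foreach ($token in ($DisplayName -split '[,.\-_ #\t]+' | Where-Object { $_.Length -ge 3 })) {
        if ($Password.IndexOf($token, [System.StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += "contains full-name token '$token'"
        }
    }

    # Character categories. -cmatch keeps the .NET regex case-sensitive so \p{Lu} and \p{Ll}
    # are distinguished; the last class is "letter that is neither upper- nor lowercase".
    $categories = @(
        @{ Name = 'uppercase';   Pattern = '\p{Lu}' }
        @{ Name = 'lowercase';   Pattern = '\p{Ll}' }
        @{ Name = 'digit';       Pattern = '[0-9]' }
        @{ Name = 'special';     Pattern = '[^\p{L}\p{Nd}]' }
        @{ Name = 'other-alpha'; Pattern = '[\p{L}-[\p{Lu}\p{Ll}]]' }
    )
    $present = @($categories | Where-Object { $Password -cmatch $_.Pattern } | ForEach-Object { $_.Name })
    if ($present.Count -lt 3) {
        $reasons += "only $($present.Count) of 5 character categories ($($present -join ','))"
    }

    [pscustomobject]@{
        Password   = $Password
        Passes     = ($reasons.Count -eq 0)
        Categories = ($present -join ',')
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample inputs for a hypothetical user jsmith / "John Smith".
$samples = 'Mypassword!', 'Smith2024!', 'jsmith', 'correct horse', 'Tr0ub4dor&3'
$samples |
    ForEach-Object { Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -DisplayName 'John Smith' } |
    Format-Table -AutoSize
```

The point of running it is the first row: a dictionary word with a capital and a trailing "!" satisfies every rule, which is why complexity is a floor, not a strength guarantee, and why a longer minimum length (and, where available, a banned-password list) belongs alongside it.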
