Drawbacks of Active Directory Password Policy

Microsoft Password Policy: 3 Crippling Drawbacks 

Password Policy ensures that a user password is strong and is changed periodically, so that it becomes very difficult for an attacker to crack. If you are in the process of implementing a password policy, or are looking for a way to ensure that your user accounts and critical data are as secure as possible, you need to be aware of the following common password policy pitfalls.

Short Password Expiry Cycles 

In order to keep systems secure, many companies force their users to change their passwords on a regular basis – usually every 90 days. While this is a good idea, some take it too far, for example forcing employees to change passwords biweekly. This may seem like a good idea, but all it does is encourage users to pick easy-to-remember passwords, and any password that is easy to remember is likely easy to guess.

No account lock-out rule   

While password complexity is a common focus of password policies, it is probably not the most effective way to prevent brute-force attacks. Some experts say that it's more important to require accounts to lock after a certain number of failed log-in attempts.
 
It's important to find the right balance among a few different factors, including the sensitivity of the account, how likely authorized users are to enter the wrong password, and how much of a hassle it is to fix the situation when users get locked out.

Dated password complexity requirements   

Companies often mandate complex passwords and enforce requirements when they can. The problem is, it’s usually easy to meet requirements with a password that isn’t complex at all. For example, if a password must use a capital letter and a number, many users would pick “Password1.”
 
And as hackers get better at cracking passwords, what was once critical for password security is becoming less important. Many password policies require the use of punctuation marks and other special characters, and IT often recommends that users take words and phrases and replace some letters with those symbols. However, hackers have caught on to those tactics, and password-cracking tools now account for such substitutions.
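The three pitfalls above can be checked against a domain's actual settings. The following audit script is an added example and is not part of the original article; it assumes the RSAT ActiveDirectory module is installed and the session has read access to the domain, and the thresholds (30-day minimum expiry, 12-character minimum length) are assumptions to adjust to your own risk appetite.

```powershell
# Added audit example (not from the original article). Requires the RSAT
# ActiveDirectory module and a domain-joined session with read access.
# The thresholds are assumptions chosen to match the article's three pitfalls.
Import-Module ActiveDirectory

$MinAcceptableAgeDays = 30   # assumption: shorter expiry cycles are "too frequent"
$MinLength            = 12   # assumption: length matters more than symbol rules

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Policy   # default or fine-grained policy object
    )
    $findings = @()

    # Pitfall 1: short expiry cycles push users toward easy-to-guess passwords.
    # MaxPasswordAge is a TimeSpan; 0 means passwords never expire.
    $maxAge = $Policy.MaxPasswordAge
    if ($maxAge -and $maxAge.TotalDays -gt 0 -and $maxAge.TotalDays -lt $MinAcceptableAgeDays) {
        $findings += "MaxPasswordAge is $($maxAge.TotalDays) days (below $MinAcceptableAgeDays)"
    }

    # Pitfall 2: no lockout rule. A threshold of 0 allows unlimited failed attempts.
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0 (accounts never lock out)"
    }

    # Pitfall 3: complexity alone is satisfied by 'Password1'-style values;
    # a short minimum length makes that worse.
    if ($Policy.ComplexityEnabled -and $Policy.MinPasswordLength -lt $MinLength) {
        $findings += "ComplexityEnabled but MinPasswordLength is $($Policy.MinPasswordLength) (below $MinLength)"
    }

    [PSCustomObject]@{ Policy = $Name; Findings = $findings }
}

# Audit the domain default plus any fine-grained policies that override it
# for specific users or groups.
$results = @()
$results += Test-PasswordPolicy -Name 'Default Domain Policy' -Policy (Get-ADDefaultDomainPasswordPolicy)
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Name "FGPP: $($fgpp.Name)" -Policy $fgpp
}

$results | ForEach-Object {
    if ($_.Findings.Count -eq 0) { "$($_.Policy): no findings" }
    else { "$($_.Policy):`n  - " + ($_.Findings -join "`n  - ") }
}
```

Fine-grained policies take precedence over the domain default for the users they apply to, so a clean default policy alone does not mean every account is covered.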