SF101 Password Policies - ITPro

Password Policy

An effective password policy sets rules that make passwords hard to guess. It typically enforces complexity requirements, such as a mix of uppercase letters, lowercase letters, numbers, and special characters, and prohibits common dictionary words, names, or other easily guessed strings.

A longer and less predictable password is more resistant to common password attacks. Length does more for the size of the search space than adding character classes, so current guidance (NIST SP 800-63B) favours long passphrases screened against lists of known-breached passwords over rigid composition rules alone.

Password Policy Elements

Effective policies usually include the following elements:

  1. Password Complexity: Requiring a combination of character sets (uppercase, lowercase, numbers, special characters).
  2. Password Length: Specifying a minimum length (14 or more characters is a common baseline). Any maximum should be high enough not to block long passphrases.
  3. Password History: Preventing the reuse of previous passwords (Windows can remember up to 24). A minimum password age keeps users from cycling through the history in one sitting to get back to a favourite password.
  4. Password Expiration: Requiring periodic password changes. Forced rotation tends to produce predictable variants (for example, incrementing a trailing number), so current guidance favours changing passwords on evidence of compromise rather than on a fixed schedule.
  5. Account Lockout: Locking out an account after a specified number of failed login attempts within an observation window. A very low threshold lets an attacker lock users out deliberately, so pair it with a lockout duration that releases automatically.

Together these settings produce passwords that are harder to guess and limit what an attacker gains from a guessed or reused one.

Implementing Password Policies

These password policies can be implemented at the local machine level and at the domain/enterprise level.

  • Local Password Policies: Configured on an individual system using the Local Security Policy editor (secpol.msc) under Account Policies. They apply only to local accounts on that machine.
  • Domain Password Policies: Centrally managed through Group Policy (by default the Default Domain Policy linked at the domain root) and applied to all user accounts in an Active Directory domain. Fine-grained password policies (password settings objects) can override the domain default for specific users or groups, such as privileged accounts.

Enterprises typically use centralized domain policies because they are consistent across all systems and easier to manage and audit.
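The following is an added example, not code from the ITPro course, showing how the five policy elements above map onto the domain policy settings using the ActiveDirectory PowerShell module (RSAT), how a stricter fine-grained policy is layered on privileged accounts, and the local-machine equivalent with net accounts. The domain name corp.example, the PSO name, the group and the user account jdoe are hypothetical placeholders; run it as a domain administrator.

```powershell
# Added example (not from the ITPro page). Domain, PSO name, group and user
# below are hypothetical placeholders. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$domain = 'corp.example'          # hypothetical domain

# Record the current default domain policy before changing it (audit trail).
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                  MaxPasswordAge, MinPasswordAge, LockoutThreshold,
                  LockoutDuration, LockoutObservationWindow

# Default domain policy: one parameter per policy element (splatted for readability).
$defaultPolicy = @{
    Identity                    = $domain
    MinPasswordLength           = 14                        # 2. Length
    ComplexityEnabled           = $true                     # 1. Complexity
    PasswordHistoryCount        = 24                        # 3. History (24 is the maximum)
    MinPasswordAge              = New-TimeSpan -Days 1      #    blocks rapid cycling through history
    MaxPasswordAge              = New-TimeSpan -Days 365    # 4. Expiration
    LockoutThreshold            = 10                        # 5. Lockout: failed attempts ...
    LockoutObservationWindow    = New-TimeSpan -Minutes 15  #    ... within this window ...
    LockoutDuration             = New-TimeSpan -Minutes 15  #    ... lock for this long (must be >= window)
    ReversibleEncryptionEnabled = $false                    # never store recoverable passwords
}
Set-ADDefaultDomainPasswordPolicy @defaultPolicy

# Fine-grained policy (PSO) for privileged accounts: the lowest precedence value wins.
$adminPso = @{
    Name                        = 'PSO-PrivilegedAccounts'  # hypothetical name
    Precedence                  = 10
    MinPasswordLength           = 20
    ComplexityEnabled           = $true
    PasswordHistoryCount        = 24
    MinPasswordAge              = New-TimeSpan -Days 1
    MaxPasswordAge              = New-TimeSpan -Days 90
    LockoutThreshold            = 5
    LockoutObservationWindow    = New-TimeSpan -Minutes 30
    LockoutDuration             = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled = $false
}
New-ADFineGrainedPasswordPolicy @adminPso
Add-ADFineGrainedPasswordPolicySubject -Identity $adminPso.Name -Subjects 'Domain Admins'

# Verify the effective policy for one user: the PSO overrides the domain default.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe'      # hypothetical account

# Local equivalent on a standalone machine (affects local accounts only).
# net accounts cannot toggle complexity; set that in secpol.msc or with secedit.
net accounts /minpwlen:14 /maxpwage:365 /minpwage:1 /uniquepw:24 `
             /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15
net accounts                                              # show the resulting local settings
```

If the Default Domain Policy GPO already defines these settings, edit the GPO rather than only calling Set-ADDefaultDomainPasswordPolicy, because Group Policy refresh re-applies the GPO values. The lockout switches to net accounts are not listed in its help text but are accepted on current Windows releases.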

Password Attacks

  1. Dictionary Attacks: Using a pre-compiled list of common words, phrases, or personal information to guess a password, usually expanded with mangling rules (capitalisation, appended years or symbols) that mimic how people satisfy complexity requirements.
  2. Brute-Force Attacks: Systematically trying every possible character combination. The cost grows exponentially with length, which is why length is the strongest defence. Account lockout limits online guessing against a live login; offline guessing against stolen hashes is limited only by how expensive the hash function is.
  3. Rainbow Table Attacks: Using precomputed tables of hashes for large candidate sets so that a leaked hash can be looked up rather than recomputed. A random per-password salt defeats this, because the precomputed table does not include the salt.
  4. Phishing Attacks: Using deception to trick users into revealing their login credentials. No hashing or lockout setting helps here, because the user hands over the password directly; multi-factor authentication and user awareness are the controls.
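The following is an added example, not code from the ITPro course, that runs the three offline attacks above against a constructed "leaked" credential and shows what a per-user salt changes. The password, wordlist, PIN and salt are constructed for the demo, and SHA-256 is used only to keep it self-contained; real password storage should use a slow, salted KDF such as bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count.

```powershell
# Added example (not from the ITPro page). All victim data below is constructed.
function Get-Sha256Hex {
    param([string]$Text)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToLower()
    } finally { $sha.Dispose() }
}

# Constructed victim data: one weak password stored unsalted and salted.
$userPassword = 'Summer2024!'
$unsaltedHash = Get-Sha256Hex $userPassword
$salt         = 'f3a1c9b7'                       # constructed; use 16+ CSPRNG bytes in practice
$saltedHash   = Get-Sha256Hex ($salt + $userPassword)

# 1. Dictionary attack: a short wordlist expanded with the mangling rules
#    crackers apply (capitalise, append a year, append a symbol).
$wordlist   = @('password', 'welcome', 'summer', 'winter', 'letmein')   # constructed
$candidates = foreach ($w in $wordlist) {
    $cap = $w.Substring(0, 1).ToUpper() + $w.Substring(1)
    foreach ($year in 2023..2025) { "$cap$year"; "$cap$year!" }
}
$dictHit = $candidates | Where-Object { (Get-Sha256Hex $_) -eq $unsaltedHash }
"Dictionary attack recovered: $dictHit"

# 2. Brute force: try every candidate in order. Feasible for a 4-digit PIN (10^4),
#    but the space is charset^length, so each extra character multiplies the cost.
$pinHash = Get-Sha256Hex '7391'
$found   = $null
for ($i = 0; $i -lt 10000 -and -not $found; $i++) {
    $pin = $i.ToString('0000')
    if ((Get-Sha256Hex $pin) -eq $pinHash) { $found = $pin }
}
"Brute force recovered PIN $found after $i hashes"

# 3. Precomputed lookup (the idea behind rainbow tables; real ones shrink the
#    table with hash/reduce chains). Build once, then any leaked hash is a lookup.
$table = @{}
foreach ($c in $candidates) { $table[(Get-Sha256Hex $c)] = $c }
"Lookup of unsalted hash: $($table[$unsaltedHash])"
"Lookup of salted hash:   $($table[$saltedHash])"   # nothing: the salted value was never precomputed

# A salt does not stop guessing, it only removes the precomputation shortcut:
# the attacker must redo the whole dictionary pass for every user's salt.
$saltedHit = $candidates | Where-Object { (Get-Sha256Hex ($salt + $_)) -eq $saltedHash }
"Per-user recomputation with salt recovered: $saltedHit"
```

Run it in any PowerShell session; no network or domain is needed. The last step is the practical lesson: salting raises the attacker's cost per account but a weak password still falls to a dictionary pass, so a slow hash and a ban on common passwords are needed alongside the salt.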