Update Active Directory Password policies to align with new NIST guidelines
Now that the new NIST 800-63B guidelines are coming together, can Active Directory be updated to follow some of the guidance in here? Specifically allowing for blacklists of breached or otherwise bad passwords, potentially allowing for a salt to be added to AD password hashes, and rate throttling instead of just account lockout?
Absolutely need this as core functionality in AD - we're forced to find a third party password filter system to inject itself between our users (on and off prem) and AD.
Jesper Neumann commented
In a paper by Microsoft, they claim that banning common passwords is one of the most important steps for securing an environment. It would be nice if Active Directory could provide a way for us to enforce that.
Rubber Chicken commented
With reference to the world famous “correct horse battery staple” principle I want to try to achieve this.
The problem I’m facing is that I want a mixture of all the features that exist, but not all of them enforced.
I want to enable “Passwords must meet complexity requirements” to ensure passwords don’t contain the username, etc., but I don’t want to enforce the upper/lower/special characters shenanigans. That isn’t useful for humans. I want each of these items to be broken out and individually configurable.
I also want to have a dictionary of bad passwords. I don’t want people to use “correct horse battery staple” as an ironic password, nor Password1!, nor largely repeated passwords (Password1!, Password2!, etc.). Passfilt.dll seems to almost get there but isn’t easily user accessible or otherwise supportable.
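The checks this thread asks for (length without composition rules, no account-name fragments, a banned-password dictionary, and rejecting Password1!/Password2!-style rotations) as one worked validation routine. This is an added illustration, not code from the thread, from Passfilt.dll, or from any Microsoft product; the blocklist and the small leet map are constructed for the example, and a real deployment would load a breached-password list instead.

```python
import re
import unicodedata
from typing import List, Optional

# Constructed sample blocklist for the example; a real deployment loads a
# breached-password list (what NIST 800-63B calls compromised values).
BLOCKLIST = {"password", "correcthorsebatterystaple", "letmein", "qwerty"}
LEET = str.maketrans("@$013!", "asolei")  # hypothetical, deliberately small


def canonical(pw: str) -> str:
    """Collapse trivial variants to one form so Password1! and Password2!
    (or P@ssw0rd123) compare equal: NFKC, case-fold, drop spaces, strip
    leading/trailing digits and punctuation, then undo leet substitutions."""
    s = unicodedata.normalize("NFKC", pw).casefold().replace(" ", "")
    s = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", s)
    # An all-digit/punctuation password would strip to "", so fall back.
    return s.translate(LEET) or pw.casefold()


def check_password(pw: str, username: str, full_name: str = "",
                   previous: Optional[str] = None) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.
    No upper/lower/special-character rules are enforced, only length."""
    reasons: List[str] = []
    if not 8 <= len(pw) <= 64:  # 800-63B: at least 8, allow long passphrases
        reasons.append("length must be 8-64 characters")
    folded = pw.casefold()
    # Context-specific words: the account name plus full-name tokens of 3+ chars.
    context = [username] + [t for t in re.split(r"\W+", full_name) if len(t) >= 3]
    if any(w and w.casefold() in folded for w in context):
        reasons.append("contains the account name or part of the full name")
    canon = canonical(pw)
    if canon in BLOCKLIST:
        reasons.append("matches a banned password after normalisation")
    if previous is not None and canon == canonical(previous):
        reasons.append("is a trivial variation of the previous password")
    return reasons
```

The previous-password comparison only works where the caller still has the old cleartext (e.g. inside a change-password flow), since AD stores hashes, not values that can be canonicalised.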