Enhance Password Policies in Group Policy
I would like to see improved password policies to enable administrators to restrict some of the most common abuses of password policy. The main things I would like to see are:
- Specify minimum number of changed characters vs previous password (e.g. to prevent just incrementing a number)
- Ability to blacklist common bad passwords including wildcard support
- Ability to control which complexity requirements are required rather than only having a single complexity option defined by Microsoft.
Jesper Neumann commented
In a paper by Microsoft, they claim that banning common passwords is one of the most important steps for securing an environment. It would be nice if Active Directory natively could provide a way for us to enforce that.
Rubber Chicken commented
With reference to the world famous “correct horse battery staple” principle I want to try to achieve this.
The problem I’m facing is that I want a mixture of all the features that exist, but not all of them enforced.
I want to enable “Passwords must meet complexity requirements” to ensure passwords don’t contain the username, etc., but I don’t want to enforce the upper/lower/special characters shenanigans. That isn’t useful for humans. I want each of these items to be broken out and individually configurable.
I also want to have a dictionary of bad passwords. I don’t want people to use “correct horse battery staple” as an ironic password, nor Password1!, nor largely repeated passwords (Password1!, Password2!, etc.). Passfilt.dll seems to almost get there but isn’t easily user accessible or otherwise supportable.
Kirill Nikolaev commented
Another very important option to enhance is password size - right now we are unable to set a minimum password size greater than 14 symbols (LM compatibility, obviously). But using a password of 15 symbols or longer is a very effective way to prevent LM hash generation. We should be able to set a minimum required size greater than 14 symbols.
Andrew T commented
I agree these would be nice to see in the OS
FYI there is an ability for 3rd parties to develop their own password policies through the password filter functionality - https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx
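The checks asked for in the original post (minimum number of changed characters, a wildcard blacklist, individually switchable complexity rules, the built-in "must not contain the account or display name" rule) together with Kirill Nikolaev's 15-character minimum, modelled as an added example. This is not Microsoft's code and not a password filter DLL: the policy field names, the banned patterns and the sample names are assumptions, and the real enforcement point would be a DLL exporting the password filter functions described in the link above; the logic below is what such a filter would implement.

```python
"""Model of the Group Policy password checks requested in this thread.

Added example, not Microsoft code: the policy fields, pattern list and
sample names are assumptions. A real filter would expose this logic from
a password filter DLL, not a Python module.
"""
import fnmatch
from dataclasses import dataclass, field

# Delimiters the built-in complexity rule uses to split the display name
NAME_DELIMITERS = ",.-_ #\t"


@dataclass
class PasswordPolicy:
    """Each requirement is individually switchable (assumed field names)."""
    min_length: int = 15            # 15+ characters: no LM hash can be generated
    min_changed_chars: int = 3      # minimum edit distance from the previous password
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False   # anything that is not a letter or digit
    forbid_account_name: bool = True
    banned_patterns: list = field(default_factory=lambda: [
        "password*",            # Password1!, password2024, ...
        "*correct*horse*",      # the ironic xkcd passphrase
        "welcome*", "qwerty*", "*123456*",
    ])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b.
    Password1! -> Password2! is one edit, so incrementing a digit is caught."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def name_tokens(full_name: str) -> list:
    """Split a display name on the built-in rule's delimiters and keep
    the parts of three or more characters, lower-cased."""
    tokens, current = [], ""
    for ch in full_name:
        if ch in NAME_DELIMITERS:
            tokens.append(current)
            current = ""
        else:
            current += ch
    tokens.append(current)
    return [t.lower() for t in tokens if len(t) >= 3]


def check_password(policy: PasswordPolicy, new: str, old: str = "",
                   account_name: str = "", full_name: str = "") -> list:
    """Return the list of violated rules; an empty list means accepted."""
    failures = []
    low = new.lower()

    if len(new) < policy.min_length:
        failures.append(f"shorter than {policy.min_length} characters")

    if old and edit_distance(old, new) < policy.min_changed_chars:
        failures.append(f"fewer than {policy.min_changed_chars} characters changed")

    # Wildcard blacklist: fnmatch gives shell-style * and ? matching
    for pattern in policy.banned_patterns:
        if fnmatch.fnmatchcase(low, pattern.lower()):
            failures.append(f"matches banned pattern {pattern!r}")
            break

    if policy.forbid_account_name:
        if account_name and account_name.lower() in low:
            failures.append("contains the account name")
        for token in name_tokens(full_name):
            if token in low:
                failures.append(f"contains name part {token!r}")
                break

    # Complexity classes are enforced only when switched on
    if policy.require_upper and not any(c.isupper() for c in new):
        failures.append("no upper-case letter")
    if policy.require_lower and not any(c.islower() for c in new):
        failures.append("no lower-case letter")
    if policy.require_digit and not any(c.isdigit() for c in new):
        failures.append("no digit")
    if policy.require_special and not any(not c.isalnum() for c in new):
        failures.append("no special character")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs; the names are placeholders
    policy = PasswordPolicy()
    print(check_password(policy, "Password2!", old="Password1!",
                         account_name="jneumann", full_name="Jesper Neumann"))
    print(check_password(policy, "teal lampshade orbits quietly", old="Password1!",
                         account_name="jneumann", full_name="Jesper Neumann"))
```

The passphrase in the second call passes because only length, the change distance, the blacklist and the name rule are on by default; turning on `require_digit` rejects it with a single, specific reason, which is the per-rule control the thread asks for.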