Lithnet Password Protection for Active Directory
P@ssw0rdis@s3cr3t!
Multifactor authentication (MFA) is the state of the art for securing user accounts and has long been recognized as such, ultimately even by users who are less IT savvy, now that numerous online services offer or even enforce MFA procedures. One service that many users encounter on a daily basis, however, usually supports only the traditional method of username and password: the security of an Active Directory infrastructure is defined by its user account passwords. The free Lithnet Password Protection for Active Directory (LPP) provides more flexible rules than would be possible with group policies alone and prevents the use of previously compromised passwords. In this article, I look into how to commission and use LPP.
Length vs. Complexity
What constitutes a secure password and how often it should be changed is hotly debated among IT security experts worldwide. The consensus is that complexity and length are the decisive factors. The German Federal Office for Information Security (BSI) compares the two factors in its guidelines [1]. For example, the BSI recommends a high level of complexity for short passwords with a length of only eight to 12 characters. This typically means using four character types, with which many users will be familiar: a mix of upper- and lowercase letters, numbers, and special characters. The recommendations also lower the complexity requirements as the length increases. A significantly longer password with 20 to 25 characters may only have to meet two of the four complexity requirements. Indeed, the US National Institute of Standards and Technology (NIST), in its 2021 update to its password guidance, determined that length, "character for character," was more important than complexity [2].
The computational effort required to crack a password increases exponentially with password length. From 15 to 20 characters, cracking is no longer possible in a finite amount of time – or at least not with today's technology. However, length alone is not helpful if a password is susceptible to dictionary attacks or is found on a list of already compromised passwords. A certain degree of complexity is therefore advisable even for longer passphrases. The 18-character password from the title of this article, for example, would require a computer about 7 quadrillion years to crack, according to the How Secure is My Password site [3] (Figure 1).
Inflexible Group Policies
The onboard tools that Microsoft provides with Active Directory (AD) in group policies are not the best fit for implementing the previous considerations. The default settings for password security can be found in the Default Domain Policy Group Policy Object (GPO) under Computer Configuration | Policies | Windows Settings | Security Settings | Password Policies. A freshly installed domain controller on Windows Server 2022 sets the maximum password age to 42 days. In recent publications, the BSI and NIST, on the other hand, abandoned recommending a regular password change. Therefore, you can decide for yourself whether to extend this period or just abolish it.
If you prefer a periodic change, the Default Domain Policy still defines a minimum password age of one day. This setting is intended to prevent resourceful users from changing their password several times in quick succession to restore the original value. The system actively prevents this by storing a history of the last 24 passwords used for each user.
The settings of the group policies in terms of complexity and length prove to be fairly inflexible. With Windows Server 2022, Microsoft sets the length to at least 7 characters out of the box and additionally enables the Password must meet complexity requirements setting, which ensures that passwords must contain three out of four possible character types – uppercase letters, lowercase letters, numbers, and symbols. A variable system that rewards people who use particularly long passwords with fewer complexity requirements is not something that Group Policy can inherently implement. However, the Microsoft password filters do offer third-party providers an interface for retrofitting functions [4].
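The length-tiered rule sketched in the "Length vs. Complexity" section and contrasted here with the fixed three-of-four Group Policy setting can be expressed as a small policy evaluator. The following Python is an added example written for this article, not LPP's code or Microsoft's filter: the 8-to-12 and 20-to-25 character tiers follow the BSI figures quoted above, while the 13-to-19 tier, the tier for 26 or more characters, the leetspeak substitution table and the blocked-word list are assumptions made for the example.

```python
import re

# Length tiers as (minimum length, number of character classes required).
# 8..12 -> 4 classes and 20..25 -> 2 classes follow the BSI guidance quoted in
# the article; 13..19 -> 3 classes and 26+ -> 1 class are assumptions for this example.
TIERS = ((26, 1), (20, 2), (13, 3), (8, 4))
MIN_LENGTH = 8

CLASS_PATTERNS = {
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

# Simple leetspeak normalization so that "P@ssw0rd" still matches the blocked
# word "password"; the substitution table is an assumption of this example.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s"})


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if pat.search(password)}


def required_classes(length: int) -> int:
    """Number of character classes a password of this length must contain."""
    for min_len, classes in TIERS:
        if length >= min_len:
            return classes
    return 4  # shorter than every tier: demand everything (rejected anyway by MIN_LENGTH)


def contains_blocked_word(password: str, blocked_words) -> bool:
    """Case-insensitive substring match after undoing common substitutions."""
    normalized = password.translate(LEET).lower()
    return any(word.lower() in normalized for word in blocked_words)


def evaluate(password: str, blocked_words=()) -> tuple:
    """Return (accepted, reason) for a candidate password."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if contains_blocked_word(password, blocked_words):
        return False, "blocked word"
    need = required_classes(len(password))
    have = len(character_classes(password))
    if have < need:
        return False, f"complexity: {have} of {need} required character classes"
    return True, "ok"


if __name__ == "__main__":
    # Constructed blocked-word list and candidates for demonstration.
    blocked = ["password", "welcome", "company"]
    for candidate in ("Summer2024", "P@ssw0rdis@s3cr3t!", "Tr0ub4dor&3",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {evaluate(candidate, blocked)}")
```

Note that the 18-character password from the article's title passes the complexity tier (it contains all four classes) but is rejected by the blocked-word check once "@" and "0" are normalized, which is the point of combining a length-aware rule with a word list rather than relying on character classes alone.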
Safer with Lithnet
Open source and free of charge, LPP docks onto the Group Policy interface when installed on domain controllers [5]. LPP comes with settings that relate complexity to password length, and it also compares passwords on demand against an admin-maintained list of blocked words, as well as the database of the Have I been pwned? (HIBP) service [6]. (The word "pwned" is a corruption of the term "owned.") HIBP answers the question of whether a particular password is already on lists of stolen access data circulating on the Internet.
To configure LPP, you can use group policies. The password database is local, so the whole thing works without online access. Neither passwords nor hash values leave your internal network. The prerequisite for checking passwords against the HIBP list is that you first download and extract the HIBP hash list in NTLM format (ordered by hash). This process takes a while because the list is 8.5GB packed and expands to 20GB unpacked. However, you only need this space temporarily. As soon as you import the list into LPP's file-based database format, the space requirement drops again to 6GB.