![Lead Image © Nah Ting Feng, 123RF.com](/var/ezflow_site/storage/images/archive/2022/69/lithnet-password-protection-for-active-directory/123rf-nah_ting_feng-circuit_and_lock.png/194496-1-eng-US/123RF-Nah_Ting_Feng-Circuit_and_Lock.png1_medium.png)
Lithnet Password Protection for Active Directory
P@ssw0rdis@s3cr3t!
Multifactor authentication (MFA) is the state of the art for securing user accounts and has long been recognized as such, ultimately even by users who are less IT savvy, now that numerous online services offer or even enforce MFA procedures. One service that many users encounter on a daily basis, however, usually supports only the traditional username-and-password method: The security of an Active Directory infrastructure rests on its user account passwords. The free Lithnet Password Protection for Active Directory (LPP) provides more flexible rules than are possible with group policies alone and prevents the use of previously compromised passwords. In this article, I look into how to commission and use LPP.
Length vs. Complexity
What constitutes a secure password and how often it should be changed is hotly debated among IT security experts worldwide. The consensus is that complexity and length are the decisive factors. The German Federal Office for Information Security (BSI) compares the two factors in its guidelines [1]. For example, the BSI recommends a high level of complexity for short passwords with a length of only eight to 12 characters. This typically means using four character types, with which many users will be familiar: a mix of upper- and lowercase letters, numbers, and special characters. The recommendations also lower the complexity requirements as the length increases. A significantly longer password with 20 to 25 characters may only have to meet two of the four complexity requirements. Indeed, the US National Institute of Standards and Technology (NIST), in its 2021 update to password guidance, determined that length, "character for character," was more important than complexity [2].
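To make the length-versus-complexity tradeoff concrete, here is an added example (not code from the article or from the Lithnet project) that evaluates a candidate password against a length-tiered policy of the kind the BSI guidance describes: eight to 12 characters must use all four character classes, 20 to 25 only two. The intermediate tier (13 to 19 characters, three classes), the 26-plus tier (one class), the class alphabet sizes, and the `search_space_bits` brute-force model are assumptions made for illustration, not values taken from the BSI or NIST documents; the model only counts the raw keyspace and says nothing about dictionary or breach-list attacks, which is exactly the gap a tool like LPP closes.

```python
import math
import string

# The four character classes the BSI guidance refers to, paired with the
# alphabet size assumed for the search-space model (32 ASCII punctuation
# characters plus the space character = 33). Sizes are assumptions.
CLASSES = {
    "upper": (set(string.ascii_uppercase), 26),
    "lower": (set(string.ascii_lowercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation + " "), 33),
}

# (minimum length, number of character classes required at that length).
# The 8 -> 4 and 20 -> 2 tiers follow the article's reading of the BSI
# guideline; the 13 -> 3 and 26 -> 1 tiers are assumptions for illustration.
TIERS = [(8, 4), (13, 3), (20, 2), (26, 1)]
MIN_LENGTH = TIERS[0][0]


def classes_present(password):
    """Return the set of class names that occur at least once in the password."""
    return {name for name, (chars, _) in CLASSES.items()
            if any(c in chars for c in password)}


def required_classes(length):
    """Return how many classes a password of this length must contain,
    or None when it is shorter than the policy minimum."""
    required = None
    for min_len, count in TIERS:
        if length >= min_len:
            required = count
    return required


def check_policy(password):
    """Evaluate the tiered policy. Returns (accepted, human-readable reason)."""
    length = len(password)
    required = required_classes(length)
    if required is None:
        return False, f"too short: {length} < {MIN_LENGTH}"
    present = classes_present(password)
    if len(present) < required:
        return False, (f"{length} chars need {required} character classes, "
                       f"found {len(present)}: {sorted(present)}")
    return True, f"ok: {length} chars with classes {sorted(present)}"


def search_space_bits(password):
    """log2 of the brute-force keyspace for a password of this length drawn
    from the union of the classes it actually uses (a deliberately simple
    model: every position is assumed to be chosen uniformly at random)."""
    alphabet = sum(size for name, (_, size) in CLASSES.items()
                   if name in classes_present(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real credentials.
    for candidate in ["abc", "Summer2024", "P@ssw0rdis@s3cr3t!",
                      "abcdefghijklmnopqrst", "the admin magazine is good"]:
        accepted, reason = check_policy(candidate)
        print(f"{candidate!r:32} {accepted!s:5} {reason} "
              f"[{search_space_bits(candidate):.1f} bits]")
```

Running the block shows the NIST point numerically: 12 lowercase-only characters span a larger keyspace (about 56 bits) than eight characters drawn from all four classes (about 53 bits), even though the shorter one "looks" more complex. In a real deployment the tiers would come from the LPP policy rather than a hard-coded table, and the breach-list check would run alongside this structural check.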
The computational effort required to crack a password increases