Password must meet complexity requirements
ID: oval:org.secpod.oval:def:85626 | Date: (C)2022-11-17 (M)2022-12-30
Class: COMPLIANCE | Family: windows
This security setting determines whether passwords must meet complexity requirements.
If this policy is enabled, passwords must meet the following minimum requirements:
* Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
* Be at least six characters in length
* Contain characters from three of the following four categories:
    * English uppercase characters (A through Z)
    * English lowercase characters (a through z)
    * Base 10 digits (0 through 9)
    * Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.
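The following PowerShell function is an added example, not part of the SecPod definition or of Microsoft's Passfilt.dll; it emulates the four rules above so a provisioning or helpdesk script can reject a candidate password before it is submitted and get the same result the policy would produce at change time. The sample account name and display name are constructed, and the delimiter set used to split the full name into parts (comma, period, dash, underscore, space, pound sign, tab) is an assumption taken from Microsoft's description of the default filter.

```powershell
# Added example: emulate the default "Password must meet complexity requirements"
# rule. Not the page's or Microsoft's code; the full-name delimiter set is an assumption.
function Test-PasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$SamAccountName = '',
        [string]$FullName = ''
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    # Rule: at least six characters.
    if ($Password.Length -lt 6) {
        $reasons.Add('shorter than 6 characters')
    }

    # Rule: must not contain the account name. The name is checked as a whole,
    # case-insensitively, and skipped when it is shorter than three characters
    # (a two-character name could never "exceed two consecutive characters").
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains the account name')
    }

    # Rule: must not contain any part of the full name longer than two characters.
    # Assumption: the full name is split on , . - _ space # and tab; tokens of one
    # or two characters (initials) are ignored, substrings of tokens are not checked.
    $tokens = $FullName -split '[,\.\-_ #\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains name part '$t'")
        }
    }

    # Rule: characters from at least three of the four categories on the page.
    # -cmatch is case-sensitive, which matters for the upper/lower classes.
    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }
    if ($Password -cmatch '[a-z]')        { $categories++ }
    if ($Password -match  '[0-9]')        { $categories++ }
    if ($Password -cmatch '[^A-Za-z0-9]') { $categories++ }
    if ($categories -lt 3) {
        $reasons.Add("only $categories of 4 character categories")
    }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed sample input: candidates for a user whose sAMAccountName is
# "jsmith" and whose display name is "Smith, John A." (the "A" part is ignored).
$cases = 'Tr0ub4dor&3', 'password', 'SMITHrocks1', 'jSmith#2024', 'Ab1!x', 'Al!ce-J0hnson'
$cases |
    ForEach-Object { Test-PasswordComplexity -Password $_ -SamAccountName 'jsmith' -FullName 'Smith, John A.' } |
    Format-Table -AutoSize
```

In the sample run, 'Tr0ub4dor&3' and 'Al!ce-J0hnson' pass; 'password' fails on categories, 'Ab1!x' on length, 'SMITHrocks1' on the name part 'Smith', and 'jSmith#2024' on both the account name and the name part. Two caveats: the real filter also accepts other Unicode alphabetic characters as a category beyond the four listed on this page, and, as the sentence above states, it only runs when a password is created or changed, so enabling the setting does not retroactively invalidate weak passwords already stored.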
Default:
Enabled on domain controllers.
Disabled on stand-alone servers.
Note: By default, member computers follow the configuration of their domain controllers.
Counter Measure:
Configure the Passwords must meet complexity requirements setting to Enabled and advise users to use a variety of characters in their passwords.
When combined with a Minimum password length of 8, this policy setting ensures that the number of different possibilities for a single password is so great that it will be difficult (but not impossible) for a brute force attack to succeed. (If the Minimum password length setting is increased, the average amount of time necessary for a successful attack also increases.)
Potential Impact:
If the default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetic characters. However, all users should be able to comply with the complexity requirement with minimal difficulty.
If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper row characters. (Upper row characters are those that require you to hold down the SHIFT key and press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.
Also, the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in unhappy users and an extremely busy help desk. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128-0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)
Fix:
(1) GPO: Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
(2) REG: ###
(3) WMI: root\rsop\computer#RSOP_SecuritySettingBoolean#Setting#KeyName = PasswordComplexity And precedence=1
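The following PowerShell is an added example, not part of the SecPod definition; it audits the setting the way the Fix section describes (the local policy via secedit, and the winning GPO value via the same RSOP_SecuritySettingBoolean query used in the WMI line) and remediates the local policy with secedit /configure. The temporary file names are assumptions, and the remediation only takes hold on a machine that is not receiving a Password Policy from a domain controller.

```powershell
# Added example: audit and remediate "Password must meet complexity requirements".
# Not the page's code; temp file names are assumptions. Run from an elevated prompt.

function Get-PasswordComplexityState {
    [CmdletBinding()]
    param()

    # Method 1: export the local security policy and read PasswordComplexity from
    # the [System Access] section of the INF (1 = Enabled, 0 = Disabled).
    $exportPath = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed scratch path
    secedit /export /cfg $exportPath /areas SECURITYPOLICY | Out-Null
    $hit = Select-String -Path $exportPath -Pattern '^PasswordComplexity\s*=\s*(\d)' |
        Select-Object -First 1
    $localValue = if ($hit) { [int]$hit.Matches[0].Groups[1].Value } else { $null }
    Remove-Item $exportPath -ErrorAction SilentlyContinue

    # Method 2: the RSOP query from the Fix section. The setting that won
    # precedence has precedence=1; GPOID tells you which policy object set it.
    $rsop = Get-CimInstance -Namespace 'root\rsop\computer' `
        -ClassName 'RSOP_SecuritySettingBoolean' `
        -Filter "KeyName='PasswordComplexity' AND precedence=1" `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LocalPolicyEnabled = if ($null -ne $localValue) { $localValue -eq 1 } else { $null }
        RsopEnabled        = if ($rsop) { [bool]$rsop.Setting } else { $null }
        RsopSource         = if ($rsop) { $rsop.GPOID } else { 'no RSOP data (local policy only)' }
        Compliant          = ($localValue -eq 1)
    }
}

function Set-LocalPasswordComplexity {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Disable)

    # Build a minimal security template carrying only the one setting and apply
    # it with secedit /configure. The [Version] signature is required by secedit.
    $value = if ($Disable) { 0 } else { 1 }
    $inf = Join-Path $env:TEMP 'secpol-fix.inf'   # assumed scratch path
    $db  = Join-Path $env:TEMP 'secpol-fix.sdb'   # assumed scratch path
    @"
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = $value
[Version]
signature="`$CHICAGO`$"
Revision=1
"@ | Out-File -FilePath $inf -Encoding unicode

    if ($PSCmdlet.ShouldProcess('Local Security Policy', "set PasswordComplexity=$value")) {
        secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY | Out-Null
    }
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

# Audit, remediate if needed, audit again.
$before = Get-PasswordComplexityState
if (-not $before.Compliant) { Set-LocalPasswordComplexity }
Get-PasswordComplexityState | Format-List
```

On a domain-joined member the RsopEnabled/RsopSource fields show the value inherited from the domain controllers (the Note under Default above); changing the local policy there is overwritten at the next Group Policy refresh, so the durable fix is to set Enabled in the Default Domain Policy GPO at the path in the Fix section, or with Set-ADDefaultDomainPasswordPolicy -ComplexityEnabled $true from the ActiveDirectory module.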
Platform: Microsoft Windows Server 2019