Windows Server Cookbook for Windows Server 2003 and Windows 2000

Recipe 11.7. Requiring Strong Passwords

Problem

You want to enforce the use of strong passwords for user accounts.

Solution

Using a graphical user interface

1. Open the Group Policy Object Editor and target the Default Domain Policy.

2. In the left pane, expand Computer Configuration Windows Settings

   In the right pane, double-click Password must meet complexity requirements.

3. Make sure the box beside Define this policy setting is checked and Enabled is selected.

4. Click OK.

This setting does not have any effect on users' current password. Password complexity is required only after each users' current passwords. For more on how to force users to change their password, see Recipe 6.21 in Active Directory Cookbook (O'Reilly).

Discussion

Most users, if given a choice, pick really simple, easy to remember passwords. No matter how tight the security is on your servers, if an attacker can crack a user's password, it is all for naught. To combat this, you can enable password complexity on the Default Domain GPO to require users to choose a password that meets the following criteria:

• Not contain any part of the user's account name

• Contain at least six characters

• Contain characters from three of the following:

  - Uppercase

  - Lowercase

  - Digits

  - Special character (e.g., %(@!)

By enabling this, you can feel a little better that once a user changes his password, that it won't be something trivial (although passwords such as "Mypassword!" still pass the complexity test).

See Also

MS KB 225230 (Enabling Strong Password Functionality in Windows 2000)