Introduction

Nowadays companies are constantly improving their cybersecurity policies and tools: building SIEM systems, hardening the network perimeter, parsing and inspecting network packets on the fly, monitoring security in real time. Security is becoming automated, and known holes in software are being patched. However, the fundamentals of security should not be forgotten. Password protection remains an open issue, and to this day there are vulnerabilities that stem from poorly designed password policy.

Passwords in 2021

It has long been old news that passwords are being replaced by stronger authentication methods: tokens, keys, biometrics... However, as a rule, these methods protect only the company’s critical infrastructure. Development, test and staging servers, for example, are still protected by passwords. For companies, authorization in the system of interagency electronic interaction and in the unified system of identification and authentication (USIA) relies on a certificate plus a code word (which is the same password).

Outside of large infrastructures, in medium-sized businesses documents and archives are protected by passwords. The small-business segment is no exception: you will rarely see a 1C login with a token. And even the Basic Auth of an initial web server setup remains popular to this day. Microsoft’s statement about FIDO2 and “2021 without passwords” is too loud, considering how often the corporation has to withdraw updates and patches to keep operating systems running. This technology still has to be refined and will have to undergo a stern reality check.

As for private use, there is two-factor authentication, where a person is already physically tied to a phone number or network account, but this mostly makes it easier to change the password and adds a second layer of protection. At the forefront is still the bundle of login and password.

To be quite frank, not all organizations and individuals are keeping up with the times. Operating system usage statistics show that Windows 7, support for which ended back in January 2020, is still popular (just over 20% of all users run it).

The arguments above show that password protection is not dying but is being reinforced with additional functions. It has become a permanent fixture of our lives: no alternative has yet been found that would replace it and retire the technology.

Recommendations from foreign organizations and Microsoft GPOs

Password security has long been an issue for businesses and their cybersecurity standards. Account passwords are often the weakest link in an organization’s overall security. For example, a large number of companies simply use Microsoft’s default password policy. Admittedly, the out-of-the-box Windows configuration is not entirely hopeless. You can compare it with the recommendations of foreign security agencies and see whether your company’s password policy is as well developed as they recommend.

What is a password policy? It is a set of required parameters that users must follow when choosing their account password. Below is the password configuration of the Default Domain Policy GPO in Windows Server 2019 with out-of-the-box values.

Figure 1: Group Password Policy

  • Maximum password age – 42 days.
  • Minimum password age – 1 day.
  • Enforce password history – 24 passwords remembered.
  • Minimum password length – 7 characters.
  • Password must meet complexity requirements – enabled.
  • Store passwords using reversible encryption – disabled.

In turn, the U.S. National Institute of Standards and Technology (NIST) has issued Special Publication 800-63B, “Digital Identity Guidelines: Authentication and Lifecycle Management”, and section 5.1.1 “Memorized Secrets” of that guide already sets 8 characters as the minimum length for a user-chosen password. NIST also insists that the verifier (in practice the system administrator or DevOps engineer, since this should be automated) check a candidate password before accepting it for:

  • Presence in breach corpora and in lists of the most popular passwords, and presence of dictionary words (“angel”, “black”).
  • Typical sequences and repeated characters (“aaa11”, “abcd”).
  • Derivatives of the user name, the service name, the profession, etc. (“buh12”, where “buh” is the Russian shorthand for “accountant”).
  • Any other context-specific values that could easily be guessed.
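The checks in the list above are what a verifier (or a custom password filter) has to implement before a password is accepted. The following is an added example written for this article, not code from NIST or from any of the products named on the page; the breach list, dictionary and context words in it are small constructed samples standing in for a full breach corpus and word list, and the sequence and repeat thresholds (4 and 3 characters) are choices of this example, not numbers from the guide.

```python
"""Screening a candidate password along the lines of NIST SP 800-63B section 5.1.1.

Added example, not from the original article. The breach list, dictionary and
context words are small constructed samples; a real deployment would load a full
breach corpus and word list and run the same checks inside the password filter.
"""
import re
import unicodedata

MIN_LENGTH = 8    # NIST minimum for a subscriber-chosen memorized secret
MAX_LENGTH = 64   # NIST: verifiers SHOULD accept at least 64 characters

# Constructed samples standing in for real data sources.
BREACHED = {"123456", "password", "qwerty123", "letmein", "p@ssw0rd"}
DICTIONARY = {"angel", "black", "dragon", "summer", "monkey", "welcome"}

# Common "leet" substitutions undone before the dictionary check ("bl@ck" -> "black").
LEET = {"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "!": "i"}


def has_sequence(s: str, run: int = 4) -> bool:
    """True if `run` consecutive characters ascend or descend by one ("abcd", "4321")."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        deltas = {b - a for a, b in zip(codes, codes[1:])}
        if deltas == {1} or deltas == {-1}:
            return True
    return False


def has_repeat(s: str, run: int = 3) -> bool:
    """True if some character occurs `run` or more times in a row ("aaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), s) is not None


def context_words(username: str, extra: tuple[str, ...]) -> list[str]:
    """Words that must not appear in the secret: the username, its parts, and extras."""
    words = {username.lower(), *(w.lower() for w in extra)}
    words.update(re.split(r"[^a-z]+", username.lower()))   # "j.smith" -> "j", "smith"
    return sorted(w for w in words if len(w) >= 3)


def screen(secret: str, username: str = "", context: tuple[str, ...] = ()) -> list[str]:
    """Return the reasons a secret is rejected; an empty list means it is accepted."""
    s = unicodedata.normalize("NFKC", secret)   # NIST: normalize before length checks
    low = s.lower()
    reasons = []
    if len(s) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(s) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if low in BREACHED:
        reasons.append("found in breach corpus")
    unleet = "".join(LEET.get(c, c) for c in low)
    # substring match, so "Welcome2021!" and "Bl@ck2021" are both caught
    if any(w in low or w in unleet for w in DICTIONARY):
        reasons.append("dictionary word")
    if has_sequence(s):
        reasons.append("sequential characters")
    if has_repeat(s):
        reasons.append("repeated characters")
    for w in context_words(username, context):
        if w in low:
            reasons.append(f"contains context word '{w}'")
    return reasons


if __name__ == "__main__":
    # constructed sample inputs; "buh" stands for the profession-derived word
    for pw, user in (("aaa11", "ivanov"), ("abcd", "ivanov"), ("Bl@ck2021", "ivanov"),
                     ("Smith2021!", "j.smith"), ("Correct-Horse-Battery", "j.smith")):
        verdict = screen(pw, user, context=("buh", "accounting"))
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The same function body is what a custom password filter would run on every password change; only the data sources (the breach corpus, the organization’s own banned-word list, the user and company names as context) change between deployments.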

As for PINs, NIST allows a minimum of 6 characters (which may be all digits) only for secrets generated by the service rather than chosen by the user; this can serve as a benchmark for the many services that still use 4-digit codes (for example, the default sign-in PIN in Windows 10).

The same guide, in its passage on mandatory password rotation, says that verifiers should not require periodic changes of a memorized secret, but are obliged to force a change if there is evidence that it has been compromised.

Microsoft endorses the NIST guidelines, if only passively. The security baseline for Windows 10 version 1903 and Windows Server version 1903 notes the following: “Recent academic research questions the value of many older password protection methods, such as password expiration policies, and instead points to more effective alternatives, such as enforcing forbidden password lists (Azure AD Password Protection is an excellent example) and multi-factor authentication. While we recommend these alternatives, they cannot be enforced with our recommended basic security configuration settings, which are based on built-in Windows Group Policy settings.”

These Microsoft remarks point to the inadequacies of Active Directory’s group policy capabilities: there is no built-in tool into which you can load a dictionary of passwords banned in the organization. At the same time, Microsoft’s documentation describes how to develop and register a password filter DLL, i.e. you can add your own “password filter”, but you will have to develop or commission one, which raises the cost of protection.

Regarding password length: Microsoft in Windows Server 2019 considers a seven-character minimum sufficient, which meets none of the recommendations one would consult:

  • SANS Institute – 12 characters.
  • NIST – 8 characters.
  • Microsoft TechNet – 14 characters.
  • Microsoft Research – 8 characters.

Protective Measures

The organization’s password protection policy has become a universal document that is required in almost any case where regulators and auditors are on the horizon, and for good reason.

This document should not only be downloaded and read but carefully worked through, and its requirements then applied to production processes. After all, every pentester knows the price of a weak password.

Any pentesting lab that resembles a real organization’s network (Pentestit, for example) never misses an opportunity to show that servers can be broken into by brute-forcing a password.

Hence the task of DevOps (DevSecOps), information security specialists and sysadmins is not to overlook this fact and to prepare properly.

For Microsoft AD you can use third-party software such as Specops Password Auditor, nFront Password Filter, ManageEngine or Anixis. If you are so inclined, as mentioned above, you can register your own password filter alongside the built-in passfilt.dll, either a commercial product or a library you write yourself, as Yelp did. Another option is the online service Pwned Passwords: a large number of projects for various purposes are built on its API. You can also make it part of your password policy to require that a password be checked against this service before it is set.
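The Pwned Passwords range API is designed so that the password itself never leaves the machine: only the first five hex characters of its SHA-1 hash are sent, the service returns every known suffix sharing that prefix, and the comparison happens locally. The following is an added example written for this article, not code from the Pwned Passwords project. The API URL and the Add-Padding request header are the documented ones; the range response used for the offline run is constructed here (the count figures and the two filler suffixes are made up), with only the suffix of “password” computed for real.

```python
"""Checking a password against Pwned Passwords with the k-anonymity range API.

Added example, not from the original article or the Pwned Passwords project.
Only the first 5 hex characters of the SHA-1 are sent; matching is done locally.
"""
import hashlib
import urllib.request
from typing import Callable

API = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the uppercase hex SHA-1: 5 + 35 characters."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padding entries (count 0) are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_online(prefix: str) -> str:
    """Real network fetch of one hash range (not used by the offline demo below)."""
    req = urllib.request.Request(
        API + prefix,
        # Add-Padding makes every response a similar size, so the prefix cannot be
        # inferred from the response length by someone watching the traffic.
        headers={"Add-Padding": "true", "User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """How many times the password was seen in breaches (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def _sample_range(prefix: str) -> str:
    """Constructed offline stand-in for a range response (ignores the prefix).

    The first row carries the real suffix of 'password'; the count and the other
    two rows, including the zero-count padding row, are made up for this example.
    """
    _, pw_suffix = split_hash("password")
    rows = [
        f"{pw_suffix}:3861493",
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # padding entry
    ]
    return "\r\n".join(rows) + "\r\n"


if __name__ == "__main__":
    for candidate in ("password", "Correct-Horse-Battery"):   # constructed inputs
        n = breach_count(candidate, fetch_range=_sample_range)
        print(f"{candidate!r}: {'seen %d times' % n if n else 'not found'}")
```

To run it against the live service, call `breach_count("...")` without the `fetch_range` argument; for a password change hook, reject any candidate with a non-zero count, and treat a network failure as a policy decision (fail closed or fall back to the local checks) rather than silently accepting the password.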

Hardware and software configuration plays a big role in cybersecurity. Don’t assume that everything has already been set up for you; the rule of thumb should be “the default is insecure”. Microsoft’s GPO configuration is not the only one that is lame on that leg. Any combination of a login and a complex password is more secure than a 4-digit PIN sent to a phone that can be entered an unlimited number of times, as was once the case on Cisco ASA.

Real-time assessment of what is going on will also benefit any administrator. Twenty years ago a simple 4 to 6 character password was enough; today at least 8 characters in mixed case with additional symbols is the norm. The world has become more dynamic, and it needs to adapt faster and faster.

Every security system should be configured to be as hard to break as possible. This rule applies to passwords too.

Conclusions

From the above we can conclude that password protection was and still is necessary. Its “death” is out of the question for now. There is a reason the recommendations specify criteria for setting passwords and testing them “for strength”.

It is also worth noting that Microsoft, whose software underlies many enterprise information systems worldwide, is betting heavily on FIDO and on abandoning passwords in favor of other protections.
