May 20, 2012, 6:00 PM — Both modern Windows systems (e.g., Windows Server 2008 and 2008 R2) and Active Directory, like Linux and Solaris systems, allow you to configure password policies that determine how long and complex your users' passwords must be, providing a first line of defense for your systems. If your Unix systems authenticate to AD, then this is the place to specify all of your password requirements. If Active Directory is only one of many places where password policies are configured, it's still a good idea to ensure that good passwords are used. Having similar complexity standards across the enterprise is a good strategy, as it reinforces the importance of good passwords in keeping your systems secure.
Windows and Active Directory allow you to specify a number of parameters to enforce password security. The default values are listed in the table below.
Policy Setting                                         Default Setting Value
=====================================================  =======================
Enforce password history                               24 passwords remembered
Maximum password age                                   42 days
Minimum password age                                   1 day
Minimum password length                                7
Password must meet complexity requirements             Enabled
Store passwords using reversible encryption            Disabled
Account lockout duration                               Not defined
Account lockout threshold                              0
Reset account lockout counter after                    Not defined
Enforce user logon restrictions                        Enabled
Maximum lifetime for service ticket                    600 minutes
Maximum lifetime for user ticket                       10 hours
Maximum lifetime for user ticket renewal               7 days
Maximum tolerance for computer clock synchronization   5 minutes
Password history -- how many passwords will be remembered by the system. Using the default, none of the previous 24 passwords can be reused when a user changes his or her password.
Maximum password age -- how long a password can be used before it must be changed. If changed, this is typically set to something like 90 days. This would mean that your passwords must be changed every few months.
Minimum password age -- how long your users must wait before they can change a password again. If your users could change their passwords immediately and the system only remembered a few of the previous passwords, it would be easy for them to resurrect their current passwords, essentially using the same password forever. If you force them to use each new password for some number of days, the likelihood that they will return to using the original password is slim. If the wait were two days and ten passwords were remembered, it would take 20 days to get back to the original password. By that time, even the cleverest of passwords will probably have lost its appeal.
The drawback of minimum password age policies is that your users won't be able to change their passwords right away even if they believe the passwords have been compromised.
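The interplay between password history and minimum password age is easy to get wrong when the settings are reviewed one at a time. The following audit script is an added example, not code from the original article or from Microsoft. It encodes the table's default values in a small data class, computes the "days until a user can cycle back to an old password" figure from the reasoning above (history count multiplied by minimum age), and flags the settings a defender would want to look at. The `PasswordPolicy` field names and the audit rules are this example's own assumptions; the hardened and weak sample policies at the bottom are constructed for illustration.

```python
"""Audit a Windows/AD password policy for the weaknesses discussed above.

Added example, not from the original article. DEFAULTS holds the values
from the article's table; the audit rules encode the article's reasoning
(history x minimum age = days before a password can be recycled) plus
the standard meaning of a 0 value for each setting.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class PasswordPolicy:
    history_count: int          # passwords remembered (0 = none remembered)
    max_age_days: int           # 0 = password never expires
    min_age_days: int           # 0 = may be changed again immediately
    min_length: int             # minimum characters
    complexity_enabled: bool    # "must meet complexity requirements"
    reversible_encryption: bool  # "store passwords using reversible encryption"
    lockout_threshold: int      # failed attempts before lockout (0 = never lock)


# Default values taken from the article's table.
DEFAULTS = PasswordPolicy(
    history_count=24,
    max_age_days=42,
    min_age_days=1,
    min_length=7,
    complexity_enabled=True,
    reversible_encryption=False,
    lockout_threshold=0,
)


def days_until_reuse(history_count: int, min_age_days: int) -> int:
    """Minimum days before a user can rotate back to the current password.

    The user must push history_count new passwords through the history,
    and each change has to wait min_age_days. With no minimum age the
    whole cycle can be run in one sitting, so the result is 0.
    """
    return history_count * min_age_days


def audit(policy: PasswordPolicy) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    if policy.history_count == 0:
        findings.append("history: no passwords remembered, old passwords can be reused at once")
    elif policy.min_age_days == 0:
        findings.append(
            "min-age: 0 days lets users cycle through all %d remembered passwords "
            "and return to the original in one sitting" % policy.history_count
        )
    if policy.max_age_days == 0:
        findings.append("max-age: 0 means passwords never expire")
    if policy.min_length < DEFAULTS.min_length:
        findings.append(
            "min-length: %d is below the Windows default of %d"
            % (policy.min_length, DEFAULTS.min_length)
        )
    if not policy.complexity_enabled:
        findings.append("complexity: requirement disabled")
    if policy.reversible_encryption:
        findings.append("reversible-encryption: enabled, stored passwords are recoverable")
    if policy.lockout_threshold == 0:
        findings.append("lockout: threshold 0 means accounts never lock after failed logons")
    return findings


if __name__ == "__main__":
    # Constructed sample policies for illustration.
    hardened = PasswordPolicy(24, 90, 2, 12, True, False, 10)
    weak = PasswordPolicy(0, 0, 0, 4, False, True, 0)
    for name, pol in (("defaults", DEFAULTS), ("hardened", hardened), ("weak", weak)):
        print(name, "-> reuse possible after",
              days_until_reuse(pol.history_count, pol.min_age_days), "days")
        for f in audit(pol):
            print("   ", f)
```

Run against the table's defaults the only finding is the lockout threshold of 0; the two-day wait with ten remembered passwords from the text comes out at 20 days, and setting the minimum age to 0 collapses that to 0 days whatever the history count. The script deliberately does not grade the absolute size of the reuse interval, since the article treats 20 days as sufficient and any stricter cutoff would be an invented threshold.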