Password Policy

In this lesson, we will study good password policies to have in place.

Require long passwords

It’s a good idea to set a Windows policy that requires a long password for domain accounts. There are two main reasons for this. The first is the math of cracking passwords given an NTLM password hash. In contrast to the recommended password hashing algorithms that we saw in Password Storage Done Right (bcrypt, scrypt, Argon2, and PBKDF2), the NTLM password hashing algorithm has no work factor. This means that an attacker who gets access to an NTLM password hash can attempt to brute-force it at a huge number of guesses per second. The NTLM algorithm is not going away any time soon, so our remaining defense against this attack is to use a longer password.

Another benefit from longer passwords relates to password storage from a long time ago. Before NTLM, Windows used a password hashing algorithm called LM. LM hashing hasn’t aged well and is quite susceptible to brute-forcing. Because of this, exposing an LM hash to an attacker (via Mimikatz, for example) should be considered equivalent to exposing a password to an ...