1.1.4 Ensure 'Minimum password length' is set to '14 or more characters'

Information

This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps 'passphrase' is a better term than 'password.' In Microsoft Windows 2000 and newer, passphrases can be quite long and can include spaces. Therefore, a phrase such as 'I want to drink a $5 milkshake' is a valid passphrase; it is a considerably stronger password than an 8- or 10-character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters; however, you should adjust this value to meet your organization's business requirements.

Note: All recommendations in Section 1.1 (Password Policy) are only applied to Local and Microsoft accounts and not Domain accounts. For more information, please see the references section below.

The recommended state for this setting is: 14 or more characters.

Rationale:

Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Attackers also try to obtain the account database (for example, the SAM or NTDS.dit) so they can crack the stored password hashes offline, where the guess rate is limited only by their hardware rather than by account lockout. A longer minimum length raises the cost of both online guessing and offline cracking.

Impact:

Requirements for extremely long passwords can actually decrease the security of an organization, because users might write passwords down and leave them in an insecure location, or forget them. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.

Warning: If Windows Hello for Business is used, an exception to this recommendation might be needed as a PIN length of 14 could be considered unrealistic.

Warning: Windows Autopilot - Policy Conflicts: The out-of-box experience (OOBE) or user desktop auto logon can fail when a device reboots during the device Enrollment Status Page (ESP). This failure can occur when certain DeviceLock policies are applied to a device. An exception to this recommendation might be needed if Windows Autopilot is used.

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Required and 14 or more characters:
To access the Device Configuration Policy from the Intune Home page:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Device restrictions)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Device restrictions/Password
Setting Name: Password
Configuration: Required

AND

Path: Device restrictions/Password
Setting Name: Minimum password length
Configuration: 14

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created via a Custom Configuration Profile using the following OMA-URI:

./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength

Note #3: This setting can also be created via the Settings Catalog via the following path:

Device Lock\Device Password Enabled\Min Device Password Length
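The following PowerShell is an added example and is not part of the CIS benchmark or the Tenable audit text. It does two things a practitioner usually wants alongside the steps above: it audits the minimum password length actually in effect on a device (whatever source currently wins, Intune, GPO or a local edit) by exporting the local security policy with secedit, and it builds the Microsoft Graph request body for the Custom Configuration Profile described in Note #2, using the OMA-URI ./Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength. The profile display name and description are hypothetical, the body is built but not sent, and only the length setting is created here; the "Password: Required" setting still comes from the Device restrictions template.

```powershell
#Requires -RunAsAdministrator
# Added example; not from the CIS benchmark or the Tenable audit.
# Assumes secedit.exe is present (it ships with every supported Windows build)
# and that the caller runs elevated so the export succeeds.

function Get-EffectiveMinimumPasswordLength {
    # secedit exports the applied local security policy as an INI-style file;
    # the [System Access] section carries MinimumPasswordLength. This reports
    # the effective value on the device, regardless of which policy set it.
    $cfg = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        secedit.exe /export /cfg $cfg /quiet | Out-Null
        $content = Get-Content -Path $cfg -Raw
        if ($content -match '(?m)^\s*MinimumPasswordLength\s*=\s*(\d+)') {
            return [int]$Matches[1]
        }
        throw "MinimumPasswordLength not present in secedit export"
    }
    finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

function Test-MinimumPasswordLengthCompliance {
    # Compares the effective value against the benchmark threshold (14).
    param([int]$Required = 14)
    $actual = Get-EffectiveMinimumPasswordLength
    [pscustomobject]@{
        Control   = '1.1.4 Minimum password length'
        Required  = $Required
        Actual    = $actual
        Compliant = ($actual -ge $Required)
    }
}

function New-MinDevicePasswordLengthProfileBody {
    # Builds the JSON body for
    #   POST https://graph.microsoft.com/v1.0/deviceManagement/deviceConfigurations
    # as a windows10CustomConfiguration carrying one integer OMA setting.
    param([int]$MinimumLength = 14)
    $body = @{
        '@odata.type' = '#microsoft.graph.windows10CustomConfiguration'
        displayName   = 'CIS 1.1.4 - Minimum password length'   # hypothetical name
        description   = 'Sets DeviceLock/MinDevicePasswordLength via OMA-URI'
        omaSettings   = @(
            @{
                '@odata.type' = '#microsoft.graph.omaSettingInteger'
                displayName   = 'MinDevicePasswordLength'
                omaUri        = './Device/Vendor/MSFT/Policy/Config/DeviceLock/MinDevicePasswordLength'
                value         = $MinimumLength
            }
        )
    }
    $body | ConvertTo-Json -Depth 5
}

# Usage: audit the local device, then print the profile body for review.
Test-MinimumPasswordLengthCompliance | Format-List
New-MinDevicePasswordLengthProfileBody
```

The generated body can be submitted with Invoke-MgGraphRequest -Method POST after Connect-MgGraph with the DeviceManagementConfiguration.ReadWrite.All scope; review it first, since a custom profile assigned broadly is exactly the kind of DeviceLock policy the Autopilot warning above refers to. Note that the audit function reports the password policy only: on a device where users sign in with a Windows Hello for Business PIN, the PIN length is governed by a separate policy and is not reflected in this value.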

Default Value:

7 characters on domain members. 0 characters on stand-alone servers.

See Also

https://workbench.cisecurity.org/benchmarks/14355

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4, CSCv7|16.2

Plugin: Windows

Control ID: 3c2e805e3e5aecd9ae923c4d6291973a4f34d9078be96fc28a16ec768c968e26