1.1.5 Ensure 'Password must meet complexity requirements' is set to 'Numbers and lowercase'

Information

This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords.

When this policy is enabled, passwords must meet the following minimum requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters

Be at least eight characters in length

Contain characters from the following categories:

English lowercase characters (a through z)

Base 10 digits (0 through 9)
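The requirements listed above can be expressed as a pre-check, shown here as an added example that is not part of the benchmark or of Windows itself. The sample user, the candidate passwords and the delimiter set used to split the full name are assumptions; the name handling approximates the documented Windows behaviour, where only name parts longer than two characters are compared.

```python
import re

# Delimiters used to split the full name into tokens (assumption, modelled on
# the documented behaviour of the Windows complexity policy).
NAME_DELIMITERS = r"[,.\-_ #\t]+"
MIN_LENGTH = 8  # "Be at least eight characters in length"


def check_password(password, account_name, full_name):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.casefold()

    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no English lowercase character (a-z)")
    if not re.search(r"[0-9]", password):
        problems.append("no base 10 digit (0-9)")

    # Account name: compared as a whole, ignored when shorter than 3 characters.
    if len(account_name) > 2 and account_name.casefold() in lowered:
        problems.append("contains the account name")

    # Full name: each token longer than two characters must not appear.
    for token in re.split(NAME_DELIMITERS, full_name):
        if len(token) > 2 and token.casefold() in lowered:
            problems.append(f"contains name part '{token}'")

    return problems


# Constructed sample user and candidate passwords.
if __name__ == "__main__":
    samples = ["summer24", "jdoe2024x", "Doe-rules-99", "river7stone", "ALLUPPER123"]
    for candidate in samples:
        result = check_password(candidate, "jdoe", "Jane Q. Doe")
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

A password such as `summer24` passes every rule here, which shows that the policy sets a floor on character classes and length but does not screen for common or guessable passwords.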

Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 26^7 (approximately 8 x 10^9 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 52^7 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 62^7 combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as '!' or '@'. Proper use of the password settings can help make it difficult to mount a brute force attack.

Note: The enforcement of policies for Microsoft accounts happens on the server, and the server requires a password length of 8 and a complexity of 2. A complexity value of 3 or 4 is unsupported.

The recommended state for this setting is: Numbers and lowercase.

Rationale:

Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools.

Impact:

If the default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetic characters. However, all users should be able to comply with the complexity requirement with minimal difficulty.

If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper row characters. (Upper row characters are those that require you to hold down the SHIFT key and press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.

Also, the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in unhappy users and an extremely busy help desk. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 0128 - 0159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)

Solution

To establish the recommended configuration, set the following Device Configuration Policy to Numbers and lowercase:

Click Devices

Click Configuration profiles

Click Create profile

Select the platform (Windows 10 and later)

Select the profile (Device restrictions)

Click Create

Enter a Name

Click Next

Configure the following Setting

Path: Device restrictions/Password
Setting Name: Password
Configuration: Required

AND

Path: Device restrictions/Password
Setting Name: Password complexity
Configuration: Numbers and lowercase letters are required

Select OK

Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)

Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.

Note #2: This setting can also be created in the Settings Catalog using the following path:

Device Lock\Device Password Enabled\Alphanumeric Device Password Required

Default Value:

Enabled on domain members. Disabled on stand-alone workstations.

See Also

https://workbench.cisecurity.org/benchmarks/14664

Item Details

Category: IDENTIFICATION AND AUTHENTICATION

References: 800-53|IA-5(1), CSCv7|4.4, CSCv7|16.2

Plugin: Windows

Control ID: d7ec8aed8a3c7706770c136dba875dfa372a1117cd654a735e041c559cf7d472