Hey there! I'm trying to set the 'Minimum Password Length' to 16 characters in the Default Domain Policy. However, it looks like the Group Policy Management editor only allows me to set it to a maximum of 14 characters. I've stumbled upon a few potential solutions, one being using a PowerShell command like `Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.tld" -MinPasswordLength 14`. Another suggestion was to create Fine-Grained Password Policies. I'd love to know the best way to confidently set the Minimum Password Length to 16. Thanks!
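The two routes mentioned in the question (the `Set-ADDefaultDomainPasswordPolicy` cmdlet and a Fine-Grained Password Policy) put together as one script, with a read-back check for each. This is an added example, not code from the thread or from Microsoft; the domain name `corp.example`, the pilot group `LongPassword-Users`, the test user `jdoe` and the PSO name `PSO-MinLength16` are placeholders, and the script assumes the RSAT ActiveDirectory module and domain-admin rights.

```powershell
# Added example (not from the original thread). Assumed placeholders:
#   corp.example         = your AD DNS domain name
#   LongPassword-Users   = an existing global security group used as a pilot
#   jdoe                 = a test user who is a member of that group
# Requires the ActiveDirectory module (RSAT) and Domain Admin rights.
Import-Module ActiveDirectory

$Domain = 'corp.example'

# 1. Record the current domain-wide policy before changing anything.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
"Before: MinPasswordLength = $($before.MinPasswordLength)"

# 2. Option A: raise the domain-wide minimum directly on the domain object.
#    -WhatIf shows the change without applying it; drop it to apply for real.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain -MinPasswordLength 16 -WhatIf

# 3. Option B: a Fine-Grained Password Policy (PSO) scoped to a group,
#    which lets you pilot 16 characters with one group before going domain-wide.
$psoName = 'PSO-MinLength16'
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 16 `
        -ComplexityEnabled $true `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '365.00:00:00' `
        -LockoutThreshold 10 `
        -LockoutDuration '00:15:00' `
        -LockoutObservationWindow '00:15:00' `
        -ReversibleEncryptionEnabled $false `
        -ProtectedFromAccidentalDeletion $true
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'LongPassword-Users'

# 4. Verify what actually applies to a member of the pilot group.
#    The cmdlet returns the winning PSO, or nothing if no PSO applies and the
#    Default Domain Policy governs the account.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'jdoe'
if ($null -eq $effective) {
    "jdoe: no PSO applies; Default Domain Policy is in effect"
} else {
    "jdoe: PSO '$($effective.Name)' applies, MinPasswordLength = $($effective.MinPasswordLength)"
}

# 5. Re-read the domain-wide value after the next Group Policy refresh on the
#    PDC emulator to confirm the change persisted rather than being reapplied
#    from the GPO.
"After: MinPasswordLength = $((Get-ADDefaultDomainPasswordPolicy -Identity $Domain).MinPasswordLength)"
```

The PSO route is the safer first step: it is scoped to one group, has an explicit precedence, and `Get-ADUserResultantPasswordPolicy` tells you exactly which policy a given account ends up with, so you can confirm the 16-character minimum is in force before widening the scope.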
5 Answers
I found a good resource that explains the challenges with the Minimum Password Length settings. The link goes over the nuances between Default Domain Policy and AD policies, which might help you understand your options better: https://4sysops.com/archives/minimum-password-length-default-domain-policy-versus-set-addefaultdomainpasswordpolicy/.
I'm in your camp for going to 16 characters. With the new NIST guidelines for non-MFA accounts, it’s becoming more necessary. Just make sure your users understand the concept of passphrases before implementing it!
Just a heads up, raising the password length might cause users to create workarounds, which could hurt security. Instead of stressing them out with long passwords, maybe consider a solution like DUO with reasonable lengths instead. It's often better to keep it simple and secure!
I'm not sure if the command really lets you set more than 14. Have you actually tried using the Group Policy Editor? Just keep in mind that while 14 is already high, 16 might still feel too demanding for some users.
Setting it to 16 characters is a solid plan! Keep in mind that for Windows, anything longer than 14 is actually effective since NTLM hashes passwords in 14-character blocks. Just remember that anything beyond that can help in generating a stronger hash, which is crucial since many password tables are pre-cracked.
Exactly! Encouraging users to use 'passphrases' can help ease frustration while maintaining security. Also, consider shifting to Windows Hello for Business for even better management.

I hear you! Switching to the idea of 'passphrases' instead of traditional passwords can make a big difference. Something like 'PurpleFartingUnicorn27' is easier to remember and still secure!