The more they overthink the plumbing…

Password Complexity in Active Directory

Password complexity seems to be an often misunderstood aspect of password security in a Windows Active Directory environment. To be sure, Microsoft itself has at times been vague about how complex passwords are defined, and many websites and books (even from authors that represent Microsoft) are filled with erroneous or unclear information. Even Microsoft’s own TechNet article on the subject, which I presume to be authoritative, muddies the waters by allowing community comments that are flatly contradictory to the article’s text. In light of the confusion, I am going to reiterate what Microsoft says in the above link, but I’m going to try to make it very clear.

1. Complex passwords cannot contain any token of at least three characters from the user’s Account Name (samAccountName attribute) or the user’s Full Name (displayName attribute).

Perhaps you can see why this is a little confusing. Let’s break it down.

  • The user’s Account Name is parsed for delimiters such as periods, commas, hyphens, and spaces. Any characters that fall between delimiters are broken out into separate tokens. If a token is fewer than three characters long it is ignored. These checks are not case sensitive. For example, if the user’s Account Name is d.wartick, the password cannot contain the string “wartick” in any case anywhere within. The single “d” is ignored because it doesn’t result in a token of at least three characters. If the user’s entire Account Name is fewer than three characters long this check is skipped.
  • The user’s Full Name is parsed for delimiters and tokenized; tokens smaller than three characters are ignored. For example, if the user’s Full Name is Dan G. Wartick the resulting tokens will be the strings “dan” and “wartick”. The password cannot contain these strings in any case anywhere within. The middle initial is ignored because it has fewer than three characters.
  • One frequently recurring piece of ambiguity is that the password cannot contain any part of the user’s Full Name that is at least three characters long. This statement is true only if you understand “part” to mean “token” and you know what a token is. It is not true that any three consecutive characters from the Account Name or Full Name are off limits. For example, our user Dan Wartick could have a password that included the string “arti” or “war”, but not one that included “dan”. Only the entire token is tested (if it is long enough), not every grouping of three or more characters, as is implied in the above statement.

2. Complex passwords must contain characters from three of the five following categories:

  • Uppercase characters [A-Z]
  • Lowercase characters [a-z]
  • Numeral digits [0-9]
  • Non-alphanumeric characters (e.g.: @, ^, ?, -, &c.)
  • Unicode characters from other character sets (e.g.: ポ, タ, メ, &c.)

The second common fallacy that is practically ubiquitous on the Internet is that there are four character categories from which complex passwords may be drawn. Microsoft says there are five, and includes non-ASCII Unicode character sets within that list. Therefore, the password moチメボ26 would be perfectly valid. While Microsoft has, itself, perpetuated this belief in the past, they have recently set about clarifying this in older TechNet articles. However, if you don’t own an exotic keyboard, it probably doesn’t mean much to you anyway.

3. Complex passwords have no minimum length.

It’s often falsely stated that complex passwords have some required length of seven or eight characters. Password length is defined by the Minimum Password Length policy and has nothing to do with complexity. By default, the domain password policy requires a minimum of seven characters in a password and that passwords be complex, but these are separate configurations.
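
The three rules above, written out as a checker. This is an added example, not Microsoft's code or anything from the linked article. It assumes only the four delimiters the page names, treats the categories as the ASCII ranges the page writes, and counts every non-ASCII character as the fifth category; the function names are made up for illustration.

```python
import re

# Assumption: the page names periods, commas, hyphens and spaces ("such as"),
# so only those four delimiters are used here.
DELIMITERS = re.compile(r"[.,\- ]+")
MIN_TOKEN = 3

def name_tokens(name):
    """Split on delimiters; keep lower-cased tokens of three or more characters."""
    return {t.lower() for t in DELIMITERS.split(name) if len(t) >= MIN_TOKEN}

def forbidden_tokens(account_name, full_name):
    """Tokens a password may not contain, per rule 1 as the page states it."""
    tokens = name_tokens(full_name)
    if len(account_name) >= MIN_TOKEN:  # check skipped for very short Account Names
        tokens |= name_tokens(account_name)
    return sorted(tokens)

def categories(password):
    """Character categories present (rule 2). Assumption: ASCII ranges as the page
    writes them; every non-ASCII character counts as the fifth category."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ord(ch) < 128:
            found.add("symbol")
        else:
            found.add("other-unicode")
    return found

def check(password, account_name, full_name):
    lowered = password.lower()  # the name check is not case sensitive
    hits = [t for t in forbidden_tokens(account_name, full_name) if t in lowered]
    cats = categories(password)
    # Rule 3: length is not part of the complexity test, so none is enforced here.
    return {"name_tokens": hits, "categories": sorted(cats),
            "complex": not hits and len(cats) >= 3}

if __name__ == "__main__":
    # Constructed sample passwords for the page's user d.wartick / Dan G. Wartick.
    for pw in ["Xarti-war9", "MyWARTICK#1", "sedan99X", "moチメボ26", "Ab1"]:
        print(pw, check(pw, "d.wartick", "Dan G. Wartick"))
```

The first sample passes even though it contains “arti” and “war”, because only whole tokens are tested; the three-character “Ab1” passes because length is enforced by a separate policy.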

Why This Matters

Complex passwords are much less susceptible to brute-force attacks than simple passwords. Running the numbers through the computational engine at WolframAlpha we can see that, assuming a brute-force attempt of 100,000 passwords per second, it will take a while to hit upon the right combination of characters in a complex password.


Since longer, more complex passwords are more difficult to discover, a solid password policy can go far in helping to secure network resources in an Active Directory domain. As you can see in the above table, Microsoft’s default password settings are a reasonable starting point for such a policy.

Be seeing you.
