### Did you know...
That Active Directory's [password policy](https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994562(v=ws.11)#reference) doesn't enforce four out of four character varieties?
> The password must contain characters from three of the following categories:
> - Uppercase letters of European languages (A through Z, including diacritic marks, Greek, and Cyrillic characters)
> - Lowercase letters of European languages (a through z, sharp-s, including diacritic marks, Greek, and Cyrillic characters)
> - Base 10 digits (0 through 9)
> - Non-alphanumeric characters: !@#$%^&*_-+=\|(){}[]:;"'<>,.?/~
> - Any Unicode character categorized as alphabetic but not uppercase or lowercase, including characters from Asian languages.
_Note: The 3-of-4 rule is hard-coded in the built-in complexity filter of every current on-premises Active Directory version (Windows Server 2016 through 2025). The domain policy and fine-grained password policies expose complexity only as an on/off flag, so there is no setting that raises it to 4-of-4. Microsoft's own Password Protection for Windows Server AD requires an Entra ID (Azure AD) tenant plus its proxy service, and even then it adds banned-word checks rather than changing the category rule. For pure on-prem deployments, the legacy 3/4 rule remains the ceiling unless a custom or third-party password filter is installed._
### Password Policies
Combined with a sensible minimum length, a 3-of-4 rule isn't inherently bad. On its own, though, it is weak, and relying on it is not recommended.
In practice, this means passwords like `Password!` (upper, lower, special) or `password123!` (lower, digit, special) are accepted.
`Password123!` would still pass even if all four categories were enforced, but that's a topic for another time.
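To make the rule concrete, here is a small Python model of the documented complexity check. It is an added example, not Microsoft's filter code and not code from this post: it counts the five documented categories, applies the documented samAccountName and displayName-token checks, and exposes a `min_categories` knob that AD itself does not have, so you can see which of the passwords above survive 3-of-4 versus a hypothetical 4-of-4. The account `psmith` / `Pat Smith` and the minimum length of 8 are assumptions.

```python
import re

# Microsoft's documented non-alphanumeric category, copied from the quoted list.
SPECIALS = set('!@#$%^&*_-+=\\|(){}[]:;"\'<>,.?/~')
# Delimiters the documented filter uses to split displayName into tokens.
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def char_categories(password: str) -> set:
    """Return which of the five documented categories the password contains."""
    cats = set()
    for ch in password:
        if ch.isupper():
            cats.add("upper")
        elif ch.islower():
            cats.add("lower")
        elif "0" <= ch <= "9":
            cats.add("digit")
        elif ch in SPECIALS:
            cats.add("special")
        elif ch.isalpha():  # alphabetic but neither case, e.g. CJK characters
            cats.add("other_alpha")
    return cats


def contains_name_token(password, sam_account_name, display_name) -> bool:
    """Documented rule: the password may not contain the samAccountName (if it is
    at least three characters) or any displayName token longer than two characters."""
    pw = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in pw:
        return True
    return any(len(tok) > 2 and tok.lower() in pw for tok in NAME_DELIMITERS.split(display_name))


def meets_ad_complexity(password, sam_account_name="", display_name="",
                        min_length=8, min_categories=3) -> tuple:
    """(passes, reason). min_categories=3 is what AD hard-codes; 4 is the policy
    the page wishes it could set. min_length is a separate GPO setting (8 assumed here)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if contains_name_token(password, sam_account_name, display_name):
        return False, "contains the account name or a display-name token"
    cats = char_categories(password)
    if len(cats) < min_categories:
        return False, f"only {len(cats)} of {min_categories} categories: {sorted(cats)}"
    return True, f"{len(cats)} categories: {sorted(cats)}"


if __name__ == "__main__":
    # Constructed account: samAccountName "psmith", displayName "Pat Smith".
    for pw in ["Password!", "password123!", "Password123!", "password123",
               "Smith2024!", "1Guitar#6Strings#DroppedC"]:
        ad_ok, why = meets_ad_complexity(pw, "psmith", "Pat Smith")
        four_ok, _ = meets_ad_complexity(pw, "psmith", "Pat Smith", min_categories=4)
        print(f"{pw:26} AD 3-of-4: {str(ad_ok):5} hypothetical 4-of-4: {str(four_ok):5} ({why})")
```

Run it and `Password!` and `password123!` pass the AD check but fail the 4-of-4 variant, `Password123!` passes both, and `Smith2024!` is rejected by the name-token rule regardless of categories.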
Most users tend to prefer shorter passwords that barely meet the requirements in order to avoid the hassle of creating longer, more complex ones.
[xkcd](https://xkcd.com/936/) nailed it: we've forced users to use short, complex passwords that are difficult to remember but easy for computers to crack.
There’s an ongoing debate about whether short, complex passwords are better than their longer, simpler counterparts. The answer likely lies somewhere in between.
A longer, memorable password with some complexity works best. For example: `1Guitar#6Strings#DroppedC`
The main issue remains: Active Directory, in its current state, doesn't let you require more than three out of four character categories.
### Third Party Solutions
* **PAID** - [Specops Password Policy](https://specopssoft.com/product/specops-password-policy/) replaces Active Directory's native complexity check with rules that administrators define through Group Policy.
It offers features like checking compromised passwords, banning certain words based on word lists or regex, and automating notifications when passwords are compromised.
* **Open Source** - [Lithnet Password Protection](https://lithnet.io/products/password-protection) is similar to Specops Password Policy, but lacks some advanced features.
Lithnet checks for compromised passwords against a locally stored copy of the [Have I Been Pwned](https://haveibeenpwned.com) hash list, so no password leaves the domain controller, and allows you to add custom word lists. It also supports regex-based banned word checks and provides a PowerShell module for automation.
**Note:** I am not affiliated with any of these companies.
### That's it?
Definitely not!
This 3-out-of-4 rule isn't just a quirk; it's a weakness attackers count on. It nudges users into patterns that modern hash-cracking tools exhaust in seconds.
If an attacker exfiltrates your `NTDS.dit` (plus the `SYSTEM` hive, whose boot key is needed to decrypt it) and runs `Hashcat` against the NT hashes (mode 1000: unsalted MD4 of the UTF-16LE password, so every guess costs one cheap hash and identical passwords produce identical hashes):
* **The 3/4 Trap:** `Password!` satisfies the current policy (3 categories). Cracks in < 1 second. This is the expected weakness.
* **The False Security Trap:** `Password1234!` satisfies a hypothetical 4-out-of-4 policy. Still cracks in < 5 seconds. Admins might say "we enforced complexity correctly!" But the password is still pattern-based, short, and predictable.
**The policy guarantees compliance, not security.** A password can check every box and still be trivially broken. Complexity rules without length requirements are theater. To actually raise the cost of offline cracking, you need both entropy and length; neither is optional.
### What can we do?
To improve password hygiene and assess vulnerabilities, you can perform your own password audits.
* ___Password Cracking___:
* [NetExec](https://www.netexec.wiki/) can dump the NT hashes from a domain controller (`--ntds`). This needs Domain Admin-equivalent rights and works by DCSync-style replication or, with `--ntds vss`, a volume shadow copy of `NTDS.dit`, the same techniques an attacker would use, so it will trip any detection you have for them; coordinate the audit with whoever watches the logs.
* [Hashcat](https://hashcat.net/hashcat/) (`-m 1000` for NT hashes) with a [wordlist](https://www.weakpass.com) and [hashcat rules](https://github.com/stealthsploit/OneRuleToRuleThemStill) for password cracking.
* By analyzing cracked passwords, identify useful patterns—such as whether users include their organization's name or local sports teams—and cross-reference them against known leaked credential databases.
* ___Specops___: offers a free, read-only [audit tool](https://specopssoft.com/product/specops-password-auditor/) to check for weak, reused, or compromised passwords.
* ___Password Lockout___: Configure moderate lockout thresholds (e.g., 5 attempts / 15 min) to blunt brute force without causing denial-of-service via lockout storms. Lockout alone does not detect password spraying, though: a sprayer tries one password against many accounts precisely to stay under the threshold, so watch for failed logons (Event ID 4625) against many distinct accounts from one source, alongside lockouts (Event ID 4740).
* ___Educate___: users on proper password hygiene, including the importance of not reusing passwords. Help them help us by clarifying IT policies and offering guidance.
* ___Defense in Depth___: Layers upon layers of security. Implement 2FA, use password managers, perform regular audits and so on.
* ___Be Patient and Supportive___: Some users may not have the same technical expertise, but scolding them won't help. A patient and supportive approach fosters better results.
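The cracking walk-through under "That's it?" and the audit steps in this section describe one workflow; the following Python is an added example of it in miniature, not code from this post, NetExec or Hashcat. It implements NTLM (MD4 over the UTF-16LE password, no salt) in pure Python because OpenSSL 3 ships MD4 only in its legacy provider, interprets a handful of Hashcat-style rules (`:`, `l`, `u`, `c`, `$X`, `^X`), runs them over a tiny wordlist, and matches the results against a constructed `secretsdump`-format dump whose NT hashes are computed right here rather than taken from any real `NTDS.dit`. The user names, the organisation term `contoso`, the wordlist and the rules are all invented.

```python
import hashlib
import re
import struct
from collections import Counter, defaultdict


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4. Uses hashlib when the build still offers md4, otherwise a
    pure-Python implementation (OpenSSL 3 moved MD4 to the legacy provider)."""
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        pass
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, shifts[i % 4])
                a, b, c, d = d, a, b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def ntlm(password: str) -> str:
    """NT hash as Hashcat mode 1000 sees it: MD4 of UTF-16LE, no salt, no stretching."""
    return md4(password.encode("utf-16-le")).hex()


SIMPLE_OPS = {":": lambda w: w, "l": str.lower, "u": str.upper,
              "c": lambda w: w[:1].upper() + w[1:].lower()}


def apply_rule(word: str, rule: str) -> str:
    """Subset of Hashcat rule syntax: ':' no-op, l/u/c case ops, '$X' append, '^X' prepend."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in SIMPLE_OPS:
            word = SIMPLE_OPS[op](word)
        elif op in "$^":
            i += 1
            word = word + rule[i] if op == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule op {op!r}")
        i += 1
    return word


# Constructed inputs: a toy wordlist, a few rules of the kind OneRule contains, and a
# secretsdump-style dump (user:rid:lmhash:nthash:::) whose NT hashes are computed
# here from invented plaintexts, not read from any real NTDS.dit.
WORDLIST = ["password", "contoso", "welcome", "summer"]
RULES = [":", "c", "c$!", "c$1$2$3", "c$1$2$3$4$!", "c$2$0$2$4$!", "u$1"]
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
_PLAINTEXTS = {"alice": "Password!", "bob": "Password1234!", "carol": "Contoso2024!",
               "dave": "Password!", "erin": "1Guitar#6Strings#DroppedC"}
SAMPLE_DUMP = [f"{u}:{1000 + n}:{EMPTY_LM}:{ntlm(p)}:::" for n, (u, p) in enumerate(_PLAINTEXTS.items())]


def crack(dump_lines, wordlist=WORDLIST, rules=RULES) -> dict:
    """Wordlist x rules -> candidate hashes, then one lookup per user. With unsalted
    NTLM a single candidate hash is tested against every account at once."""
    lookup = {}
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            lookup.setdefault(ntlm(candidate), candidate)
    cracked = {}
    for line in dump_lines:
        user, _rid, _lm, nt = line.split(":")[:4]
        if nt in lookup:
            cracked[user] = lookup[nt]
    return cracked


def find_reuse(dump_lines) -> dict:
    """Identical NT hashes mean identical passwords: reuse is visible before any cracking."""
    by_hash = defaultdict(list)
    for line in dump_lines:
        user, _rid, _lm, nt = line.split(":")[:4]
        by_hash[nt].append(user)
    return {nt: users for nt, users in by_hash.items() if len(users) > 1}


def pattern_report(cracked: dict, local_terms=("contoso",)) -> Counter:
    """Tally the habits an audit should feed back to users and to a banned-word list."""
    report = Counter()
    for pw in cracked.values():
        if any(t in pw.lower() for t in local_terms):
            report["contains organisation/local term"] += 1
        if re.fullmatch(r"[A-Z][a-z]+\d*[^\w\s]?", pw):
            report["Capitalised word + digits + one symbol"] += 1
    return report


if __name__ == "__main__":
    got = crack(SAMPLE_DUMP)
    print("cracked:", got, "\nreused:", find_reuse(SAMPLE_DUMP), "\npatterns:", dict(pattern_report(got)))
```

Four of the five constructed accounts fall to four words and seven rules; only the long passphrase survives, and `alice` and `dave` are exposed as sharing a password before a single hash is cracked. A real run swaps the toy lists for a leaked-password wordlist and OneRule, and feeds `pattern_report`'s findings (the organisation's name, the local team, the year-plus-symbol suffix) into the banned-word list of whichever filter you deploy.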
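Because lockout thresholds alone won't catch a spray, here is an added Python example (not from this post) of the correlation the lockout bullet calls for: it groups constructed Event ID 4625 records by source address and flags a source that fails against many distinct accounts inside one window, reporting whether every account stayed under the lockout threshold. The fields mirror 4625 (`TargetUserName`, `IpAddress`, `SubStatus`), but the timestamps, addresses, account names and the `MIN_DISTINCT_ACCOUNTS` tuning value are invented.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                       # per-account attempts before lockout (page's example)
OBSERVATION_WINDOW = timedelta(minutes=15)  # matches the page's 15 min window
MIN_DISTINCT_ACCOUNTS = 10                  # assumed tuning value; raise it on large, noisy networks

# Constructed Event ID 4625 records: (TimeCreated, TargetUserName, IpAddress, SubStatus).
# SubStatus 0xC000006A = wrong password, 0xC0000064 = user name does not exist.
_T0 = datetime(2024, 5, 1, 9, 0, 0)
EVENTS = (
    # one source, one password, twelve accounts, 20 seconds apart: a classic spray
    [((_T0 + timedelta(seconds=20 * i)).isoformat(), f"user{i:02}", "10.0.0.99", "0xC000006A")
     for i in range(12)]
    # a second password three minutes later against the first four accounts
    + [((_T0 + timedelta(minutes=3, seconds=20 * i)).isoformat(), f"user{i:02}", "10.0.0.99", "0xC000006A")
       for i in range(4)]
    # a user who mistyped their own password three times: not a spray
    + [((_T0 + timedelta(minutes=1, seconds=15 * i)).isoformat(), "alice", "10.0.1.5", "0xC000006A")
       for i in range(3)]
    # a typo in the user name from a third host
    + [((_T0 + timedelta(minutes=2)).isoformat(), "bbo", "10.0.1.7", "0xC0000064")]
)
FAILURE_SUBSTATUS = {"0xC000006A", "0xC0000064"}


def detect_spray(events, threshold=LOCKOUT_THRESHOLD, window=OBSERVATION_WINDOW,
                 min_accounts=MIN_DISTINCT_ACCOUNTS) -> list:
    """Flag sources that fail against many distinct accounts inside one window.
    One finding per source; under_lockout is True when no account reached the
    threshold, i.e. no Event ID 4740 would have fired for this activity."""
    by_source = defaultdict(list)
    for ts, user, ip, sub in events:
        if sub in FAILURE_SUBSTATUS:
            by_source[ip].append((datetime.fromisoformat(ts), user.lower()))
    findings = []
    for ip, attempts in by_source.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            per_account = Counter(u for t, u in attempts[i:] if t - start <= window)
            if len(per_account) >= min_accounts:
                findings.append({
                    "source": ip,
                    "accounts": len(per_account),
                    "max_per_account": max(per_account.values()),
                    "under_lockout": max(per_account.values()) < threshold,
                    "window_start": start.isoformat(),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_spray(EVENTS):
        print(finding)
```

On the constructed data the sprayer at `10.0.0.99` touches twelve accounts with at most two attempts each, so the 5-attempt threshold never fires, while `alice`'s three typos from one host are below the distinct-account floor and produce no finding. In production the same logic runs over 4625 (and, for Kerberos, 4771) events collected from every domain controller, since a sprayer that rotates DCs splits its attempts across logs.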
### What's Next?
Passwords protect the gate. But what happens when an attacker doesn't need to crack anything at all? They just ask for the key and listen for who answers.
In the next post, we'll break down **LLMNR/NBT-NS Poisoning**: the "hello world" of lateral movement and credential exposure. We'll cover Responder workflows, NetNTLMv2 capture, and how to detect this in Defender for Identity logs.
*Coming up:* `02_cp3` — Lab Module 1: Credential Exposure & LLMNR Poisoning.