Microsoft Windows Maximum Password Length Active Directory



The maximum length of a password supported by AD is 256 characters. However, the maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).


Your passwords have to get quite long before you run into any limitations in the Windows world: the maximum length of a password supported by Active Directory is 256 characters. The maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).








The maximum password length here can go all the way up to 255 characters (though again, watch out for limitations on password fields; for example, logon credentials for Windows services cannot exceed 251 characters).


Minimum or maximum? The GPMC GUI limits the minimum password length to 14. But you can increase that to 20. To do that you must enable the RelaxMinimumPasswordLengthLimits Group Policy on all DCs. More information here: Minimum Password Length auditing and enforcement on certain versions of Windows


For on-premises users you can configure Password Policies in Group Policy and modify the password length as required. By default this is set to 7 characters in the Default Domain Policy. If I'm correct, the maximum length is 127 characters.


Expanded Password Lengths

Microsoft has pushed out the character limit for Azure AD passwords, per an announcement this week. Previously, the maximum length for Azure AD passwords was 16 characters. Now it's been expanded to 256 characters. Microsoft made the change in response to popular requests, also known as "user voice" requests.


There is no native way in Active Directory to accomplish this. You would need to find a 3rd-party tool that integrates with Active Directory password policy. I would suggest making the password length requirement longer rather than adding more complexity. Longer passwords are very effective and are now recommended by several security standards such as NIST. It's hard enough for end users to remember 3 mandatory categories; adding another one will blow their minds. Set the minimum password length to 15 and you will have a stronger password policy than most organizations.


Encryption, on the other hand, is a reversible two-way operation, which means the output of the encryption algorithm (known as ciphertext) can be decrypted back to obtain the original input value (e.g., the actual password).


AD supports a maximum password length of 256 characters. Unfortunately, however, Windows GUI tools only allow you to type a password with a length of up to 127 characters. To set a longer password than this, you can use PowerShell or some programmatic method. Such long passwords are pretty uncommon but are still useful for service accounts. See the following screenshot for reference:
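The following PowerShell is an added example (not code from the page or its quoted sources) showing the programmatic route the paragraph mentions: generating a 200-character password, which no Windows GUI field will accept, and setting it on a service account. It assumes the RSAT ActiveDirectory module is installed, the caller has reset rights on the account, and the account name `svc-backup-example` is a hypothetical placeholder.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module and reset-password rights on the target account.
Import-Module ActiveDirectory

$Account = 'svc-backup-example'   # hypothetical sAMAccountName; replace it
$Length  = 200                    # past the 127-char GUI limit, within AD's 256

# Printable ASCII 33..126 (94 characters). Draw bytes from a CSPRNG and use
# rejection sampling so that reducing a byte modulo 94 is not biased.
$Charset = [char[]](33..126)
$Rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$Buf     = [byte[]]::new(1)
$Limit   = 256 - (256 % $Charset.Length)   # accept only bytes below 188
$Chars   = New-Object System.Collections.Generic.List[char]
while ($Chars.Count -lt $Length) {
    $Rng.GetBytes($Buf)
    if ($Buf[0] -lt $Limit) {
        $Chars.Add($Charset[$Buf[0] % $Charset.Length])
    }
}
$Plain = -join $Chars

# Reset the account password; the GUI limit does not apply here.
$Secure = ConvertTo-SecureString -String $Plain -AsPlainText -Force
Set-ADAccountPassword -Identity $Account -Reset -NewPassword $Secure

# Confirm the reset landed: PasswordLastSet should now be the current time.
Get-ADUser -Identity $Account -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet

# Hand $Plain to the service's secret store at this point, then drop the
# plaintext from the session.
Remove-Variable -Name Plain, Secure
```

Because the service itself must be able to present this credential, the plaintext has to go straight into whatever secret store the service reads from (a managed identity, a vault, or a gMSA would avoid the manual step entirely); the script deliberately does not print it.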


So what can you do if no best practices exist for password policies? All I can do is give you a few tips. Much of what I say now is based on views and experience. From the password policy settings you see in the screenshot above, only four really matter: maximum password age, maximum password length, password complexity, and reversible encryption.


The default maximum password length is an outdated setting. A password consisting of seven characters is no longer adequate. Many security experts say 10 characters is currently the state of the art, and I agree. This number is not based on folklore but on actual penetration tests. If you give your users tips for thinking of a good password they can easily remember, a password length of 10 is not really a problem.


Microsoft has two solutions for deploying the requirements for Active Directory domain users' passwords. The requirements, referred to as the password policy, can be deployed through Group Policy Objects (GPOs) or through Active Directory objects called fine-grained password policies (FGPPs). Both solutions have the same list of constraints, such as minimum password length and maximum password age, but the details around the implementation are radically different.
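Because a fine-grained policy silently overrides the GPO-deployed default for the users it applies to, auditing only the Default Domain Policy can give a false picture. The following PowerShell is an added example (not from the page or any quoted source) that reads both the default policy and every FGPP, flags any with a minimum length below 15 (the figure the page recommends), with reversible encryption on, or with complexity off, and then shows which policy actually governs one account. It assumes the RSAT ActiveDirectory module and read access to the domain; `svc-backup-example` is a hypothetical account name.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module and read access to the domain's password policy objects.
Import-Module ActiveDirectory

$MinAcceptable = 15   # threshold taken from the page's recommendation

function Test-PasswordPolicy {
    param([string]$Name, $Policy)
    $findings = @()
    if ($Policy.MinPasswordLength -lt $MinAcceptable) {
        $findings += "MinPasswordLength $($Policy.MinPasswordLength) is below $MinAcceptable"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'ReversibleEncryptionEnabled is true (passwords stored recoverably)'
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'ComplexityEnabled is false'
    }
    [pscustomobject]@{
        Policy            = $Name
        MinPasswordLength = $Policy.MinPasswordLength
        MaxPasswordAge    = $Policy.MaxPasswordAge
        Findings          = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

# 1. The GPO-deployed default for the whole domain.
$results = @()
$results += Test-PasswordPolicy -Name 'Default Domain Policy' `
                                -Policy (Get-ADDefaultDomainPasswordPolicy)

# 2. Every fine-grained policy; lower Precedence wins when several apply.
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Name "FGPP:$($fgpp.Name) (precedence $($fgpp.Precedence))" `
                                    -Policy $fgpp
}
$results | Format-Table -AutoSize

# 3. The resultant policy for one account. No output means no FGPP applies and
#    the default domain policy governs it.
Get-ADUserResultantPasswordPolicy -Identity 'svc-backup-example' |
    Select-Object Name, MinPasswordLength, MaxPasswordAge, Precedence
```

Run it from a workstation with RSAT rather than on a domain controller; it only reads policy objects, so a standard authenticated domain account is sufficient.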


The Enable local admin password management setting must be set to activate LAPS on the managed computer. Password Settings allows you to configure password complexity, length and age. By default, LAPS uses maximum password complexity, a 14-character password length, and a password change every 30 days. You only need to enable the Password Settings policy if you want to change these defaults.


To deflect password reset calls from the helpdesk, it is recommended that organizations implement passphrases, which are outside the scope of Active Directory. Passphrases are long passwords made up of unrelated words, which are harder to crack but easier for users to remember. In fact, the National Institute of Standards and Technology (NIST) recommends using them with their 64-character maximum length requirement; however, they advise eliminating password expiration, as it can lead to users making poor password construction decisions.


Organizations define the minimum and maximum password length configurations in the Password Rules area of the Specops Password Policy configuration. If you change the minimum and maximum password length configuration, the password length values in each level of the length-based password expiration will change as well.

