Windows Password Guidelines: Updated Best Practices for 2024

By John Gates

January 25th, 2024

Setting and enforcing a policy for strong passwords should be a top priority for organizations in their cyber hygiene practice. Best practices and recommendations keep being updated since this issue is so critical for attack prevention. In fact, compromised passwords are responsible for 81% of successful attacks.

Changing passwords setting configuration is part of the hardening task. Making sure all machines are configured correctly and that nothing breaks because of the configuration change, makes this task very complex. Many organizations do not change password configuration due to these challenges, resulting in an increased attack surface. To overcome these challenges, we recommend using hardening automation tools. These tools will let you know the impact of each change and will automatically enforce your desired settings on your production.

This guide will screen the recommendations of two cyber industry best practices publishers - the Center for Internet Security (CIS) password setting recommendations and the National Institute of Standard and Technology (NIST) recommendations. CIS recommendations are based on the 2019 CIS Benchmarks. NIST recommendations are taken from the NIST Digital Identity Guidelines, updated in 2020.

This guide will help you build a password policy suitable for your organization. It will cover the following topics:

Microsoft Local Administrator Password Solution (LAPS).
Password age and expiration time.
Local admin password management.
Password length and complexity.

Microsoft Local Administrator Password Solution (LAPS):

LAPS is a free tool provided by Microsoft for Windows Server environments, that allows organizations to automatically set randomized, strong passwords to domain-attached workstations and Member Servers. The passwords are stored confidently in the domain account and can be accessed from the Active Directory by a sysadmin. The LAPS provides a solution for using an identical password on all domain computers by default.

To install LAPS you need to update the AD schema and the installation of Group Policy Client Side Extension (CSE). This CSE is not installed by default, and it is recommended by the CIS to 'Ensure LAPS AdmPwd GPO Extension / CSE is installed'. This is a key step in managing server types and Group Policy Objects (GPOs) effectively.

Password Age and Expiration Time:

There are two different approaches when setting password's age and expiration time:

CIS Password Age Recommendations:

In the CIS Benchmarks there are 2 rules that address this issue:

Do not allow password expiration time longer than required by policy - which means that according to the CIS you should set a period that after acceding it, the password should expire
Ensure ‘Password Settings: Password Age (Days)’ is set to ‘Enabled: 30 or fewer’ (for domain members, and Member Servers).

NIST Password Age Recommendations:

According to the NIST Identity Guidelines, frequent password changes can worsen security, increasing the potential impact of certain types of cyber attacks. NIST claims that since the main challenge in setting a good password is to remember it, and it is often that users must have many different passwords to remember, passwords change policy will result in users changing passwords in predictable patterns.

In this case, if an attacker knows the user's previous password, cracking the new one won't hold a challenge. Therefore, according to NIST, you should avoid requiring a periodic password change.

Local Admin Password Management:

Using the same password on all workstations and Member Servers on deployment is a common practice in many organizations. The main reason for that is the difficulty in managing local Administrator's passwords.

This practice is a major risk to the organizations since if an attacker compromises one system and gets access to its password, he can leverage it to gain access to all other machines using the same password. Therefore, Enabling Local Admin Password Management and installing LAPS will enforce random passwords on each machine and solve this issue.

Note! When enabling a local admin password, if you need to retrieve a local Administrator password and the AD is not available (for example, when recovering from an attack), you won't be able to. In this case, consider using a local password reset tool.

Minimum Password Length & Complexity Requirements:

Password length is critical for lowering the chance of attackers hacking it. Longer passwords take longer to crack, so when they configure the passwords, organizations should take care to ensure they are long enough. The CIS recommends requiring users to set aminimum password length of at least 14 characters long. CIS security configuration is:

Ensure ‘Minimum password length’ is set to ’14 or more character(s)’ (Automated)

The recommended state for this setting is: 14 or more character(s).

Password complexity is a different issue, and in this case, the CIS and NIST hold different approaches complexity requirements policy setting.

CIS password complexity recommendations:

According to the CIS Benchmarks, you should ensure that 'Password must meet complexity requirements' is set to Enabled. This policy will require the user to set his password according to the following rules:

Password should not contain the user's account name or parts of his full name (more than two consecutive characters).
Have at least six characters.
Contain uppercase characters, lowercase characters, digits, and non-alphabetic characters.

While it is reasonable to think that using complex passwords will improve security, NIST suggests a different approach for this issue.

How Hardening is reflected in the different NIST Standards

NIST password complexity recommendations:

Research shows that requiring password complexity may actually be a poor security practice. According to NIST, you can predict the patterns most users will use to solve the challenge of adding complexity for their passwords. For example, a common scenario to see is users capitalizing the first letter of their password or adding '1' or '!' at its end. Attackers know those common patterns, and they will use them when trying to decrypt stolen passwords in a brute force attack. In addition, adding complexity will increase user's tendency to reuse passwords, which can further expose them to credential stuffing attack, if one of their accounts have been breached.

For these reasons, password complexity can result in increasing the attack surface. NIST recommends concentrating on minimum password length to lower the attack surface, in addition to following key Windows password guidelines.

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.