We have all been living with the Microsoft password policy solution for many years now. It has sufficed, for the most part, until now, but password security requirements have moved on. There are distinct drawbacks with the Microsoft solution that all corporations need to consider to protect themselves against hackers. Even with Microsoft Windows Server 2012 R2, the password policy is weak and omits some key functions that all password policies should include.
First, all password policies should integrate into the directory service structure, making it easy to deploy the settings. Microsoft password policies, even fine-grained password policies (FGPPs), fail to work with the organizational unit (OU) structure that organizations have built and rely on every day. The password policy driven by Group Policy has a "one size fits all" concept, forcing every user in the entire domain to adhere to the same requirements. FGPPs allow for multiple password policies in the same domain, but they are not deployed using Group Policy and can only affect users based on group membership.
Second, studies have shown that humans follow distinct behavioral patterns when choosing passwords. For example, most user passwords start with an uppercase letter, do not include special characters ($, %, &, etc.), and often increment by a single digit when a new password is required (Password1, Password2, Password3, etc.). With these patterns in mind, an attacker can skip special characters and target the common structures when trying to crack a password. A good password policy needs to have controls that prevent users from creating these types of passwords.
Third, to easily remember their passwords, users will often use words that can be found in a dictionary or an attack dictionary. These attack dictionaries often contain common dictionary words with character replacements (P@$$w0rd, Am3r!c@, etc.). A good password policy should allow the import of multiple dictionaries, which are used to check every new password and deny any password that contains a word found in one of the dictionaries, even after such character replacements.
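The two controls described above (rejecting the common "Capital + lowercase + digits" structure and incremented passwords, and rejecting dictionary words even when characters have been substituted) as an added example of a password-filter check, not code from Microsoft or any product the article refers to. The word list, the substitution table, and the function names are assumptions constructed for this illustration; a real filter would import full dictionaries.

```python
import re
from typing import Optional

# Constructed sample dictionary; a deployment would import full wordlists.
DICTIONARY = {"password", "america", "summer", "welcome"}

# Substitutions that attack dictionaries already account for (P@$$w0rd, Am3r!c@).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case and undo common substitutions so 'P@$$w0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def contains_dictionary_word(password: str, dictionary=DICTIONARY) -> bool:
    """True if any dictionary word appears in the normalized password."""
    norm = normalize(password)
    return any(word in norm for word in dictionary)


def follows_common_pattern(password: str) -> bool:
    """Uppercase first letter, lowercase body, optional trailing digits, no specials."""
    return re.fullmatch(r"[A-Z][a-z]+\d*", password) is not None


def is_increment_of(old: str, new: str) -> bool:
    """True when new is old with its trailing number incremented by one
    (Password1 -> Password2, or Password -> Password1)."""
    m_old = re.fullmatch(r"(.*?)(\d*)", old)
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    if not (m_old and m_new) or m_old.group(1) != m_new.group(1):
        return False
    return int(m_new.group(2)) == int(m_old.group(2) or 0) + 1


def check_password(new: str, old: Optional[str] = None) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    reasons = []
    if contains_dictionary_word(new):
        reasons.append("contains a dictionary word (after undoing substitutions)")
    if follows_common_pattern(new):
        reasons.append("matches the common Capital+lowercase+digits pattern")
    if old is not None and is_increment_of(old, new):
        reasons.append("is the previous password with its number incremented")
    return reasons
```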
By overcoming these limitations, an organization can increase the security level of its passwords. Without such features, the organization is at the mercy of the end user, who might create a weak password that is easy to crack.