My question is that simple:

Can I configure an Active Directory in a way that when a user wants/needs to change his password, his current one isn't forbidden (if it's in compliance with the current password policy)?

Here is some background:

We recently implemented a blacklist approach against known publicly available passwords (see Troy Hunt's service Pwned Passwords). Now we have some users whose passwords don't expire and there is a chance that they still use a password which is on the blacklist but will never be checked when the user doesn't change his password, since this is the only opportunity to check his password.

Now my idea is to force the user to "change" his password but allow his current one if it's not on the blacklist.

I know that there exists Enforce password history which can be set to 0 but it seems to me that the current one is still not accepted.

HorstKevin

2 Answers

force the user to "change" his password but allow his current one if it's not on the blacklist.

You either have a requirement to change the password (good) or you don't (bad). Not changing a password because it isn't on some list is a security risk because attackers can compromise and use accounts without the password, by stealing and using the password hash. If the password is not regularly changed, the password hash is not changed, which is poor security hygiene.

there is a chance that they still use a password which is on the blacklist but will never be checked when the user doesn't change his password, since this is the only opportunity to check his password.

Actually it isn't the only opportunity. There are free tools to scan for weak passwords:

https://www.dsinternals.com/en/auditing-active-directory-password-quality/
https://thycotic.com/solutions/free-it-tools/weak-password-finder/

Greg Askew
  • Changing passwords often is at least debatable, see e.g. https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/. Where do the tools you mentioned get the plaintext passwords from? – HorstKevin Jun 04 '18 at 14:37
  • They don't get plaintext. They hash passwords from known compromised lists and compare them to the hashes in AD. – Ryan Bolger Jun 04 '18 at 15:37
  • @HorstKevin: It may be debatable for applications and non-Windows platforms. It isn't debatable for Windows. Now that theft of credential hashes has become de rigueur, not changing passwords on Windows or Active Directory accounts on a regular basis would be negligent. It's also required for many audits, such as PCI or SOC. – Greg Askew Jun 04 '18 at 15:38
  • @RyanBolger: When the box for 'Store password using reversible encryption' is checked, the plain text password is retrievable. See: https://msdn.microsoft.com/en-us/library/ms813423.aspx – Greg Askew Jun 04 '18 at 15:42

We currently tried the same approach with the "Have I Been Pwned" AD integration. Regarding the problem you mentioned, we found one specific way in which a user can use the same password again (if it hasn't been pwned yet).

Configured GPO:
- enforce password history: 0
- password must meet complexity requirements: Enabled
- "user must change password at next login": Activate this for the user(s)

This forced our test user to set his password again and he was able to set the same password if it wasn't pwned.

If a user decides to reset his password manually (Ctrl+Alt+Del --> change password) he will be prevented from setting the same password again.

We also didn't have the time to check how the system behaves if the user password expires "naturally". I can't tell if the user is able to set the same password again or if he has to use another one.

This should enable your users to, at least, work with a maximum of two "secure" passwords.

Tested on:
- Windows Server 2016 (Domain Controller + Client)
- no other GPOs were active while testing this

mature
Alcesh
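The configuration this answer describes, applied with the RSAT ActiveDirectory cmdlets to exactly the accounts the question is about (enabled users whose password never expires). This is an added example, not code from the answer above; it assumes the ActiveDirectory module is installed, that the caller may edit the domain password settings, and a hypothetical OU name `OU=PasswordReview` scoping the accounts under review.

```powershell
# Added example (not part of the original answer). Assumes RSAT ActiveDirectory
# module and rights to edit the default domain password policy.
Import-Module ActiveDirectory

$domain = Get-ADDomain
# Hypothetical OU holding the accounts whose passwords should be re-checked.
$reviewOu = "OU=PasswordReview,$($domain.DistinguishedName)"

# 1. Password policy as in the answer: history 0 so the current password is not
#    rejected as "previously used", complexity on so the re-entered password still
#    has to satisfy the policy (the blacklist filter runs on top of this).
#    Note: the Default Domain Policy GPO re-applies these attributes at refresh,
#    so make the same change in that GPO for anything beyond a lab test.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DistinguishedName `
    -PasswordHistoryCount 0 `
    -ComplexityEnabled $true

# 2. The accounts whose current password otherwise never passes through the
#    blacklist check: enabled, and flagged "password never expires".
$targets = Get-ADUser -SearchBase $reviewOu `
    -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
    -Properties PasswordNeverExpires, PasswordLastSet

foreach ($user in $targets) {
    # "Password never expires" and "must change password at next logon" cannot
    # both be set on one account, so clear the first before setting the second.
    # Re-enable PasswordNeverExpires afterwards only if that exemption is still wanted.
    Set-ADUser -Identity $user -PasswordNeverExpires $false
    Set-ADUser -Identity $user -ChangePasswordAtLogon $true   # sets pwdLastSet to 0
    Write-Output "$($user.SamAccountName): must change password at next logon"
}

# 3. Verify: a pending forced change shows up as an empty PasswordLastSet.
Get-ADUser -SearchBase $reviewOu -Filter * -Properties PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet
```

At the next interactive logon each listed user is prompted to set a password; with history 0 the unchanged password is accepted unless the blacklist filter rejects it, which is the behaviour the answer observed on Windows Server 2016.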