H3-2021-0028¶

Weak Password Strength Requirements

Description¶

A Windows domain user password less than 12 characters long was found. Passwords should be at least 12 characters long.

Impact¶

The shorter a password is, the easier it is for an attacker to recover it offline from a password hash. Shorter passwords are also easier for attackers to brute force in an online attack.

References¶

• NIST Special Publication 800-63B: Digital Identity Guidelines
• Microsoft - Password Policy Recommendations
• MITRE ATT&CK Technique: T1201: Password Policy Discovery
• MITRE ATT&CK Technique: T1110.001: Brute Force: Password Guessing