We recently received a support email about how Password Center handles a 72 character Active Directory password. I read it in disbelief. Seventy-two characters? That’s the alphabet 2, almost 3, times over. How does anyone remember a 72 character password?
Turns out, pretty darned easily. Because the best Active Directory password isn’t a word at all…it’s a phrase. Phrases are pretty darned easy to remember. Try this one: Itwasthebestoftimesitwastheworstoftimes! 40 characters and every single one of us remembers it from 10th grade English class. Surely a lot better than $uperm4n33. And easier to type.
Because of all that we do with Active Directory, I’ve been thinking a lot about security. How to ensure that only the correct users have access to the correct resources. How to ensure that users are deprovisioned in a timely manner. How to track who has done what to Active Directory. How to remove Active Directory groups that have no business in the business. How to let users reset their passwords with a reasonable idea that they are indeed themselves. This is all GroupID stuff; security things that an IT department can solve systematically.
But the only thing that IT can do to make users pick secure passwords is to have a stringent complex password policy. Special characters, capital letters, numbers, length. All great security designed to make users forget their passwords. Complex passwords are the reason that AD self service password reset exists.
And even these complex passwords are pretty darned hackable. Attention users everywhere: everyone (including hackers) knows that you are using an @ symbol to mean the letter a. Nothing new there. These guys can crack 8 character passwords all day long, complexity or not.
And the answer is so simple…phrases. A 72 character password that doesn’t show up in a dictionary. Brilliant and easy to remember. Just don’t use the first sentence of any top 100 book or list your favorite quotations on Facebook and you’re golden. Heck, throw an @ symbol in there for fun.
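Here is an added example (not code from the post or from GroupID) of what a policy like the one argued for above can look like in a password filter: long passphrases are accepted without character-class rules, short passwords still need complexity, and candidates are checked against a blocklist of famous phrases after undoing the @-for-a style substitutions. The length thresholds and the three blocked phrases are assumptions constructed for the example; a real deployment would load a far larger phrase list.

```python
import re
import string

# Leetspeak substitutions a cracking rule set would undo; "@" for "a" is the
# one the post calls out. This mapping is an assumption for the example.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "$": "s", "5": "s",
                      "0": "o", "1": "i", "7": "t"})

# Constructed blocklist of openings and quotations too famous to serve as a
# passphrase (the post's own Dickens example would be rejected).
BLOCKED_PHRASES = [
    "it was the best of times it was the worst of times",
    "call me ishmael",
    "to be or not to be",
]

MIN_PASSPHRASE_LEN = 20   # assumed: at this length, complexity rules are waived
MIN_COMPLEX_LEN = 12      # assumed: floor for short, character-class passwords


def normalize(candidate: str) -> str:
    """Undo leetspeak, lowercase, and keep only letters for phrase matching."""
    return re.sub(r"[^a-z]", "", candidate.translate(LEET).lower())


def matches_blocklist(candidate: str) -> bool:
    """True if any blocked phrase appears inside the normalized candidate."""
    norm = normalize(candidate)
    return any(normalize(phrase) in norm for phrase in BLOCKED_PHRASES)


def char_classes(candidate: str) -> int:
    """Count how many of lower/upper/digit/punctuation classes are present."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(ch in cls for ch in candidate) for cls in classes)


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason) under the length-or-complexity policy."""
    if matches_blocklist(candidate):
        return False, "matches a well-known phrase after normalization"
    if len(candidate) >= MIN_PASSPHRASE_LEN:
        return True, "accepted as passphrase"
    if len(candidate) >= MIN_COMPLEX_LEN and char_classes(candidate) >= 3:
        return True, "accepted as complex password"
    return False, "too short, or too few character classes"
```

Note that the blocklist check runs before the length rule, so a 40-character quotation everyone memorized in 10th grade is still turned away, while a long sentence of your own passes without any special characters.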