Comment on page

Password Policy

The password policy helps ensure that a user's password is strong and is changed periodically so that it becomes impossible for an attacker to crack the password.
By default, the password policy is configured like this:
Policy
Default value
Enforce password history
24 passwords
Maximum password age
42 days
Minimum password age
1 day
Minimum password length
7
Password must meet complexity requirements
Enabled
Store passwords using reversible encryption
Disabled
Account lockout duration
Not set
Account lockout threshold
0
Reset account lockout counter after
Not set
From an attacker's point of view it is useful to list the password policy in force on the domain and then be able to do either:
Bruteforce
Guessing
Spraying
Cracking
UNIX
Windows cmd
Windows Powershell
Modules AD
PowerView
cme smb 192.168.1.0/24 -u <USERNAME> -p '<PASSWORD>' --pass-pol
net accounts
get-addomain | get-adobject -propertcies * | select *pwd*er
This command gets the default password policy for the specified domain.
Get-ADDefaultDomainPasswordPolicy -Identity domain.local
Get-DomainPolicy

Network Shares

Enumeration

Last modified 3mo ago

Policy	Default value
Enforce password history	24 passwords
Maximum password age	42 days
Minimum password age	1 day
Minimum password length	7
Password must meet complexity requirements	Enabled
Store passwords using reversible encryption	Disabled
Account lockout duration	Not set
Account lockout threshold	0
Reset account lockout counter after	Not set