Active Directory Password Security: Resilience Over Complexity

Why password complexity rules fail against modern Active Directory attacks, how AD compromise actually unfolds, and the controls that genuinely reduce risk.

Author: Lewis Warner

Modern attackers do not sit at a login screen guessing passwords. They extract hashes, replay tokens and exploit misconfiguration. Raising the complexity bar alone does not stop them.

Active Directory (AD) underpins most enterprise identity in the UK. Even as cloud directories and passwordless sign‑in gain adoption, an on‑premises domain still acts as the single source of truth for authentication and authorisation. Compromising AD remains the fastest route to take over the entire estate. Yet the most common corporate response to “improve password security” is still to mandate extra characters, symbols and frequent rotation. Current guidance from the National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) points in a different direction: long, unique passphrases, avoidance of forced rotation and the use of multi‑factor authentication.

This article looks at why traditional complexity rules are ineffective against modern attacks, how adversaries actually obtain AD credentials and what controls materially reduce risk.

Why complexity rules don't work

The traditional model assumes attackers guess passwords at a login prompt, so adding symbols and frequent rotation makes guessing harder. That may have been true in 1998; today it is an unrealistic model. Most breaches involve stealing password hashes or tokens and using them directly, not brute forcing plaintext passwords.

Common techniques include:

  • Password spraying. Adversaries try one or two common passwords (“Autumn2025!”, “CompanyName123”) against many accounts. Because most users choose the shortest string that satisfies the policy, tightening complexity rules does not help. MITRE notes that password spraying deliberately avoids lockout thresholds by using a small list of probable passwords across thousands of accounts.
  • Kerberoasting. Any authenticated domain user can request Kerberos service tickets for service principal names (SPNs). Attackers extract the ticket encrypted with the service account's password hash and crack it offline. CrowdStrike highlights that service accounts often have long‑standing passwords and do not require elevated privileges to be targeted.
  • AS‑REP roasting. Accounts with “Do not require Kerberos pre‑authentication” expose encrypted authentication data. Attackers extract these AS‑REP responses and crack them offline.
  • Credential reuse. Credentials exposed in other breaches or obtained via phishing are replayed against AD. Users frequently reuse passwords across systems; NIST explicitly advises checking new passwords against breach corpuses such as Have I Been Pwned.
  • Hash extraction on endpoints. Tools such as Mimikatz or LSASS process dumps let attackers obtain cached password hashes from a single compromised workstation, yielding higher‑privileged credentials.
  • Pass‑the‑hash and pass‑the‑ticket. Once a hashed credential or Kerberos ticket is obtained, it can be used to authenticate without knowing the plaintext password.

Complexity rules provide little defence against any of these attacks. Worse, they encourage predictable patterns such as combining a season, year and special character. The NCSC advises against mandatory password changes because they burden users and offer negligible security benefit.

How attackers compromise AD credentials

Active Directory breaches usually unfold in well‑understood stages that rarely involve online password guessing:

Initial access. Attackers phish a single credential, exploit an exposed remote‑access service or compromise a VPN endpoint. The first account is usually low‑privileged.

Foothold and reconnaissance. Once inside a workstation, attackers silently enumerate the domain using tools such as BloodHound to map group memberships, access control lists and service accounts. BloodHound analyses AD relationships to identify privilege‑escalation paths. This reconnaissance is authenticated traffic and often goes undetected.

Lateral movement. Reused passwords, cached credentials on shared workstations and over‑privileged service accounts enable attackers to move between systems. A helpdesk account with administrative rights across user devices is a common pivot.

Privilege escalation. Techniques like Kerberoasting and AS‑REP roasting harvest hashes for service accounts.

Persistence and impact. With Domain Admin privileges, adversaries can create golden tickets, use DCSync to extract every password hash or deploy ransomware. None of these steps requires guessing a password; they exploit misconfiguration and poor credential hygiene.

Practical controls that improve resilience

Making AD resilient requires more than a password policy. The following controls materially reduce the attack surface:

  • Tier and isolate privileged accounts. Follow Microsoft's tiering model (Tier 0 for domain controllers, Tier 1 for servers, Tier 2 for workstations). Domain Admins should never log into internet‑facing systems or read email. Use Privileged Access Workstations (PAWs) for administration.
  • Eliminate password reuse across devices. Each endpoint's local administrator password must be unique. Windows LAPS randomises and rotates these passwords automatically, preventing lateral movement via shared local credentials.
  • Deploy phishing‑resistant MFA. Administrative accounts should use hardware‑backed authentication (FIDO2/WebAuthn). SMS and push MFA are inadequate for critical roles.
  • Service account hygiene. Use long, randomly generated passwords and rotate them regularly. Where supported, adopt Group Managed Service Accounts (gMSAs) instead of static credentials. Audit which accounts have SPNs and whether they still need them.
  • Check new passwords against breach data. Prevent users from selecting passwords already compromised by using services like Have I Been Pwned.
  • Prioritise length over composition. NIST recommends passphrases of at least 14 characters; three or more random words are easier to remember and harder to crack.
  • Identify kerberoastable accounts. Regularly scan for service accounts with SPNs and weak passwords. Rotate them to long passphrases or migrate to gMSAs.
  • Detect techniques early. Monitor for suspicious LDAP enumeration, unusual Kerberos ticket requests and DCSync activity. Catching an attacker during reconnaissance is far easier than after ransomware deployment.
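The monitoring control above, as an added example that is not part of the original article: a small detector for the three techniques it names (Kerberoasting via RC4 service-ticket requests in event 4769, AS-REP roasting via pre-authentication type 0 in event 4768, and DCSync via replication extended rights in event 4662), run over constructed Windows Security event records. The record field names (EventID, Account, ServiceName, TicketEncryptionType, PreAuthType, Properties) are simplified assumptions to be mapped from real Get-WinEvent or SIEM output; the replication GUIDs and the RC4 encryption-type value are the standard ones.

```python
"""Flag Kerberoasting, AS-REP roasting and DCSync indicators in Windows Security events.
Added example; the records are a constructed, simplified dict form of the event fields."""
from collections import Counter
# Replication extended rights that DCSync needs (well-known AD control-access GUIDs).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcb2"      # DS-Replication-Get-Changes
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcb2"  # DS-Replication-Get-Changes-All
DS_REPLICATION_GUIDS = {GET_CHANGES, GET_CHANGES_ALL}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4, requested to make offline cracking easier

def classify(ev):
    """Return an alert name for one event, or None if it looks benign."""
    if ev["EventID"] == 4769:  # service ticket (TGS) requested
        svc = ev["ServiceName"]
        # RC4 ticket for a user-type SPN: computer accounts end in '$', krbtgt is the TGT
        if (ev["TicketEncryptionType"].lower() == RC4_HMAC
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            return "kerberoast_rc4_tgs"
    elif ev["EventID"] == 4768:  # TGT requested; Pre-Authentication Type 0 = no pre-auth
        if ev["PreAuthType"] == "0":
            return "asrep_roast_no_preauth"
    elif ev["EventID"] == 4662:  # object access using replication rights by a non-DC account
        if set(ev["Properties"]) & DS_REPLICATION_GUIDS and not ev["Account"].endswith("$"):
            return "dcsync_replication_rights"
    return None

def detect(events, tgs_threshold=5):
    """Aggregate alerts per (alert, account). A Kerberoast alert fires only when one
    account requests RC4 tickets for at least tgs_threshold distinct services."""
    hits, rc4_services = Counter(), {}
    for ev in events:
        alert = classify(ev)
        if alert == "kerberoast_rc4_tgs":
            rc4_services.setdefault(ev["Account"], set()).add(ev["ServiceName"])
        elif alert:
            hits[(alert, ev["Account"])] += 1
    for account, svcs in rc4_services.items():
        if len(svcs) >= tgs_threshold:
            hits[("kerberoast_rc4_tgs", account)] = len(svcs)
    return dict(hits)

# Constructed sample: jdoe pulls RC4 tickets for six SPN accounts (the computer-account ticket
# is ignored), legacy_svc has pre-auth disabled, helpdesk1 uses replication rights; DC01$ doing
# the same is ordinary replication and is not flagged.
SAMPLE_EVENTS = [{"EventID": 4769, "Account": "jdoe", "ServiceName": f"svc_app{i}",
                  "TicketEncryptionType": "0x17"} for i in range(6)] + [
    {"EventID": 4769, "Account": "jdoe", "ServiceName": "WS01$", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "Account": "legacy_svc", "PreAuthType": "0"},
    {"EventID": 4662, "Account": "helpdesk1", "Properties": [GET_CHANGES]},
    {"EventID": 4662, "Account": "DC01$", "Properties": [GET_CHANGES_ALL]},
]
```

The threshold on distinct services is what separates a bulk ticket harvest from a user legitimately reaching one RC4-only legacy service; tune it to the environment's baseline.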

A defensible identity programme combines policy (tiering and password length), technology (MFA, LAPS, monitoring) and regular review. Complexity rules alone provide the appearance of security without addressing the actual attack paths.

Frequently asked questions

Does the NCSC recommend forced password changes?

No. The NCSC's password guidance states that mandatory password expiry encourages predictable patterns and offers little protection.

Should we deploy LAPS?

Yes. Windows LAPS ensures that each device's local administrator password is unique, complex and regularly rotated, closing a common lateral‑movement path.

Is MFA enough to protect Active Directory?

Multi‑factor authentication is necessary but not sufficient. Phishing‑resistant MFA dramatically raises the bar for attackers, but must be combined with tiered admin accounts, unique local passwords, service account hygiene and continuous monitoring.

What is the right minimum password length for AD?

NCSC and NIST both recommend passphrases of at least 14 characters for user accounts, and longer (often 25+ characters) or gMSAs for service accounts. Length provides more resistance to cracking than symbol composition.
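The breach-data check and the minimum-length guidance above, as an added example (not the article's or Have I Been Pwned's own code): a password acceptance check that applies the 14-character user and 25-character service-account minimums, then queries the HIBP Pwned Passwords range API with k-anonymity so only the first five hex characters of the SHA-1 leave the host. The fetch function is injected; `fake_fetch_range` and its breach counts are constructed so the check runs offline, and the `User-Agent` string is an assumed placeholder.

```python
"""Password acceptance check: NIST/NCSC length minimums plus a Have I Been Pwned
k-anonymity range lookup. Added example; the offline range data below is constructed."""
import hashlib

MIN_USER_LENGTH = 14     # passphrase minimum for user accounts, as quoted in the article
MIN_SERVICE_LENGTH = 25  # longer minimum for service accounts that cannot move to gMSA
RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint, prefix appended

def hibp_breach_count(password, fetch_range):
    """Return how many times HIBP has seen `password`. Only the first five hex characters
    of its SHA-1 are sent (k-anonymity); the 35-character suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():  # each line is SUFFIX:COUNT
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def evaluate_password(password, fetch_range, service_account=False):
    """Return (accepted, reasons). Length is checked first so a short password never
    triggers a network lookup; any password present in breach data is rejected."""
    reasons = []
    minimum = MIN_SERVICE_LENGTH if service_account else MIN_USER_LENGTH
    if len(password) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    else:
        seen = hibp_breach_count(password, fetch_range)
        if seen:
            reasons.append(f"found {seen} times in breach data")
    return (not reasons, reasons)

def urllib_fetch_range(prefix):
    """Live fetcher for real use (standard library only); HIBP requires a User-Agent."""
    from urllib.request import Request, urlopen
    req = Request(RANGE_URL + prefix, headers={"User-Agent": "example-password-check"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline range: treats the well-known passphrase "correct horse battery
# staple" as breached 1234 times; every other prefix returns one unrelated filler suffix.
_BREACHED = hashlib.sha1(b"correct horse battery staple").hexdigest().upper()

def fake_fetch_range(prefix):
    filler = "0" * 34 + "A:1"
    if prefix == _BREACHED[:5]:
        return "\r\n".join([filler, f"{_BREACHED[5:]}:1234"])
    return filler
```

Swap `fake_fetch_range` for `urllib_fetch_range` to check against the live corpus; the plaintext password and its full hash never leave the host either way.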
