Length-based Password Aging

Hey, it’s me again. As I’m very fascinated by this project, I got an idea for the length-based complexity rules. I thought about an option where you could set different password ages (the count of days after which the password has to be changed).

That could be a great opportunity to allow people to still use smaller passwords, but also restrict them by letting their passwords expire faster.

To make this real, maybe the attribute “PwdLastSet” could be used, for example to be set a month before the actual change date. In my understanding, the password would then expire a month earlier.

$ReplaceHashTable = New-Object hashtable
$date = (Get-Date "16.05.2020").ToFileTime()  #Windows NT Time Format
$ReplaceHashTable.Add("PwdLastSet", $date)

Set-ADUser -Identity Dave -Replace $ReplaceHashTable

I tried these PowerShell commands, but it seems that this attribute can only be changed to 0 or -1 by an admin. 0 => Password expires now, -1 => Password expires never

A system user may be able to change the attribute. Maybe the service of LPP is also able to do this.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

1 reaction
ryannewington commented, Aug 4, 2020

@ToxicDave it will stay open as a feature request. I’m working on a new product at the moment, and hope to return to v2 of LPP soon. I’ll look at options then.

0 reactions
Techie4Life83 commented, Sep 16, 2020

Why not just use Fine Grain Password Policies? Isn’t this kind of what you are doing already with having different requirements for different lengths of passwords? https://www.lepide.com/blog/fine-grained-password-policy-best-practices/#:~:text=AD supports one set of,a separate domain for them.

Create the criteria in Lithnet, have Lithnet create the appropriate FGPPs and corresponding AD groups. Then when a user submits their password you would remove them from all of the FGPP shadow groups and add them to the appropriate one for the password they put in. Submit their password to AD after that and BOOM variable length password expiration.
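
The group-swap approach described in the comment above, sketched in PowerShell as an added example (not code from the LPP project or from the commenter). The tier thresholds, ages, precedences and the `PwdAge-*` group/policy names are assumptions, and the password length is assumed to be supplied by whatever component sees the new password; the password itself is never passed in.

```powershell
#Requires -Modules ActiveDirectory
# Constructed tiers (assumptions): minimum length -> maximum password age in days.
# Lower Precedence wins if a user ever ends up in more than one tier group.
$Tiers = @(
    [pscustomobject]@{ Name = 'PwdAge-Short';  MinLength = 8;  MaxAgeDays = 30;  Precedence = 30 }
    [pscustomobject]@{ Name = 'PwdAge-Medium'; MinLength = 12; MaxAgeDays = 90;  Precedence = 20 }
    [pscustomobject]@{ Name = 'PwdAge-Long';   MinLength = 16; MaxAgeDays = 365; Precedence = 10 }
)

function Get-AgingTier {
    # Pure lookup: the longest tier whose MinLength the password satisfies.
    param([Parameter(Mandatory)][int]$PasswordLength)
    $tier = $Tiers | Where-Object { $PasswordLength -ge $_.MinLength } |
        Sort-Object MinLength -Descending | Select-Object -First 1
    if (-not $tier) { throw "Length $PasswordLength is below the shortest tier." }
    $tier
}

function Initialize-AgingTier {
    # One-time setup: a global security group and an FGPP per tier, linked together.
    [CmdletBinding(SupportsShouldProcess)] param()
    foreach ($t in $Tiers) {
        if ($PSCmdlet.ShouldProcess($t.Name, 'Create group and FGPP')) {
            New-ADGroup -Name $t.Name -GroupScope Global -GroupCategory Security
            New-ADFineGrainedPasswordPolicy -Name $t.Name -Precedence $t.Precedence `
                -MinPasswordLength $t.MinLength `
                -MaxPasswordAge (New-TimeSpan -Days $t.MaxAgeDays)
            Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Name
        }
    }
}

function Set-AgingTierMembership {
    # Put the user in exactly one tier group before the password is submitted to AD.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Identity,
          [Parameter(Mandatory)][int]$PasswordLength)
    $target = Get-AgingTier -PasswordLength $PasswordLength
    $user   = Get-ADUser -Identity $Identity -Properties MemberOf
    foreach ($t in $Tiers) {
        $isMember = $user.MemberOf -contains (Get-ADGroup -Identity $t.Name).DistinguishedName
        $wanted   = $t.Name -eq $target.Name
        if ($isMember -and -not $wanted -and $PSCmdlet.ShouldProcess($Identity, "Remove from $($t.Name)")) {
            Remove-ADGroupMember -Identity $t.Name -Members $user -Confirm:$false
        } elseif ($wanted -and -not $isMember -and $PSCmdlet.ShouldProcess($Identity, "Add to $($t.Name)")) {
            Add-ADGroupMember -Identity $t.Name -Members $user
        }
    }
}
```

Run `Set-AgingTierMembership -Identity Dave -PasswordLength 14 -WhatIf` to preview the membership changes, then check the effective policy with `Get-ADUserResultantPasswordPolicy -Identity Dave`.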
