Pentiq

Active Directory Password Security: Resilience Over Complexity

Why password complexity rules fail against modern Active Directory attacks, how AD compromise actually unfolds, and the controls that genuinely reduce risk.

Reviewed by: Lewis Warner, Chief Hacking Officer

Complexity rules are not what makes AD safe. These are.

For all the change in identity technology over the last decade — cloud directories, federated identity, passwordless authentication, conditional access — Active Directory remains the centre of gravity for most UK enterprises. Compromise of AD remains the route to enterprise-wide compromise, and the patterns by which it happens have barely changed.

The conventional response to “improve AD password security” is to raise the complexity bar: more characters, more symbols, more frequent rotation. This addresses almost none of the techniques attackers actually use. This article explains why complexity alone fails, how AD credential compromise actually unfolds in practice, and the controls that materially reduce risk.

Why complexity alone fails

The intuition behind complex passwords is that attackers are guessing — that they sit at a login screen, trying combinations, and the harder the password, the longer that takes. This was a reasonable model in 1998. It is no longer the dominant attack pattern.

Modern AD credential compromise rarely involves guessing passwords. It involves obtaining hashes or tokens and abusing them. Some of the most reliable techniques include:

  • Password spraying — one or two common passwords (“Autumn2025!”, “CompanyName123”) tried against thousands of accounts. Length and complexity rules do not help here, because users predictably select the shortest, simplest password that satisfies the policy.
  • Kerberoasting — extracting service ticket hashes for service accounts with SPNs and cracking them offline. Service accounts very commonly have passwords that have not changed in years.
  • AS-REP roasting — extracting authentication data for accounts where pre-authentication is disabled, and cracking offline.
  • Credential reuse — extracted credentials from a previous breach or a phishing run, replayed against AD because users use the same password everywhere.
  • Hash extraction from compromised endpoints — Mimikatz, LSASS dumps, or DPAPI extraction on a single workstation often yield cached credentials for higher-privileged accounts.
  • Pass-the-hash and pass-the-ticket — once a hash or Kerberos ticket is in hand, the plaintext password is irrelevant.

In none of these scenarios does increasing the complexity rule from 8 characters to 14 meaningfully change the outcome. Worse, complex rotation policies encourage exactly the patterns attackers spray for: a season, a year and an exclamation mark.

The NCSC has been clear on this since 2016: frequent forced password change does more harm than good. Modern guidance — from NCSC, NIST SP 800-63B and Microsoft — converges on length, uniqueness, breach-checking and MFA, in preference to complexity rules and rotation.
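As an added illustration (not Pentiq's code, nor a tool the article names), this is the on-set check that guidance converges on: a length floor instead of composition rules, rejection of the season-plus-year family that spraying leads with, a normalised banned-term list (the substitution table is an assumption), and a breach lookup using the k-anonymity scheme the Have I Been Pwned Pwned Passwords API uses, with a constructed stand-in for the breach corpus so it runs offline.

```python
import hashlib
import re

MIN_LENGTH = 14  # length over complexity, per the guidance above

# Season/month followed by a two- or four-digit year and optional punctuation:
# the "Autumn2025!" family that spraying campaigns lead with.
SPRAY_PATTERN = re.compile(
    r"^(spring|summer|autumn|fall|winter|january|february|march|april|may|june"
    r"|july|august|september|october|november|december)(19|20)?\d{2}[!@#$.*]*$",
    re.IGNORECASE,
)
# Common substitutions undone before banned-term matching (assumed table).
SUBSTITUTIONS = str.maketrans("01$@", "olsa")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, stored the way a k-anonymity range
# query returns it: 5-hex-character prefix -> set of 35-character suffixes.
BREACH_RANGES: dict[str, set[str]] = {}
for _pw in ("Autumn2025!", "Password123", "Welcome1", "P@ssw0rd"):
    _h = sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])


def is_breached(password: str, ranges=BREACH_RANGES) -> bool:
    """Only the 5-char prefix would leave the host; the suffix match is local."""
    h = sha1_hex(password)
    return h[5:] in ranges.get(h[:5], set())


def check_password(password: str, banned_terms=()) -> list[str]:
    """Return the reasons a candidate should be rejected (empty list = accept)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if SPRAY_PATTERN.match(password):
        reasons.append("season/month + year pattern")
    normalised = password.lower().translate(SUBSTITUTIONS)
    for term in banned_terms:
        if term.lower().translate(SUBSTITUTIONS) in normalised:
            reasons.append(f"contains banned term '{term}'")
    if is_breached(password):
        reasons.append("found in breach corpus")
    return reasons
```

A 14-character "CompanyName123" passes every composition rule and still fails this check once the organisation's name is on the banned list.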

How attackers actually exploit AD credentials

A typical Active Directory compromise unfolds in stages, and very few of them involve guessing passwords at a login screen.

Initial access. Phishing for a single user credential, exploitation of an exposed edge service, or compromise of a VPN endpoint. The first credential obtained is usually low-privileged.

Foothold and local privilege escalation. From a single workstation, the attacker uses tooling such as BloodHound to enumerate the domain — group memberships, ACLs, service account configurations, trust relationships, kerberoastable accounts. This is silent and authenticated, and most environments do not detect it.

Lateral movement. Reused passwords, cached credentials on shared workstations, and over-permissioned service accounts allow movement to higher-value systems. A single helpdesk account with administrative rights across all user workstations is a routine finding.

Privilege escalation in the domain. Kerberoastable service accounts, accounts with unconstrained delegation, ACL misconfigurations on privileged groups, and shadow admin paths. BloodHound maps these for the attacker; defenders rarely have an equivalent view of their own environment.

Persistence and impact. Once Domain Admin or equivalent is reached, the attacker has options: golden ticket creation, DCSync to extract every hash in the domain, or simply deploying ransomware across the estate. This stage is usually the fastest.

The fastest of these chains we have observed in real engagements move from initial phish to Domain Admin in under four hours, with no exploit code involved at any stage. Every step relied on misconfiguration, over-privileged accounts and credential reuse — not on a failure of password complexity.

Practical controls that improve resilience

The controls that actually move the needle are well-established. They are also less popular than complexity rules because they require operational discipline rather than a single policy change.

  • Tier privileged accounts properly. Domain Admins should not browse the web, read email or log into workstations. Implement Microsoft’s tiering model (Tier 0 / Tier 1 / Tier 2) or equivalent, and use Privileged Access Workstations (PAWs) for administrative tasks.
  • Eliminate password reuse across tiers. Local administrator passwords should be unique per machine — Windows LAPS is free, supported and remarkably underdeployed.
  • Phishing-resistant MFA for administrators. WebAuthn / FIDO2 hardware keys. SMS and push-based MFA are not sufficient at the administrative tier.
  • Service account hygiene. Long, randomly generated passwords (or, better, Group Managed Service Accounts where supported). Audit which accounts have SPNs and whether they need them.
  • Breach-check passwords on set. Block users from choosing passwords known to be compromised. Microsoft Entra Password Protection, or open-source equivalents using Have I Been Pwned datasets.
  • Length over complexity. A 14-character passphrase a user can remember is materially stronger than an 8-character symbol soup that gets written on a Post-it.
  • Audit Kerberoastable accounts. Identify accounts with SPNs and weak passwords. Either rotate to strong passwords, migrate to gMSA, or remove the SPN.
  • Detect the techniques, not just the outcomes. AD-aware detection (LDAP enumeration, ticket extraction patterns, DCSync) catches attacks earlier than waiting for the ransomware payload.

A defensible programme combines policy (what is enforced), technology (what is detected) and review (what is regularly audited). Complexity rules in isolation provide the appearance of security and very little of the substance.
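The "detect the techniques" control above, as an added example rather than anything from the article or a product it names: technique-level rules for Kerberoasting, AS-REP roasting and DCSync run over constructed Windows Security event records shaped like events 4769, 4768 and 4662. The field names, the DC allow-list and the threshold are assumptions; real 4662 events carry the rights GUIDs in a text blob that must be parsed first.

```python
from collections import Counter

# Extended rights used by directory replication. A 4662 exercising either of
# them from a principal that is not a domain controller is the DCSync signature.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
RC4_HMAC = "0x17"          # TicketEncryptionType for RC4, crackable offline
KERBEROAST_THRESHOLD = 3   # RC4 TGS requests per requester before alerting (assumed)


def detect(events, known_dcs):
    """Return (technique, principal) findings for a batch of event records."""
    findings = []
    rc4_requests = Counter()
    for e in events:
        eid = e["EventID"]
        if eid == 4769 and e["Status"] == "0x0":
            svc = e["ServiceName"]
            # RC4 tickets for user-held SPNs. Machine accounts ($) and krbtgt
            # are skipped: their keys are long and random, so not crackable.
            if e["TicketEncryptionType"] == RC4_HMAC and not svc.endswith("$") \
                    and svc.lower() != "krbtgt":
                rc4_requests[e["TargetUserName"]] += 1
        elif eid == 4768 and e["Status"] == "0x0" and e["PreAuthType"] == "0":
            # TGT issued without pre-authentication: the reply can be cracked offline
            findings.append(("as-rep-roasting", e["TargetUserName"]))
        elif eid == 4662 and REPLICATION_RIGHTS & set(e["Properties"]):
            subject = e["SubjectUserName"]
            # Entra Connect and backup service accounts legitimately hold these
            # rights too; in production they belong on the allow-list with the DCs.
            if subject.rstrip("$").upper() not in known_dcs:
                findings.append(("dcsync", subject))
    for requester, n in rc4_requests.items():
        if n >= KERBEROAST_THRESHOLD:
            findings.append(("kerberoasting", requester))
    return findings


SAMPLE_EVENTS = [  # constructed records, not from a real domain
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "alice", "ServiceName": "WS01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "alice", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "alice", "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "alice", "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "bob", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "Status": "0x0", "TargetUserName": "svc_legacy", "PreAuthType": "0"},
    {"EventID": 4768, "Status": "0x0", "TargetUserName": "carol", "PreAuthType": "2"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"EventID": 4662, "SubjectUserName": "helpdesk1", "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},
]
KNOWN_DCS = {"DC01", "DC02"}
```

On the sample batch only alice's burst of RC4 tickets, the pre-auth-free TGT for svc_legacy and helpdesk1's replication request are reported; bob's single RC4 ticket and DC02's own replication stay quiet.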

Frequently asked questions

Does the NCSC recommend forced password changes?

No. Since 2016 the NCSC has advised against routine password expiry, on the basis that it encourages predictable patterns and provides little defensive benefit.

Should we use LAPS?

Yes. Windows LAPS randomises and rotates local administrator passwords per machine, eliminating one of the most reliable lateral movement paths in AD.

Is MFA enough to protect Active Directory?

MFA is necessary but not sufficient. Phishing-resistant MFA at the administrative tier is the strongest single control, but it must be combined with tiering, service account hygiene and detection.

What is the right minimum password length for AD?

Modern guidance points to 14 characters or longer for users, and 25+ characters (or gMSA) for service accounts. Length matters far more than complexity composition rules.
