{"id":46732,"date":"2024-09-16T08:00:55","date_gmt":"2024-09-16T07:00:55","guid":{"rendered":"https:\/\/www.firstware.com\/?p=46732"},"modified":"2024-09-16T13:59:51","modified_gmt":"2024-09-16T12:59:51","slug":"check-password-rules","status":"publish","type":"post","link":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/","title":{"rendered":"Check password rules"},"content":{"rendered":"<p>How can we check password rules? Do they meet the complexity requirements? This article explains various methods for checking compliance with password policies in an Active Directory domain.<\/p>\n<p>A <strong>practical example<\/strong> is the <strong>implementation of a self-service password change portal to ensure compliance<\/strong> and provide users with an easy way to manage their passwords.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Why-do-Password-rules-exist\"><\/span>Why do Password rules exist?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Simplicity and security<\/strong> are two keywords that very few people would probably mention in the same sentence. 
The need for secure methods to verify authorized access to IT resources is undeniable. Essentially every resource today is connected to IT or secured by IT. What is protected is no longer just access to files in the virtual world, but also access to resources in the real world:<\/p>\n<ul>\n<li>printers,<\/li>\n<li>rooms,<\/li>\n<li>vehicles,<\/li>\n<li>production machines, etc.<\/li>\n<\/ul>\n<p>It is in the nature of things that security methods are usually cumbersome, as this is the only way they can successfully ward off unauthorized access. <strong>However, they should only be as complicated as necessary; otherwise users will find ways to make things easier for themselves, and thus for the attacker, which would counteract the security efforts.<\/strong><\/p>\n<p>Technological progress also helps with simplification. Many methods exist today to make user authentication uncomplicated. The best known are biometric methods such as fingerprint and facial recognition.<\/p>\n<p>As advanced as these methods are, in most organizations they collide with reality. They require additional hardware and support for the corresponding protocols, and a large number of software programs cannot yet provide this. Consequently, <strong>the password remains the most widely used authentication method<\/strong>.<\/p>\n<p>To ensure that the password is still as secure as possible, <strong>various complexity rules must be observed<\/strong> to make it as difficult as possible for an attacker to guess the password. 
The framework conditions for this are:<\/p>\n<ul>\n<li>a <strong>minimum password length<\/strong>,<\/li>\n<li><strong>uniqueness<\/strong> and<\/li>\n<li>the <strong>use of many different character types<\/strong>.<\/li>\n<\/ul>\n<p><strong>Passwords should also be changed regularly.<\/strong> As this usually bothers users, who therefore tend to simply increment a number at the end of the password, the password history is also checked.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Help-for-users\"><\/span>Help for users<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As we want to make it as easy as possible for users, we also want to help them with the tedious but necessary task of changing their passwords regularly.<\/p>\n<p>Unfortunately, Microsoft is not very helpful here. If we have not designed our new password according to the complexity rules, Windows only gives us a very succinct answer:<\/p>\n<div id=\"attachment_46716\" style=\"width: 505px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" aria-describedby=\"caption-attachment-46716\" class=\"wp-image-46716 size-full\" title=\"Unable to update a password in Microsoft\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png\" alt=\"Unable to update a password in Microsoft\" width=\"495\" height=\"140\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png 495w, https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1-300x85.png 300w\" sizes=\"(max-width: 495px) 100vw, 495px\" \/><p id=\"caption-attachment-46716\" class=\"wp-caption-text\">CHANGE A PASSWORD \u2013 UNABLE TO UPDATE THE PASSWORD. 
THE VALUE PROVIDED FOR THE NEW PASSWORD DOES NOT MEET THE LENGTH, COMPLEXITY, OR HISTORY REQUIREMENTS OF THE DOMAIN.<\/p><\/div>\n<p>This message is not very helpful for the user, as it does not say which requirement the new password still fails to meet. We would like to create a <strong>self-service password change portal to provide assistance<\/strong>. Before the password is sent to the Active Directory domain, the portal should tell the user what is still missing for the password to comply with the rules.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"What-password-rules-does-the-Active-Directory-recognize\"><\/span>What password rules does the Active Directory recognize?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before we deal with the portal, we must first determine which rules or policies exist and how they can be configured.<\/p>\n<p>The default password policy is applied to all user accounts in the domain and is defined in the Default Domain Policy. We can configure the Group Policy settings in the Group Policy Management Editor. 
To do this, we open Group Policy Management via the Administrative Tools.<\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46718 size-full\" title=\"Group Policy Management\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Group-Policy-Management-2.png\" alt=\"Group Policy Management\" width=\"601\" height=\"252\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Group-Policy-Management-2.png 601w, https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Group-Policy-Management-2-300x126.png 300w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><\/p>\n<p>There we go to the Default Domain Policy and open the edit view.<\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46720 size-full\" title=\"Default Domain Policy\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Default-Domain-Policy-3.png\" alt=\"Default Domain Policy\" width=\"601\" height=\"274\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Default-Domain-Policy-3.png 601w, https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Default-Domain-Policy-3-300x137.png 300w\" sizes=\"(max-width: 601px) 100vw, 601px\" \/><\/p>\n<p>In the edit view of the Default Domain Policy, the password settings can be found under \u201cComputer Configuration\\Policies\\Windows Settings\\Security Settings\\Account Policies\\Password Policy\u201d.<\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46722 size-full\" title=\"Password Policy\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Password-Policy-4.png\" alt=\"Password Policy\" width=\"277\" height=\"224\" \/><\/p>\n<p>You can also use the PowerShell command <strong>Get-ADDefaultDomainPasswordPolicy<\/strong> (from the ActiveDirectory module) to quickly retrieve the current settings.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter wp-image-46724 size-full\" title=\"PowerShell command Get-ADDefaultDomainPasswordPolicy\" 
src=\"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Get-ADDefaultDomainPasswordPolicy.png\" alt=\"PowerShell command Get-ADDefaultDomainPasswordPolicy\" width=\"494\" height=\"237\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Get-ADDefaultDomainPasswordPolicy.png 494w, https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Get-ADDefaultDomainPasswordPolicy-300x144.png 300w\" sizes=\"(max-width: 494px) 100vw, 494px\" \/><\/p>\n<p>For the sake of completeness, it should be mentioned that specific password policies can also be defined for a certain group of users, e.g. admins. A <strong>Fine-Grained Password Policy<\/strong> is used for this. However, this is a topic for a separate article.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Password-policy-settings-in-the-Active-Directory\"><\/span>Password policy settings in the Active Directory<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now that we have found out where the policies can be configured, let&#8217;s take a detailed look at the settings we can make.<\/p>\n<p><img decoding=\"async\" class=\"imgshadow aligncenter wp-image-46726 size-full\" title=\"Password policy settings in Active Directory\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Policy-settings-6.png\" alt=\"Password policy settings in Active Directory\" width=\"427\" height=\"168\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Policy-settings-6.png 427w, https:\/\/www.firstware.com\/wp-content\/uploads\/2024\/09\/Policy-settings-6-300x118.png 300w\" sizes=\"(max-width: 427px) 100vw, 427px\" \/><\/p>\n<table style=\"border-collapse: collapse; width: 100%;\">\n<tbody>\n<tr aria-rowindex=\"1\">\n<td style=\"width: 33.2329%;\" data-celllook=\"0\">\n<p><strong>Rule<\/strong><\/p>\n<\/td>\n<td style=\"width: 66.6667%;\" data-celllook=\"0\">\n<p><strong>Meaning<\/strong><\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"2\">\n<td style=\"width: 33.2329%;\" 
data-celllook=\"0\">\n<p>Enforce password history<\/p>\n<\/td>\n<td style=\"width: 66.6667%;\" data-celllook=\"0\">\n<p>For how many subsequent password changes a password is remembered so that it cannot be reused. If the value is 24, a password can only be reused after 24 changes.<\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"3\">\n<td style=\"width: 33.2329%;\" data-celllook=\"0\">\n<p>Maximum password age<\/p>\n<\/td>\n<td style=\"width: 66.6667%;\" data-celllook=\"0\">\n<p>The maximum number of days a password can remain unchanged before it must be changed.<\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"4\">\n<td style=\"width: 33.2329%;\" data-celllook=\"0\">\n<p>Minimum password age<\/p>\n<\/td>\n<td style=\"width: 66.6667%;\" data-celllook=\"0\">\n<p>The number of days a password must exist before it can be changed again.<\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"5\">\n<td style=\"width: 33.2329%;\" data-celllook=\"0\">\n<p>Minimum password length<\/p>\n<\/td>\n<td style=\"width: 66.6667%;\" data-celllook=\"0\">\n<p>The minimum number of characters a new password must have.<\/p>\n<\/td>\n<\/tr>\n<tr aria-rowindex=\"6\">\n<td style=\"width: 33.2329%;\" data-celllook=\"0\">\n<p>Password must meet complexity requirements<\/p>\n<\/td>\n<td style=\"width: 66.6667%;\" data-celllook=\"0\">\n<p>The password must meet the complexity requirements described in the next section.<\/p>\n<\/td>\n<\/tr>\n<tr 
aria-rowindex=\"7\">\n<td style=\"width: 33.2329%;\" data-celllook=\"0\">\n<p>Store password using reversible encryption<\/p>\n<\/td>\n<td style=\"width: 66.6667%;\" data-celllook=\"0\">\n<p>This setting should not be activated in most cases, as it is effectively the same as saving the password in plain text.<\/p>\n<p>We will therefore not go into it further in this article.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span class=\"ez-toc-section\" id=\"Importance-of-complexity-requirements\"><\/span>Importance of complexity requirements<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>I would like to take a closer look at the complexity rules, as they are essential for the quality of a password. The complexity rules are intended to ensure that a password is as random as possible and deviates as strongly as possible from normal text. This makes it more difficult for an attacker to guess the password or to find it using dictionary attacks.<\/p>\n<p>The following rules are checked via the Group Policy in the Active Directory:<\/p>\n<ul>\n<li>The user account name (samAccountName) must not be included.<\/li>\n<li>No parts of the user&#8217;s full name (cn, name) may be included. This is the case if more than 2 consecutive letters of the name are included.<br \/>\nE.g. Frank Anger may not have the password &#8216;P@fraKle123!&#8217;.<\/li>\n<li>The password must be at least 6 characters long.<\/li>\n<li>The password must contain at least 3 of the following types of characters:\n<ul>\n<li>Capital letters A-Z<\/li>\n<li>Lower case letters a-z<\/li>\n<li>Digits 0-9<\/li>\n<li>Special characters: '-!&quot;#$%&amp;()*,.\/:;?@[]^_`{|}~+&lt;=&gt;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The rules are checked each time the password is changed.<\/p>\n<p><a href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-10\/security\/threat-protection\/security-policy-settings\/password-must-meet-complexity-requirements\">https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/it-pro\/windows-10\/security\/threat-protection\/security-policy-settings\/password-must-meet-complexity-requirements<\/a><\/p>\n<h2 id=\"PasswordRulesPowerShell\"><span class=\"ez-toc-section\" id=\"Methods-for-checking-the-password-rules\"><\/span>Methods for checking the password rules<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Once we have established what good password rules are, we can move on to the methods for checking compliance with these rules.<\/p>\n<p>As mentioned at the beginning, Windows is not much help here, as it offers hardly any APIs for this. The only usable one is the <strong>NetValidatePasswordPolicy function<\/strong> (<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/lmaccess\/nf-lmaccess-netvalidatepasswordpolicy\">https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/lmaccess\/nf-lmaccess-netvalidatepasswordpolicy<\/a>).<\/p>\n<p>This function is mainly used by applications to check whether the passwords they manage themselves comply with the Active Directory password policy. 
For example, SQL Server can use this function for SQL Server authentication. An implementation example is given at the following link.<\/p>\n<p><a href=\"http:\/\/www.pinvoke.net\/default.aspx\/advapi32\/NetValidatePasswordPolicy.html\">pinvoke.net: NetValidatePasswordPolicy (advapi32)<\/a><\/p>\n<p>As you can see at the link above, this function is fairly complex to implement even with programming knowledge. In the end, however, it only tells us whether the password complies with the complexity rules or not. There is no meaningful feedback about which rule was violated.<\/p>\n<p>Therefore, our only option is to implement the password check ourselves and to check compliance with each rule separately. In this article, I use PowerShell to demonstrate some implementation examples.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Check-password-rules-with-PowerShell\"><\/span>Check password rules with PowerShell<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In PowerShell, we can check the input against the various rules and at the same time introduce our own quality criteria.<\/p>\n<p>A good option is to use regular expressions with the [regex]::Matches method, which lets us count how often a pattern occurs in the password. 
In the following, we will see what a check method could look like for each complexity criterion. The snippets assume that the new password is in $password and that the attributes of the user account are in $samAccountName, $displayName, $cn, $sn and $givenName; each failed check writes a message that the portal can show to the user.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"Checking-the-password-length\"><\/span>Checking the password length<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"lang:default decode:true \"># The lower bound is the AD minimum from the complexity rules, the upper bound is our own criterion\r\n$length = $password.Length\r\nif ( $length -lt 6 ) {\r\n    Write-Host \"The password needs at least 6 characters.\"\r\n}\r\nif ( $length -gt 20 ) {\r\n    Write-Host \"The password must not contain more than 20 characters.\"\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Checking-the-minimum-number-of-capital-letters\"><\/span>Checking the minimum number of capital letters<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"lang:default decode:true\"># [A-Z] only counts ASCII capitals; use \\p{Lu} instead to count capitals with diacritics as well\r\n$uppercaseCount = [regex]::Matches($password, \"[A-Z]\").Count\r\nif ( $uppercaseCount -lt 3 ) {\r\n    Write-Host \"The password needs at least 3 uppercase characters.\"\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Checking-the-minimum-number-of-lowercase-letters\"><\/span>Checking the minimum number of lowercase letters<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"lang:default decode:true\"># [a-z] only counts ASCII lowercase letters; \\p{Ll} would also count lowercase letters with diacritics\r\n$lowercaseCount = [regex]::Matches($password, \"[a-z]\").Count\r\nif ( $lowercaseCount -lt 3 ) {\r\n    Write-Host \"The password needs at least 3 lowercase characters.\"\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Checking-the-minimum-number-of-digits\"><\/span>Checking the minimum number of digits<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"lang:default decode:true\"># \\d matches any Unicode decimal digit; use [0-9] if only ASCII digits should count\r\n$digitCount = [regex]::Matches($password, \"\\d\").Count\r\nif ( $digitCount -lt 3 ) {\r\n    Write-Host \"The password needs at least 3 digits.\"\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Checking-the-minimum-number-of-special-characters\"><\/span>Checking the minimum number of special characters<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"lang:default decode:true\"># A single-quoted string keeps the backtick and the double quote literal inside the character class\r\n$specialCharCount = [regex]::Matches($password, '[-!\"#$%&amp;()*,.\/:;?@[\\]^_`{|}~+&lt;=&gt;]').Count\r\nif ( $specialCharCount -lt 3 ) {\r\n    Write-Host \"The password needs at least 3 special characters.\"\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Check-for-forbidden-words\"><\/span>Check for forbidden words<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"lang:default decode:true\"># Attributes of the user account; empty attributes (e.g. a missing surname) are skipped\r\n$bannedWords = @($samAccountName, $displayName, $sn, $givenName) | Where-Object { -not [string]::IsNullOrWhiteSpace($_) }\r\n\r\n# Split multi-part values such as \"Anger, Frank\" into their individual words\r\n$tab = [char]9\r\n$separators = [char[]](' ', ',', '.', '_', ';', $tab)\r\n$bannedWordsSplit = @()\r\nforeach ($word in $bannedWords) {\r\n    $bannedWordsSplit += $word.Split($separators, [System.StringSplitOptions]::RemoveEmptyEntries)\r\n}\r\n\r\n# Case-insensitive comparison: the password must not contain any of the words\r\n$passwordTest = $password.ToLowerInvariant()\r\nforeach ($word in $bannedWordsSplit) {\r\n    $wordTest = $word.Trim().ToLowerInvariant()\r\n    if ($wordTest.Length -gt 0 -and $passwordTest.Contains($wordTest)) {\r\n        Write-Host \"The password must not contain the word '$word'.\"\r\n    }\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Check-for-parts-from-the-user-name\"><\/span>Check for parts from the user name<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<pre class=\"lang:default decode:true\"># Returns $true if any run of $partLength consecutive characters of $bannedWord occurs in $password\r\nfunction Contains-Parts {\r\n    param (\r\n        [string]$password,\r\n        [string]$bannedWord\r\n    )\r\n\r\n    # The rule above forbids more than 2 consecutive letters of the name, i.e. runs of 3\r\n    $partLength = 3\r\n    if ([string]::IsNullOrWhiteSpace($bannedWord)) { return $false }\r\n\r\n    $testPassword = $password.ToLowerInvariant()\r\n    $testBannedWord = $bannedWord.ToLowerInvariant()\r\n\r\n    for ($i = 0; $i -le ($testBannedWord.Length - $partLength); $i++) {\r\n        $bannedWordPart = $testBannedWord.Substring($i, $partLength)\r\n        if ($testPassword.Contains($bannedWordPart)) {\r\n            return $true\r\n        }\r\n    }\r\n    return $false\r\n}\r\n\r\n$bannedWords = @($cn, $displayName, $samAccountName)\r\nforeach ($word in $bannedWords) {\r\n    if (Contains-Parts -password $password -bannedWord 
$word) {\r\n        Write-Host \"The password must not contain parts of the word '$word'.\"\r\n    }\r\n}<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Checking-the-password-history\"><\/span>Checking the password history<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Unfortunately, we cannot easily check the password history with a separate function of our own: the password history of a user cannot be read via an API.<\/p>\n<p>However, we can use the PowerShell command <strong>Set-ADAccountPassword<\/strong> to have the domain enforce the history after our own quality checks have passed: the domain controller rejects a new password that is still in the user&#8217;s history.<\/p>\n<p>It is important that the -Reset switch is not used for this, as a reset bypasses the password history check (and the minimum password age).<\/p>\n<pre class=\"lang:default decode:true\"># $oldPassword and $newPassword must be SecureString values, e.g. from Read-Host -AsSecureString\r\nSet-ADAccountPassword -Identity $user -OldPassword $oldPassword -NewPassword $newPassword<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Password-Change-Portal\"><\/span>Password-Change Portal<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>With the help of these PowerShell functions, we now have all the tools we need to set up a password change portal for users.<\/p>\n<p>For our customer, we were able to integrate this very easily into the self-service side of the IDM-Portal. We execute the PowerShell functions via our IDM-Portal PowerShellProvider service, <strong>which makes it easy to integrate PowerShell commands into the IDM-Portal<\/strong>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In this article, we have learned how important a high-quality password is and what its characteristics are. We have also developed methods to give our users meaningful feedback on their new passwords. 
With this help, we can enable users to implement the requirements for a secure password easily and effectively.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"More-about-FirstWare-IDM-Portal\"><\/span>More about FirstWare IDM-Portal<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><img decoding=\"async\" class=\"alignleft wp-image-36704\" title=\"IDM-Portal Hybrid IAM Solution\" src=\"https:\/\/firstware.com\/wp-content\/uploads\/2021\/08\/IDM-Portal-Hybrid-IAM-Loesung-1.png\" alt=\"IDM-Portal Hybrid IAM Solution\" width=\"238\" height=\"199\" srcset=\"https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/08\/IDM-Portal-Hybrid-IAM-Loesung-1.png 453w, https:\/\/www.firstware.com\/wp-content\/uploads\/2021\/08\/IDM-Portal-Hybrid-IAM-Loesung-1-300x250.png 300w\" sizes=\"(max-width: 238px) 100vw, 238px\" \/><a href=\"https:\/\/firstware.com\/en\/\">FirstWare IDM-Portal<\/a> from FirstAttribute is an integrated Identity and Access Management (IAM) solution that enables the automated management of users and their authorizations, whether on-premises or in the cloud.<\/p>\n<p>This portal integrates all facets of identity and access management and enables centralized access to identity and directory services.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How can we check password rules? Do they meet the complexity requirements? 
This article explains various methods for checking compliance [&hellip;]<\/p>\n","protected":false},"author":18,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[1835,1836],"tags":[1983,1984,1974,1968],"class_list":["post-46732","post","type-post","status-publish","format-standard","hentry","category-authorization-management-en","category-compliance-en","tag-password-change-en","tag-password-policy-en","tag-password-rules","tag-powershell-en"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.3 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Check password rules - FirstWare IDM-Portal<\/title>\n<meta name=\"description\" content=\"Check Password Rules - Implementation of password complexity rules via IDM-Portal using PowerShell. Skripts inclusive.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Check password rules - FirstWare IDM-Portal\" \/>\n<meta property=\"og:description\" content=\"Check Password Rules - Implementation of password complexity rules via IDM-Portal using PowerShell. 
Skripts inclusive.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/\" \/>\n<meta property=\"og:site_name\" content=\"FirstWare IDM-Portal\" \/>\n<meta property=\"og:image\" content=\"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png\" \/>\n<meta name=\"author\" content=\"Elysabeth Yven\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Elysabeth Yven\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/\"},\"author\":{\"name\":\"Elysabeth Yven\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#\\\/schema\\\/person\\\/1218d4546997de615b845bce65db7493\"},\"headline\":\"Check password rules\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/\"},\"wordCount\":1566,\"publisher\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/firstware.com\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/Change-a-passwort-1.png\",\"keywords\":[\"password change\",\"password policy\",\"Password rules\",\"PowerShell\"],\"articleSection\":[\"Authorization Management\",\"Compliance\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/\",\"url\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/\",\"name\":\"Check password 
rules - FirstWare IDM-Portal\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/firstware.com\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/Change-a-passwort-1.png\",\"description\":\"Check Password Rules - Implementation of password complexity rules via IDM-Portal using PowerShell. Skripts inclusive.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/#primaryimage\",\"url\":\"https:\\\/\\\/firstware.com\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/Change-a-passwort-1.png\",\"contentUrl\":\"https:\\\/\\\/firstware.com\\\/wp-content\\\/uploads\\\/2024\\\/09\\\/Change-a-passwort-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/check-password-rules\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Check password rules\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/\",\"name\":\"FirstWare IDM-Portal\",\"description\":\"Identity and Autorization Management in M365 and Active 
Directory\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#organization\",\"name\":\"FirstWare IDM-Portal\",\"url\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.firstware.com\\\/wp-content\\\/uploads\\\/2019\\\/06\\\/IDM-Portal.ico\",\"contentUrl\":\"https:\\\/\\\/www.firstware.com\\\/wp-content\\\/uploads\\\/2019\\\/06\\\/IDM-Portal.ico\",\"width\":1,\"height\":1,\"caption\":\"FirstWare IDM-Portal\"},\"image\":{\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/#\\\/schema\\\/person\\\/1218d4546997de615b845bce65db7493\",\"name\":\"Elysabeth Yven\",\"url\":\"https:\\\/\\\/www.firstware.com\\\/en\\\/blog\\\/author\\\/elysabeth-yven\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Check password rules - FirstWare IDM-Portal","description":"Check Password Rules - Implementation of password complexity rules via IDM-Portal using PowerShell. 
Skripts inclusive.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/","og_locale":"en_US","og_type":"article","og_title":"Check password rules - FirstWare IDM-Portal","og_description":"Check Password Rules - Implementation of password complexity rules via IDM-Portal using PowerShell. Skripts inclusive.","og_url":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/","og_site_name":"FirstWare IDM-Portal","og_image":[{"url":"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png","type":"","width":"","height":""}],"author":"Elysabeth Yven","twitter_misc":{"Written by":"Elysabeth Yven","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/#article","isPartOf":{"@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/"},"author":{"name":"Elysabeth Yven","@id":"https:\/\/www.firstware.com\/en\/#\/schema\/person\/1218d4546997de615b845bce65db7493"},"headline":"Check password rules","mainEntityOfPage":{"@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/"},"wordCount":1566,"publisher":{"@id":"https:\/\/www.firstware.com\/en\/#organization"},"image":{"@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/#primaryimage"},"thumbnailUrl":"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png","keywords":["password change","password policy","Password rules","PowerShell"],"articleSection":["Authorization Management","Compliance"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/","url":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/","name":"Check password rules - FirstWare 
IDM-Portal","isPartOf":{"@id":"https:\/\/www.firstware.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/#primaryimage"},"image":{"@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/#primaryimage"},"thumbnailUrl":"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png","description":"Check Password Rules - Implementation of password complexity rules via IDM-Portal using PowerShell. Skripts inclusive.","breadcrumb":{"@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/#primaryimage","url":"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png","contentUrl":"https:\/\/firstware.com\/wp-content\/uploads\/2024\/09\/Change-a-passwort-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.firstware.com\/en\/blog\/check-password-rules\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/www.firstware.com\/en\/"},{"@type":"ListItem","position":2,"name":"Check password rules"}]},{"@type":"WebSite","@id":"https:\/\/www.firstware.com\/en\/#website","url":"https:\/\/www.firstware.com\/en\/","name":"FirstWare IDM-Portal","description":"Identity and Autorization Management in M365 and Active 
Directory","publisher":{"@id":"https:\/\/www.firstware.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.firstware.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.firstware.com\/en\/#organization","name":"FirstWare IDM-Portal","url":"https:\/\/www.firstware.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.firstware.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.firstware.com\/wp-content\/uploads\/2019\/06\/IDM-Portal.ico","contentUrl":"https:\/\/www.firstware.com\/wp-content\/uploads\/2019\/06\/IDM-Portal.ico","width":1,"height":1,"caption":"FirstWare IDM-Portal"},"image":{"@id":"https:\/\/www.firstware.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.firstware.com\/en\/#\/schema\/person\/1218d4546997de615b845bce65db7493","name":"Elysabeth 
Yven","url":"https:\/\/www.firstware.com\/en\/blog\/author\/elysabeth-yven\/"}]}},"_links":{"self":[{"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/posts\/46732","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/comments?post=46732"}],"version-history":[{"count":0,"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/posts\/46732\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/media?parent=46732"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/categories?post=46732"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.firstware.com\/en\/wp-json\/wp\/v2\/tags?post=46732"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}