Protecting Active Directory (AD) accounts starts with strong password policies, backed by consistent enforcement across the organization. However, make the rules too weak and you increase your attack surface; make them too strict and users will find workarounds, such as writing passwords down, reusing them across systems, or adding a predictable “!” to the end of the last version.
The challenge is enforcing modern, resilient password standards that avoid increasing helpdesk tickets or frustrating the people you’re trying to protect. However, with the right approach, you can strengthen your AD password posture and make life easier for users at the same time.
Adopt passphrases over complex passwords
Traditional password complexity rules are frustrating, and do not provide the protection needed for today’s threat landscape. When people are forced to include symbols, numbers, and mixed cases, they tend to fall back on memorable, but guessable, options like Password!2026.
A better approach is to prioritize length over complexity with passphrases. Longer passwords made up of multiple words are easier to remember and significantly harder to crack. NIST recommends allowing passwords up to 64 characters.








