3.1.1.7.2 Cleartext Password Policy

This constraint is referenced when a cleartext password is updated.

The following constraints MUST be satisfied; on error, the server MUST return a processing error. For more information on error codes, see section 3.1.5.

  1. The value MUST be interpreted as a UTF-16 encoded string. If the length of the value is an odd-byte count, ignore the final byte, interpret the remaining characters as a UTF-16 encoded string, and ignore the last constraint (starting with the text "If the Effective-PasswordComplexityEnabled value...").

  2. The value MUST be less than or equal to 256 characters (this constraint is called the "maximum password length constraint").

  3. The value MUST satisfy all of the following constraints if all of the following conditions are met:

    1. Conditions:

      1. The userAccountControl attribute value contains UF_NORMAL_ACCOUNT.

      2. objectSid does not have the DOMAIN_USER_RID_KRBTGT value as the RID.

      3. userAccountControl does not contain UF_PASSWD_NOTREQD.

    2. Constraints:

      1. The number of characters in the value MUST not be smaller than the value of the Effective-MinimumPasswordLength attribute (see section 3.1.1.5). This constraint is called the "minimum password length constraint".

      2. The value MUST NOT contain the sAMAccountName attribute value as a case-insensitive substring if that value contains more than two characters.

      3. The value MUST NOT contain any case-insensitive portion of the displayName attribute value that is greater than two characters and delimited by one or more of the following characters.

        Hexadecimal value    Character encoded
        0x0020               [SP]
        0x002c               ,
        0x002e               .
        0x0009               [HT]
        0x002d               -
        0x005f               _ (underscore)
        0x0023               #

      4. If the Effective-PasswordComplexityEnabled value (see section 3.1.1.5) is set, the password MUST contain characters from at least three of the following five classes:

        1. English uppercase letters: characters 0x41 to 0x5a, inclusive.

        2. English lowercase letters: characters 0x61 to 0x7a, inclusive.

        3. Westernized Arabic numerals: characters 0x30 to 0x39, inclusive.

        4. Any character from [UNICODE3.1] that is categorized as Lu, Ll, Lt, Lm, or Lo.

        5. The following characters.

          Hexadecimal value    Character encoded
          0x0028               (
          0x0060               `
          0x007e               ~
          0x0021               !
          0x0040               @
          0x0023               #
          0x0024               $
          0x0025               %
          0x005e               ^
          0x0026               &
          0x002a               *
          0x005f               _ (underscore)
          0x002d               -
          0x002b               +
          0x003d               =
          0x007c               |
          0x005c               \
          0x007b               {
          0x007d               }
          0x005b               [
          0x005d               ]
          0x003a               :
          0x003b               ;
          0x0022               "
          0x0027               '
          0x003c               <
          0x003e               >
          0x002c               ,
          0x002e               .
          0x003f               ?
          0x0029               )
          0x002f               /
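The constraints above, carried through as one check, as an added example that is not the specification's or Windows' own code. It assumes the well-known values UF_NORMAL_ACCOUNT = 0x0200, UF_PASSWD_NOTREQD = 0x0020 and DOMAIN_USER_RID_KRBTGT = 502, decodes the value as little-endian UTF-16, and uses Python's case folding for the case-insensitive comparisons (the text does not fix the folding algorithm). The account and policy values at the bottom are constructed sample input; the Account, Policy and check_cleartext_password names are this example's, not the spec's.

```python
"""Reference check for the cleartext password policy of [MS-ADTS] 3.1.1.7.2.

Added example, not the specification's or Windows' own code. Assumes the
well-known flag and RID values below; the sample account and policy at the
bottom are constructed input.
"""
import re
import unicodedata
from dataclasses import dataclass

UF_PASSWD_NOTREQD = 0x0020        # well-known userAccountControl bit (assumed)
UF_NORMAL_ACCOUNT = 0x0200        # well-known userAccountControl bit (assumed)
DOMAIN_USER_RID_KRBTGT = 502      # well-known RID of the krbtgt account (assumed)

MAX_PASSWORD_LENGTH = 256                                   # constraint 2
DISPLAYNAME_DELIMITERS = re.compile(r"[ ,.\t\-_#]+")        # constraint 3.2.3 table
SPECIAL_CHARS = set("(`~!@#$%^&*_-+=|\\{}[]:;\"'<>,.?)/")    # class 5 table
LETTER_CATEGORIES = {"Lu", "Ll", "Lt", "Lm", "Lo"}           # class 4
ASCII_LETTERS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


@dataclass
class Account:
    sam_account_name: str      # sAMAccountName
    display_name: str          # displayName
    user_account_control: int  # userAccountControl
    rid: int                   # RID portion of objectSid


@dataclass
class Policy:
    minimum_password_length: int  # Effective-MinimumPasswordLength
    complexity_enabled: bool      # Effective-PasswordComplexityEnabled


def decode_password(raw: bytes) -> tuple[str, int, bool]:
    """Constraint 1: interpret the value as UTF-16 (little-endian, as AD stores
    it). An odd trailing byte is dropped, which also disables the complexity
    constraint. Returns (text, UTF-16 code-unit count, odd_byte_seen)."""
    odd = len(raw) % 2 == 1
    if odd:
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="surrogatepass"), len(raw) // 2, odd


def display_name_portions(display_name: str) -> list[str]:
    """Constraint 3.2.3: the delimiter-separated portions of displayName that
    are longer than two characters."""
    return [p for p in DISPLAYNAME_DELIMITERS.split(display_name) if len(p) > 2]


def password_classes(pw: str) -> int:
    """Constraint 3.2.4: how many of the five character classes are present."""
    upper = any("A" <= c <= "Z" for c in pw)   # class 1, 0x41..0x5a
    lower = any("a" <= c <= "z" for c in pw)   # class 2, 0x61..0x7a
    digit = any("0" <= c <= "9" for c in pw)   # class 3, 0x30..0x39
    # Class 4: Unicode letters (Lu, Ll, Lt, Lm, Lo). ASCII letters already fall
    # under classes 1 and 2, so this example does not count them a second time;
    # the text lists the classes without saying how that overlap is handled, so
    # this is a reading choice. Python's tables are newer than [UNICODE3.1].
    other = any(c not in ASCII_LETTERS and unicodedata.category(c) in LETTER_CATEGORIES
                for c in pw)
    special = any(c in SPECIAL_CHARS for c in pw)   # class 5
    return upper + lower + digit + other + special


def check_cleartext_password(raw: bytes, acct: Account, pol: Policy) -> list[str]:
    """Return the names of the violated constraints; an empty list means the
    update is accepted. A server would map a non-empty result to a processing
    error (section 3.1.5)."""
    pw, units, skip_complexity = decode_password(raw)
    errors = []
    if units > MAX_PASSWORD_LENGTH:
        errors.append("maximum password length constraint")

    # Constraint 3 applies only when all three conditions hold.
    uac = acct.user_account_control
    applies = (uac & UF_NORMAL_ACCOUNT
               and acct.rid != DOMAIN_USER_RID_KRBTGT
               and not uac & UF_PASSWD_NOTREQD)
    if not applies:
        return errors

    if units < pol.minimum_password_length:
        errors.append("minimum password length constraint")
    folded = pw.casefold()   # case-insensitive comparison; algorithm not fixed by the text
    sam = acct.sam_account_name
    if len(sam) > 2 and sam.casefold() in folded:
        errors.append("password contains sAMAccountName")
    for portion in display_name_portions(acct.display_name):
        if portion.casefold() in folded:
            errors.append(f"password contains displayName portion {portion!r}")
            break
    if pol.complexity_enabled and not skip_complexity and password_classes(pw) < 3:
        errors.append("password complexity constraint")
    return errors


# Constructed sample input (not from the specification).
SAMPLE_ACCOUNT = Account("jsmith", "John Smith-Doe", UF_NORMAL_ACCOUNT, 1105)
SAMPLE_POLICY = Policy(minimum_password_length=8, complexity_enabled=True)

if __name__ == "__main__":
    for candidate in ("Correct-Horse-9", "johnSMITH99!", "Jsmith1234!", "Short1!", "longpassword"):
        result = check_cleartext_password(candidate.encode("utf-16-le"), SAMPLE_ACCOUNT, SAMPLE_POLICY)
        print(candidate, "->", result or "accepted")
```

Two details are worth checking against any implementation you compare this with: a value with an odd byte count is still accepted once the trailing byte is dropped, but the complexity constraint is silently skipped for it, and the krbtgt account and any account carrying UF_PASSWD_NOTREQD are subject only to the 256-character maximum. Lengths are counted in UTF-16 code units, as the text's "characters" implies, so a supplementary-plane character counts as two.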