Despite the fact that hackers often breach organizational networks by leveraging a compromised password, many organizations still allow employees to set weak passwords that are easy to guess. Weak passwords are still the norm, and bad practices like reusing passwords or using usernames as passwords are rampant. Password statistics from 2019 depict worrying figures on poor password hygiene:

Verizon reports that compromised passwords were responsible for
81 percent of hacking-related breaches.
The top five most commonly used passwords of 2019 were:
  •  123456 (23.2m)
  •  123456789 (7.7m)
  •  qwerty (3.8m)
  •  password (3.6m)
  •  111111 (3.1m)
Over 44 million Microsoft users were vulnerable to account compromise, as they employed passwords that have already been leaked.

Your download is in progress and it will be complete in just a few seconds! If you face any issues, download manually here

Improve password security with ADSelfService Plus!

Please enter business email address
  • By clicking 'Download', you agree to processing of personal data according to the Privacy Policy.

Password strength contributes to
data security

Exposure of even a single employee password can jeopardize the security of organizational data. Data breaches not only cost organizations their revenue and reputation, but can also lead to legal ramifications. Since passwords are our first line of defense against cyberattacks, they must be chosen carefully. Ensuring employees create strong passwords for their business accounts is the first step towards data security. Strong passwords are difficult to compromise and help prevent hijacked accounts and data leaks.

Pillars of password strength

Use the below factors as a guide to ensure employees create strong passwords:


    Create a password that uses all character types—uppercase and lowercase letters, numbers, and symbols.

    Adequate length

    Maintain a formidable password length. Microsoft recommends a minimum password length of eight characters.


    Setting common words like password and admin should be avoided.

    No patterns

    Avoid common patterns like 12345 and qwerty. Palindromes are also better left out.

    No dictionary words

    Steer clear of using organization-related words like company names or number sequences like employee IDs as passwords.

    Minimized repetition

    Avoid reusing a password multiple times for the same account or using passwords that are similar to usernames.


Passphrases are a good alternative to passwords. They are longer and easier to remember.

Enforcing secure
passwords through
password policies

While complying with the guidelines mentioned above can help create strong passwords that are resistant to hacks, making sure your organization's employees follow them can be quite the task. Enforcing password policies helps admins achieve this and helps meet regulatory compliance. Password policies are rules that, when enforced during password change and password reset, permit the creation of passwords only when all the guidelines are adhered to.

Custom password policy enforcer for Active Directory and cloud applications.

Download your free trial today!

Active Directory
password policy

Active Directory provides domain password policies that help admins mandate parameters like complexity, length, and age of the domain passwords. The password policy is created by configuring policy settings according to the organization's security stance. These settings are:

Password history

Set the number of new passwords that must be used before an old password can be reused.

Maximum password age

Specify the maximum time that a password can be used before a change is mandated.

Minimum password age

Set the minimum amount of time that a password has to be used for before it can be changed.

Minimum password length

Mandate the minimum number of characters that the password must contain.

Passwords must meet complexity requirements:

The following rules must be complied with to satisfy this setting:

  •  Should not contain the user’s account name or parts of the user’s full name exceeding two consecutive characters in common.
  •  Be at least six characters in length.
  •  Contain characters from three of the four character types (uppercase and lowercase letters, numbers, and symbols).

Fine-grained password policies

Active Directory also offers Fine-Grained Password Policies (FGPPs). These policies can be, as the name suggests, configured on a granular level for specific sets of users. FGPPs are composed of the same five settings as domain password policies. Here are some differences between the two:

Domain passwords policies
  • There can only be one domain password policy for all the users in a single domain.
  • Domain password policies are created in Group Policy Objects.
  • Separate domain password policies need to be created for different domains.
Fine-Grained Password Policies
  • Multiple FGPPS can be applied to groups of users in a single domain.
  • FGPPS are created using Password Setting Containers.
  • More than one group can fall under a single FGPP.

The pitfalls of Active Directory
password policies

Although domain password policies and FGPPs help ensure that domain users uphold strong password creation and regular password updates, they come with their own set of challenges.

  •  They cannot be applied to specific OUs.
  •  Dictionary words, patterns, and palindromes cannot be restricted.
  •  Consecutive repetition of the same character cannot be prevented.
  •  The Password must meet complexity requirements policy setting cannot be customized to specify the number of characters that must be used for a certain character type.
  •  The password policy cannot be enforced during password reset by admins in the ADUC.

How ADSelfService Plus goes a step further

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution. It offers the Password Policy Enforcer feature that allows admins to create and enforce custom password policies for Active Directory and cloud application passwords.

The password policies can be created by configuring the required policy rules from the list provided. The rules are offered to ensure the passwords created by employees are secure according to four factors:

  • Characters
  • Patterns
  • Repetition
  • Length
  •  Specify the number of uppercase and lowercase letters, numerals, and symbols that must be included.
  •  Specify the character type the password must begin with.
  •  Mandate the inclusion of Unicode characters.
  •  Restrict the use of palindromes.
  •  Prevent the use of dictionary words and patterns from a customizable list.
  •  Restrict character repetition.
  •  Prevent the use of consecutive characters from usernames and old passwords.
  •  Specify both the minimum and maximum password lengths allowed.


Fine-grained application

Custom password policies can be applied to users belonging to specific domains, OUs, and groups. Different password policies can be applied to particular applications as well.


Password policies that help comply with password requirements for regulations like NIST, CJIS, PCI DSS, and HIPAA.

Password strength analyzer

This meter depicts how strong the user's password is during creation.

Universal password policy

The password policy created can be enforced during password changes using the Ctrl+Alt+Del portal and password resets using the ADUC console. Password policies can also be applied for accounts of enterprise applications.

Password policy display

The password policy requirements will be displayed during password changes and resets.

Other password security features offered

Integration with Have I Been Pwned?

ADSelfService Plus' integration with Have I Been Pwned?—the service that compiles and updates databases of exposed credentials—prevents employees from using passwords that have previously been exposed.

Weak passwords report

This tool helps you find weak passwords in Active Directory by comparing users’ passwords against a list of over 100,000 commonly used weak passwords. When it finds a match, the report will display the users' details. You can then force a password change for these employees.

Password audits

ADSelfService Plus offers reports that audit password-based actions like password resets and changes performed by the user. Detailed information like the time of the action and device from which it was performed is stored as well.

While creating strong passwords can contribute to data security, including additional authentication methods through multi-factor authentication can further strengthen system and network security. ADSelfService Plus helps secure local and remote access to endpoints and enterprise applications through multi-factor authentication.

Customer Testimonials

  • Now users do not have to travel to the office to perform Active Directory Password Reset. Helpdesk calls related to password reset have been reduced by 100%

    - Chris Jackson,
    Systems Administrator, TXP Corporation.
  • Other options, were requiring a modification of the Active Directory schema, I liked that ADSelfService Plus did not. The ability to ‘brand’ the tool to our School was also important

    - Robert Peterson,
    Technical Support Manger, The Principia.
  • The deployment is very simple, which makes it nearly fun. We didn’t find any other software which is that fast in deployment like ADSelfService Plus. The Instructions are clear and straight forward; the support is working great

    - Matthias Ziolek,
    Manager, Landratsamt Schwarzwald-Baar-Kreis.
  • IT is not spending time on resetting passwords and changing personal details on AD anymore. It's taken care by ADSelfService Plus.

    - Erdem Aksoy,
    Chief ITSM at CIMTAS Group.
  • ADSelfService Plus is a tool that we consider indispensable. It is the right tool for the job. Any company that relies on Active Directory authentication with password expiry will benefit from using it.

    - Chris Jackson,
    Systems Administrator, TXP Corporation.
  • ADSelfService Plus is good turnkey solution. It forcing users to update AD. Other systems depend on this updates, such as VoIP systems, SharePoint. Also reduction in calls logged for password reset.

    - Sugan Moodley,
    Service Delivery Manager, Datacentrix Services.
  • This deployment was extremely simple and cost-effective. Installation was completed within a matter of minutes. Configuration was simple. Your support team is always there every step of the way whenever we needed a hand. We feel that the time saved from having to have a technician reset passwords will be a good return on investment.

    - Patrick Hong,
    Helpdesk Manager, National Veterinary Associates.
Download Now  
© 2020, Zoho Corporation Pvt. Ltd. All Rights Reserved.