
# Password Policies

### What a password policy is

A password policy defines how users create, store, manage, and transmit passwords.

It has two required parts:

| Component       | What it means                                |
| --------------- | -------------------------------------------- |
| **Definition**  | Rules and expectations for password creation |
| **Enforcement** | Technology that ensures compliance           |

Both matter.

Rules without enforcement fail.

***

### Common standards

Use standards as a baseline.

Do not treat compliance as the security goal.

| Standard                      | Notes                                                     |
| ----------------------------- | --------------------------------------------------------- |
| **NIST SP 800-63B**           | Current guidance. Verifiers should not force periodic changes (only on evidence of compromise) and should screen new passwords against lists of common and breached values. |
| **CIS Password Policy Guide** | Baseline security controls.                               |
| **PCI DSS**                   | Compliance-focused. Required for payment environments.    |

> Compliance alone does not equal security.

***

### Password expiration debate

Older guidance pushed forced password changes every 60 to 90 days.

Modern guidance (NIST SP 800-63B) advises against it: change passwords when there is evidence of compromise, not on a schedule.

Forced rotation pushes users toward predictable increments that an attacker can enumerate in a few guesses.

#### Example

```
Initial attempt:  password123       → REJECTED
Sets:             Inlanefreight01!  → ACCEPTED
After rotation:   Inlanefreight02!  → ACCEPTED
```

The policy is enforced.

The password is still easy to predict: anyone who learns `Inlanefreight01!` (from a breach dump, a reused password, or a sprayed guess) needs only a handful of attempts to find the next one.

Routine expiration is now commonly disabled; passwords are changed when there is evidence of compromise.

***

### Sample password policy

An example policy may require:

* 8 or more characters
* Uppercase and lowercase letters
* At least one number
* At least one special character
* No username in the password
* Password change every 60 days (older guidance; this conflicts with the NIST SP 800-63B advice above and is best dropped in favour of screening new passwords against a blacklist)

#### Blacklisted words

Always block common weak patterns such as:

* Company name and close variations (leetspeak spellings, appended years or counters)
* Month names, season names, and common business words
* `password`, `123456`, `abcde`, and similar values
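The following script is an added example, not code from the original page. It implements the sample policy above as a checker, then shows the two points made earlier on this page together: every counter variant of `Inlanefreight01!` produced by forced rotation passes the composition rules, and only the blacklist (with a simple leetspeak normalisation) stops them. The blacklist contents, the leetspeak mapping, the username `jdoe` and the company name Inlanefreight (the placeholder company used in this page's own example) are all assumptions made for the example.

```python
import re
import string

# Rules of the sample policy on this page: 8+ chars, upper, lower, digit,
# special character, and no username inside the password.
SPECIALS = set(string.punctuation)

# Constructed blacklist for the example: company name (Inlanefreight, the
# placeholder company used on this page), months/seasons, and common values.
# Short words like "may" are left out because plain substring matching on
# them produces false positives.
BLACKLIST = [
    "inlanefreight", "password", "123456", "abcde", "welcome", "admin",
    "january", "february", "march", "april", "june", "july", "august",
    "september", "october", "november", "december",
    "spring", "summer", "autumn", "winter",
]

# Leetspeak substitutions used to catch "close variations" of blacklisted
# words (assumed mapping; extend it for your environment).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(text):
    """Lower-case and undo leetspeak so 'Inl4nefre1ght' matches 'inlanefreight'."""
    return text.lower().translate(LEET)


def check_policy(password, username, blacklist=()):
    """Return the names of the rules the password violates (empty list = accepted)."""
    failures = []
    if len(password) < 8:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIALS for c in password):
        failures.append("special")
    if username and username.lower() in password.lower():
        failures.append("username")
    lowered, normalized = password.lower(), normalize(password)
    if any(w.lower() in lowered or normalize(w) in normalized for w in blacklist):
        failures.append("blacklist")
    return failures


def rotation_candidates(accepted):
    """Enumerate the counter variants a rotation habit produces from one known
    password: 'Inlanefreight01!' -> 'Inlanefreight00!' .. 'Inlanefreight99!'."""
    match = re.fullmatch(r"(.*?)(\d+)(\D*)", accepted)
    if not match:
        return [accepted]          # no counter to increment
    prefix, counter, suffix = match.groups()
    width = len(counter)
    return [f"{prefix}{n:0{width}d}{suffix}" for n in range(10 ** width)]


def rotation_audit(accepted, username, blacklist):
    """Count how many rotation variants the policy accepts, with and without the blacklist."""
    candidates = rotation_candidates(accepted)
    accepted_plain = sum(1 for c in candidates if not check_policy(c, username))
    accepted_blacklisted = sum(
        1 for c in candidates if not check_policy(c, username, blacklist))
    return len(candidates), accepted_plain, accepted_blacklisted


if __name__ == "__main__":
    for pw in ["password123", "Inlanefreight01!", "Inl4nefre1ght02!"]:
        print(f"{pw:20} -> {check_policy(pw, 'jdoe', BLACKLIST) or 'ACCEPTED'}")
    total, plain, with_bl = rotation_audit("Inlanefreight01!", "jdoe", BLACKLIST)
    print(f"{total} rotation variants: {plain} pass the composition rules, "
          f"{with_bl} survive the blacklist")
```

The same `rotation_candidates` logic is what an attacker runs against a leaked or sprayed password, which is why a blacklist that covers the company name and its leetspeak variants matters more than the 60-day change rule.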

***

### Enforcing the policy

#### Technical enforcement

```
Active Directory → Group Policy Object (GPO) → Password Policy settings
```

In a domain, the default settings live in the Default Domain Policy under `Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy`. Stricter rules for specific groups (administrators, service accounts) use Fine-Grained Password Policies (Password Settings Objects), which override the domain defaults for the users they target.

#### Operational follow-up

1. Communicate the policy to users.
2. Apply it everywhere: web apps, identity providers, local accounts, and service accounts, not only the domain.
3. Verify it: periodically audit password hashes or new-password submissions against the blacklist, because a rule that is only documented is not enforced.

***

### Creating a strong password

#### Method 1 — Generated password

```
CjDC2x[U
```

This is strong.

It is also hard to remember without a password manager.

#### Method 2 — Passphrase

```
The name of my dog is Popy
The name of my dog is Popy!
```

Long passphrases are easier to remember.

They are often stronger than short complex passwords.

> Use phrases you can remember, then add extra complexity if needed.

Avoid phrases attackers can guess through OSINT.

Personal names, pets, birthdays, and public habits are common targets.
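The script below is an added example, not code from the original page. It generates both kinds of password with the CSPRNG-backed `secrets` module and puts numbers behind the claim that a long passphrase is often stronger than a short complex password: an 8-character random password drawn from the 94 printable ASCII characters has about 52 bits of entropy, while 5 words drawn at random from a 7776-word Diceware-style list have about 65 bits. The small word list, the 7776-word list size and the 10^9 guesses-per-second cracking rate are assumptions for illustration; the estimate only holds for randomly chosen words, so it says nothing about a self-chosen phrase like "The name of my dog is Popy", which an attacker can target through OSINT.

```python
import math
import secrets
import string

# Method 1 alphabet: the 94 printable ASCII characters (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Method 2: a Diceware/EFF-style list has 7776 words. The constructed list
# below is only a stand-in; entropy is computed from the size passed in.
DICEWARE_SIZE = 7776
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "orbit", "lantern",
                "quartz", "velvet"]  # constructed for this example


def entropy_bits(choices, length):
    """Entropy of `length` independent, uniformly random picks from `choices` options."""
    return length * math.log2(choices)


def worst_case_seconds(bits, guesses_per_second):
    """Time to exhaust the whole space at a given guess rate (expected time is half of it)."""
    return 2 ** bits / guesses_per_second


def generate_password(length=8, alphabet=ALPHABET):
    """Method 1: random password from a CSPRNG (`secrets`, never `random`)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words=5, wordlist=SAMPLE_WORDS, sep=" "):
    """Method 2: random words joined by a separator; strength comes from the list size."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(password_len=8, phrase_words=5, rate=1e9):
    """Compare a random password with a random passphrase at `rate` guesses/s
    (1e9/s is an assumed GPU rate against a fast, unsalted hash)."""
    pw_bits = entropy_bits(len(ALPHABET), password_len)
    pp_bits = entropy_bits(DICEWARE_SIZE, phrase_words)
    return {
        "password_bits": pw_bits,
        "password_days": worst_case_seconds(pw_bits, rate) / 86400,
        "passphrase_bits": pp_bits,
        "passphrase_years": worst_case_seconds(pp_bits, rate) / (86400 * 365),
    }


if __name__ == "__main__":
    print("generated:", generate_password())
    print("passphrase:", generate_passphrase())
    for key, value in compare().items():
        print(f"{key:18} {value:,.1f}")
```

Against a slow, salted hash (bcrypt, Argon2) the guess rate drops by orders of magnitude and both figures grow accordingly; the ratio between them does not change, which is the point of the comparison.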

#### Tools

| Tool                    | Purpose                           |
| ----------------------- | --------------------------------- |
| **PasswordMonster**     | Check password strength.          |
| **1Password Generator** | Generate secure random passwords. |

Never paste a real password into a third-party strength checker; test a throwaway password of the same pattern instead.

***

### Key takeaways

* Policy alone is not enough. It must be enforced.
* Forced rotation often creates `Password01` style patterns.
* Blacklists matter because attackers test company-specific words.
* Passphrases improve both strength and memorability.
* Password managers help users keep strong unique passwords.

