AD is configured with a default domain password policy. To view the password policy:
The maximum length of a password supported by AD is 256 characters. However, the maximum length of a password that a human user could actually type to log into Windows is 127 characters (the limitation is in the Windows GUI).
Password policies control which passwords the domain accepts and how long they stay valid: minimum length, complexity, history, minimum and maximum age, and account lockout. By default AD applies preset restrictions through the Default Domain Policy. Microsoft recommends the following default policy settings:
Passwords stored in AD are hashed. When a user sets a password, a one-way hash function transforms it into a fixed-length value known as a “hash”, so passwords of different lengths all produce hashes of the same size. Hashing is not encryption: there is no key and nothing to decrypt, and the function is designed so that the password cannot be recovered from the hash. An attacker can still guess candidate passwords, hash each one and compare the result. The hash AD stores for NTLM authentication is the NT hash: MD4 computed over the UTF-16LE encoding of the password.
The NT hash is not salted. Salting is an extra step in password hashing that mixes a random per-user value into the password before it is hashed, so two users with the same password get different hashes and precomputed (rainbow) tables become useless. Because AD omits it, identical passwords produce identical NT hashes, and an attacker who obtains a dump of them (from ntds.dit or through directory replication) can hash each candidate once and compare it against every account at the same time; MD4 is also very fast to compute, so guessing is cheap. A salt is no cure for weak passwords either: even a salted hash falls quickly when the user has chosen a very common password, because the attacker simply hashes the candidate together with that user's salt. (The Kerberos AES keys AD derives from the same password are salted with the realm and user name, but that does not protect the NT hash.)
By default, user passwords expire after 42 days (the maximum password age in the Default Domain Policy), after which the user has to set a new one. Admins can shorten or lengthen this range, or disable expiry. (Domain-joined computers change their own machine-account passwords automatically every 30 days by default; that is a separate setting and does not apply to user accounts.)
Yes, you can check the Last Password Changed information for a user account in AD. It is stored in an attribute called “PwdLastSet” as a Windows FILETIME, i.e. the number of 100-nanosecond intervals since 1 January 1601 UTC. You can view the raw value with the Microsoft “ADSI Edit” tool; a value of 0 means the user must change the password at the next logon. The Active Directory PowerShell module shows the same value converted to a date as the PasswordLastSet property of Get-ADUser.
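As an added example (not from the original page), the script below decodes the raw values an admin sees in ADSI Edit: the password-policy attributes on the domain object (maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties, lockoutThreshold, the same values Get-ADDefaultDomainPasswordPolicy reports) and pwdLastSet on user objects, and works out whether each user's password is valid, expired, never expires, or must be changed at next logon. The domain and user attribute values are constructed; fetching them from a live directory over LDAP is outside the example.

```python
"""Added example, not from the original page: decoding the raw password-policy
attributes of the domain object and the pwdLastSet attribute of user objects,
which is what ADSI Edit displays in unconverted form.

All attribute values below are constructed. Reading them from a live directory
(an LDAP search against the domain naming-context root and the user objects)
is outside this example.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -0x8000000000000000     # maxPwdAge value meaning passwords never expire
UF_DONT_EXPIRE_PASSWD = 0x10000         # userAccountControl: per-account "never expires"
DOMAIN_PASSWORD_COMPLEX = 0x1           # pwdProperties: complexity requirements on
DOMAIN_PASSWORD_STORE_CLEARTEXT = 0x10  # pwdProperties: reversible encryption on (avoid)


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100-ns ticks since 1601-01-01 UTC), the format of pwdLastSet."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # floor-divide timedelta by timedelta to stay in exact integer microseconds
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def interval_to_timedelta(interval: int) -> timedelta:
    """AD stores durations (maxPwdAge, minPwdAge, lockoutDuration) as NEGATIVE
    100-ns tick counts; -36288000000000 is 42 days."""
    return timedelta(microseconds=(-interval) // 10)


def describe_policy(domain: dict) -> dict:
    """Turn the domain object's raw attributes into the policy as an admin reads it."""
    max_age = domain["maxPwdAge"]
    return {
        "max_password_age_days": None if max_age == NEVER_EXPIRES
        else interval_to_timedelta(max_age).days,
        "min_password_age_days": interval_to_timedelta(domain["minPwdAge"]).days,
        "min_password_length": domain["minPwdLength"],
        "password_history": domain["pwdHistoryLength"],
        "complexity_required": bool(domain["pwdProperties"] & DOMAIN_PASSWORD_COMPLEX),
        "reversible_encryption": bool(domain["pwdProperties"] & DOMAIN_PASSWORD_STORE_CLEARTEXT),
        "lockout_threshold": domain["lockoutThreshold"],  # 0 means accounts never lock out
    }


def password_status(user: dict, domain: dict, now: datetime) -> dict:
    """Last-change time and expiry for one user, honouring the three special cases:
    pwdLastSet == 0 (must change at next logon), the per-account DONT_EXPIRE flag,
    and a domain maxPwdAge of 'never'."""
    pls = user["pwdLastSet"]
    if pls == 0:
        return {"state": "must-change-at-next-logon", "last_set": None, "expires": None}
    last_set = filetime_to_datetime(pls)
    if user["userAccountControl"] & UF_DONT_EXPIRE_PASSWD or domain["maxPwdAge"] == NEVER_EXPIRES:
        return {"state": "never-expires", "last_set": last_set, "expires": None}
    expires = last_set + interval_to_timedelta(domain["maxPwdAge"])
    return {"state": "expired" if now >= expires else "valid",
            "last_set": last_set, "expires": expires}


# Constructed domain object carrying the Default Domain Policy defaults:
# 42-day max age, 1-day min age, 7 chars, 24 remembered, complexity on, no lockout.
DOMAIN_DEFAULTS = {
    "maxPwdAge": -36288000000000,
    "minPwdAge": -864000000000,
    "minPwdLength": 7,
    "pwdHistoryLength": 24,
    "pwdProperties": DOMAIN_PASSWORD_COMPLEX,
    "lockoutThreshold": 0,
}

# Constructed users; 133485408000000000 is 2024-01-01T00:00:00Z as a FILETIME,
# and 0x200 is the NORMAL_ACCOUNT bit of userAccountControl.
USERS = {
    "alice": {"pwdLastSet": 133485408000000000, "userAccountControl": 0x200},
    "svc-backup": {"pwdLastSet": 133485408000000000,
                   "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD},
    "newhire": {"pwdLastSet": 0, "userAccountControl": 0x200},
}


def main() -> None:
    print("policy:", describe_policy(DOMAIN_DEFAULTS))
    now = utc(2024, 3, 1)
    for name, attrs in USERS.items():
        print(name, password_status(attrs, DOMAIN_DEFAULTS, now))


if __name__ == "__main__":
    main()
```

When auditing, the accounts flagged "never-expires" are the ones to look at first: DONT_EXPIRE_PASSWD is commonly set on service accounts whose passwords then stay unchanged for years, and a maxPwdAge of 0x8000000000000000 (displayed as a huge negative number) silently disables expiry for the whole domain.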