Password Policy Recommendations for 2020

We commonly receive a questions similar to what we recommend for a password policy or what our customers are currently doing for their organization’s password policy after deploying password blacklisting.  Well, here’s Password RBL’s recommendation from 2019 (and still holds true today) and unsurprisingly, it’s also what many of our customers are doing, too.

While these recommendations are specific to Windows/Active Directory and Password Firewall, the same concepts can be applied to our API customers protecting a website or app.

Password Policy settings:

  • Change the AD password policy to be a single, easy to understand, policy for the whole organization
  • Set a longer minimum length requirement (commonly 10 or 12 characters)
  • Enforce Password History of 24 (so people cannot use a previously chosen password)
  • Minimum Password Age (typically 1 day to avoid people continually changing passwords to defeat the history requirement)
  • Complexity requirements disabled (use a Password Firewall feature instead)
  • Maximum Password Age is increased (commonly 180 days or 1 year)  <- end-users love this!


Password Firewall settings:

  • Enable Required Character Sets option (commonly 2 or 3) – this replaces the AD password complexity requirement
  • Populate and use the custom blacklist feature (optional)
  • Optionally also query the Pwned Passwords blacklist (in addition to the Password RBL curated blacklist)
  • Enable Password Double-Check (eliminates end-users simply adding digits to the end of bad passwords)


After doing this, organizations can be confident that their employees are choosing strong passwords. Yes, users will need to update their password in 180 days or 1 year, but this is not very inconvenient and when they do, their password choice is scrutinized against blacklists again (to catch any passwords that have since been added to the blacklists).

Now, these organizations have an easy to understand password policy with a good length requirement (10+ characters), easy to meet complexity requirements, and they know that all the passwords in their Active Directory have already been scrutinized against up to 3 blacklists.  Therefore, even if the business is hit by a credential stuffing/password spray attack, which will probably happen, it will not be successful.