Getting started with Lithnet Password Protection - Part 3 - Rewarding password length over complexity

Password complexity requirements can be frustrating. It comes as no surprise that the current NIST guidelines recommend doing away with them altogether. There was no way I was getting approval to do that across the board in my organization, but I could make the case for having less stringent requirements on longer passwords. Lithnet Password Protection for Active Directory (LPP) has a built-in policy to do exactly this. You can define up to 3 password-length thresholds, each with its own complexity requirements.

In my organization, we still have the usual '3 out of 4' character set policy in place for passwords fewer than 13 characters in length. However, we decided that passwords over 13 characters would have no special requirements. You'll need to determine what rules are appropriate for your organization. Use resources such as https://howsecureismypassword.net/ to help you gauge the relative strength of passwords based on length and character sets, and come t
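
As an added illustration (not code from LPP or from the original post), the Python below models a length-tiered rule set like the one described above: the highest length threshold a password reaches decides how many of the four character sets it must contain. `Tier`, `TIERS`, `MIN_LENGTH`, `charsets_used` and `evaluate` are hypothetical names, the 8-character minimum is assumed, and treating a password of exactly 13 characters as belonging to the long tier is an assumption, since the post only mentions lengths under and over 13.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    """One length threshold and the character-set rule that applies from it."""
    min_length: int      # tier applies to passwords of at least this length
    required_sets: int   # how many of the 4 character sets must appear


# Constructed policy mirroring the post: '3 out of 4' below 13 characters,
# no character-set requirement for longer passwords. Placing the boundary at
# exactly 13 and using an 8-character minimum are assumptions of this example.
MIN_LENGTH = 8
TIERS = [Tier(min_length=MIN_LENGTH, required_sets=3),
         Tier(min_length=13, required_sets=0)]


def charsets_used(password: str) -> int:
    """Count how many of lower, upper, digit and symbol occur in the password."""
    checks = (str.islower, str.isupper, str.isdigit,
              lambda c: not c.isalnum())   # anything else counts as a symbol
    return sum(any(check(c) for c in password) for check in checks)


def evaluate(password: str, tiers=TIERS):
    """Return (accepted, reason) using the highest tier the length reaches."""
    reached = [t for t in tiers if len(password) >= t.min_length]
    if not reached:
        return False, "shorter than the minimum length"
    tier = max(reached, key=lambda t: t.min_length)
    used = charsets_used(password)
    if used < tier.required_sets:
        return False, f"needs {tier.required_sets} of 4 character sets, has {used}"
    return True, f"meets the rule for length >= {tier.min_length}"


if __name__ == "__main__":
    # Constructed sample passwords, including both sides of the 13 boundary.
    for sample in ("Summer2024", "summer2024", "correct horse battery",
                   "abcdefghijklm", "abcdefghijkl"):
        print(f"{sample!r:26} {evaluate(sample)}")
```

Running the boundary cases (12 and 13 lowercase letters) before rollout shows which side of the threshold a given length falls on under the rule set you chose.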