Skip links

Using Regex to Implement Passphrases in Your Active Directory



Users often create weak and easily guessed passwords they reuse across systems and websites. As a result, traditional passwords are often the weakest link in the security of business-critical authentication systems.

However, the passphrases provide a superior type of password for authentication. They allow humans to create strong passwords they can remember.

Furthermore, you can use regex (regular expression) to effectively help develop solid passphrases and ensure these do not contain weak elements. Let’s see how.

Why passphrases are the superior password format

First of all, what is a passphrase? A passphrase is a much easier way to create a strong and memorable password than a typical password. So, a passphrase is a password that uses a unique technique for its creation. We can best illustrate this with a real-life example of two passwords that would both be considered strong passwords.

Traditional password – l$RhO3M65KJjp
Passphrase – kingbigpossessoreffects

As you can see from the two examples above, both are strong passwords. While it is unlikely that someone could remember the password, the passphrase, while strong, is much more human-readable and memory friendly.

Allowing users to create passphrases in addition to passwords offers the flexibility to use passphrase techniques to create strong and easy-to-remember passwords. It also encourages users to break the mold of using stale, weak and reused passwords across multiple systems.

Active Directory passphrase challenges

With most organizations today using Microsoft’s Active Directory Domain Services as their on-premises identity and access management authentication solution, it creates challenges for admins looking to bolster their password security. It lacks several key elements required for modern password security.

Active Directory password security limitations:

You can’t disallow context-specific passwords
Lacks incremental password blocking
It contains no native breached password detection
Without a custom password filter .DLL, you can’t easily block words in a password dictionary
No way to bolster passphrase support

Let’s focus on the inability to block content-specific words used in passwords. What does this mean? Attackers often use the company name or other relevant words when attempting to brute force passwords or in password-spraying attacks.

For example, if the company name is Wacky Widgets, an attacker would assume that some users would use the word “wacky” or “widgets” as part of their password or passphrase. It is just one example of how an attacker can think like an end-user and potentially crack passwords used in the environment. Additionally, it extends to the company’s specific product names, solutions, or services, as users will likely use these in their company-specific passwords.

Using effective Regex queries in your Active Directory

What is Regex?

Regex is short for Regular Expression. A regex pattern is a sequence of characters that defines a search pattern used to match characters or sections of a text string. These regex patterns can be a powerful way to find and match specific patterns, such as those often found in passwords.

What checks can be made with regex queries against user passphrases in the environment? With regex queries, the possibilities are endless. However, as an example, regex can help identify and filter the following passphrase elements in your Active Directory environment and can be used with custom requirements to define passphrases used in the environment. Here are a few effective regex solutions you can deploy in your Active Directory:

Look-ahead and behind
Block dictionary words
Block consecutive characters
Enforce specific passphrase formatting

Let’s look at these examples of each and see how regex queries can be used to filter each of these elements:

Blocking repetitive characters

A simple way to block repetitive characters is to enclose any character in the parenthesis and match it with the 1 in the following way:


Look-ahead and behind

You can look for a specific set of characters, either ahead or behind a current position in the string, using the following:

Ahead: (?=abc)

Behind: (?!abc)

Block dictionary words

You can effectively use regex to block specific words or strings from passphrases. Using the example above, if we want to block and exclude specific words from passphrases, such as the company name, we can do that using the following:


If you want to block multiple combinations of specific words, you can do that with regex as well. For instance, to exclude multiple combinations of password we could use the following:


Block consecutive characters

If you want to block consecutive characters in passphrases, you can do that using the following regex string:


Enforce specific passphrase formatting

When using passphrases, many organizations will want to enforce specific passphrase characteristics. These may include how many words need to be used in a series and how many characters need to be contained in each word. If we want to match each six-character word, we can do that with the following:


The following will match a six-character word followed by one space:


If you want to allow upper and lowercase characters in three words and then allow using numeric, special, and all cases in the passphrase, you can do that with the following:


How Specops Password Policy uses regex

As we know, Active Directory is limited in the tools and capabilities natively provided to prevent users from using dangerous password elements. While you can use a custom password filter .dll, this requires development experience and the lifecycle maintenance necessary for maintaining the solution.

Specops Password Policy is a robust password security solution that bolsters the native abilities of Active Directory with additional capabilities, allowing organizations to implement modern password security recommendations.

Not only does Specops Password Policy allows organizations to effectively implement and encourage the use of passphrases in the environment, it also allows using the power of regex to create powerful password filtering in Active Directory to match patterns or phrases that are weak or vulnerable, without so much manual code.

Specops Password Policy allows users to use strong passwords, passphrases, or both.

Specops Password Policy allows creating policies with passwords and passphrases
Source: Specops

When using passphrases in the environment, admins may want to exclude certain elements from use in passphrases created by users.

For example, admins can use regular expressions to exclude specific passphrase components and enforce certain characteristics on the passphrase configuration tab.

Using Regular expressions with Specops Password Policy to bolster passphrases
Source: Specops

The custom requirements section can house various regex queries to enforce and exclude passphrase elements from use in the organization.

Using passphrases and regex in your AD moving forward

Passphrases provide a superior way to create strong passwords in the environment. Their strength comes from the length and unique identity of the passphrase. However, admins still want to be able to control and exclude certain terms or words from passphrases for increased security.

These custom parameters around passphrases can be accomplished using regex queries. Specops Password Policy provides robust tools and capabilities to bolster the use of strong passwords and passphrases in the environment, including using regex to require or exclude certain passphrase elements.

Learn more about Specops Password Policy, or try it for free in your Active Directory with a trial account, anytime.

Sponsored and written by Specops Software

Adblock test (Why?)