M1027: Password Policies
Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse. This mitigation can be implemented through the following measures:
Windows Systems:
- Use Group Policy Management Console (GPMC) to configure:
  - Minimum password length (e.g., 12+ characters).
  - Password complexity requirements.
  - Password history (e.g., disallow last 24 passwords).
  - Account lockout duration and thresholds.
Linux Systems:
- Configure Pluggable Authentication Modules (PAM):
  - Use `pam_pwquality` to enforce complexity and length requirements.
  - Implement `pam_tally2` or `pam_faillock` for account lockouts.
  - Use `pwunconv` to disable password reuse.
Password Managers:
- Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.
Password Blacklisting:
- Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.
Regular Auditing:
- Periodically audit password policies and account configurations to ensure compliance, using tools like LAPS (Local Administrator Password Solution) and vulnerability scanners.
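The measures above combine a length floor, a complexity rule, a reuse history and a breached-password check. The added example below (not code from the page, MITRE or Glexia) implements that combination as one policy check; it uses the page's 12-character and 24-password baselines, a Windows-style "three of four character classes" rule, and a constructed offline stand-in for the Have I Been Pwned range API so the k-anonymity lookup can be seen without network access.

```python
import hashlib
import hmac
import re
from collections import defaultdict

MIN_LENGTH = 12     # baseline from the measures above: 12+ characters
HISTORY_DEPTH = 24  # baseline from the measures above: disallow the last 24 passwords

# Constructed stand-in for breached-password data; it is NOT real HIBP content.
BREACHED_CORPUS = ["Password123!", "Winter2024!!", "Welcome12345"]


def _sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_stub():
    """Mimic the HIBP 'range' response format: one '<35-char suffix>:<count>' line per hit."""
    table = defaultdict(list)
    for pw in BREACHED_CORPUS:
        digest = _sha1_upper(pw)
        table[digest[:5]].append(f"{digest[5:]}:7")  # constructed prevalence count
    return table


RANGE_STUB = _build_range_stub()


def is_breached(password, range_lookup=lambda prefix: RANGE_STUB.get(prefix, [])):
    """k-anonymity check: only the first 5 hex chars of the SHA-1 ever leave the host.
    A real deployment would fetch https://api.pwnedpasswords.com/range/<prefix> here."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        candidate, _, count = line.partition(":")
        if hmac.compare_digest(candidate, suffix) and int(count) > 0:
            return True
    return False


def history_token(password):
    """Token kept in the reuse history. Demo only: production history stores the
    system's own password hashes, never a plain unsalted digest like this."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, history=()):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if classes < 3:  # Windows-style complexity: at least three of the four character classes
        problems.append("fewer than three of four character classes")
    if history_token(password) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    if is_breached(password):
        problems.append("found in breached-password data")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "Tr0ub4dor&3", "correct-horse-Battery9"):
        print(candidate, "->", check_password(candidate) or "ok")
```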
*Tools for Implementation*
Windows:
- Group Policy Management Console (GPMC): Enforce password policies.
- Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.
Linux/macOS:
- PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
- Lynis: Audit password policies and system configurations.
Cross-Platform:
- Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
- Have I Been Pwned API: Prevent the use of breached passwords.
- NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.
Analyst context for executives and security teams
Password Policies (M1027) matter because weak, reused, default, or previously breached passwords turn credential theft into business-wide access. In ATT&CK, this mitigation is tied to credential dumping, brute force, valid account abuse, remote services, software deployment tools, forced authentication, and password policy discovery. For leaders, the decision value is not whether a policy exists on paper, but whether it is enforced consistently across domain, local, Linux/macOS, cloud, SaaS, privileged, service, and default accounts where applicable.
Executive priority
Treat password policy as an identity resilience control and an audit-evidence item, not just an IT setting. Prioritize proof that password length, complexity, history, lockout thresholds, breached-password blocking, password manager use, and local administrator password controls are actually enforced. The highest business value is reducing the chance that one dumped, guessed, cracked, sprayed, stuffed, or reused password enables lateral movement, privilege escalation, or persistent access through valid accounts and remote services.
Technical view
SOC, IAM, IR, and detection engineering teams should validate enforcement and evidence collection around the ATT&CK relationships: T1003 OS Credential Dumping and sub-techniques, T1078 Valid Accounts and sub-techniques, T1110 Brute Force and sub-techniques, T1021 Remote Services, T1072 Software Deployment Tools, T1187 Forced Authentication, and T1201 Password Policy Discovery. The official object does not provide detection logic, so coverage should focus on configuration assurance plus authentication telemetry. Validate Windows Group Policy settings, Linux PAM controls such as password quality and lockout modules, password reuse prevention, enterprise password manager adoption, breached-password blacklist checks, and periodic auditing with tools such as LAPS and vulnerability scanners where used.
Likely telemetry
- Windows Group Policy password and account lockout configuration evidence
- Linux PAM configuration and audit results for password quality, reuse prevention, and lockout behavior
- Authentication success, failure, and lockout logs across identity providers, domain services, remote services, SaaS, IaaS, and local systems where available
- Password reset, password change, and policy exception records
- Password manager enrollment and usage compliance evidence
Detection direction
- Because ATT&CK provides no official detection for this mitigation, validate control-state monitoring rather than relying on a single alert rule.
- Tune brute-force and password-spraying analytics to distinguish repeated failures against one account from low-and-slow attempts across many accounts, while accounting for legitimate help desk, application, and user error patterns.
- Correlate authentication anomalies with policy weaknesses such as default accounts, local account reuse, missing lockout thresholds, weak minimum length, or lack of breached-password blocking.
- Review password policy discovery activity in context: administrative checks can be legitimate, but unexpected discovery preceding authentication failures may raise priority.
- Confirm visibility for remote services, identity providers, cloud accounts, domain accounts, local accounts, and privileged/service accounts; gaps here can make policy enforcement appear stronger than it is.
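The second bullet above asks analytics to separate repeated failures against one account from low-and-slow attempts across many accounts, while tolerating ordinary user error. The added example below (not part of the page, MITRE or Glexia) runs both analytics over constructed authentication events: a per-(source, account) window count for the brute-force shape, and a per-source distinct-account count with a low per-account ceiling for the spray shape.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed authentication events (ts, user, source_ip, outcome); not real telemetry."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    events = []
    # Benign: a user mistypes three times from a workstation, then signs in.
    for i in range(3):
        events.append((base + timedelta(seconds=20 * i), "bob", "10.0.0.5", "failure"))
    events.append((base + timedelta(seconds=70), "bob", "10.0.0.5", "success"))
    # Brute-force shape: 12 failures against one account from one source in under 3 minutes.
    for i in range(12):
        events.append((base + timedelta(seconds=15 * i), "alice", "203.0.113.10", "failure"))
    # Spray shape: one failure per account across nine accounts, spread over 80 minutes.
    for i in range(9):
        events.append((base + timedelta(minutes=10 * i), f"user{i:02d}", "198.51.100.7", "failure"))
    return sorted(events)


def _runs(items, window):
    """Yield, for each item, the run of later items (sorted by time) within `window` of it."""
    j = 0
    for i in range(len(items)):
        while j < len(items) and items[j][0] - items[i][0] <= window:
            j += 1
        yield items[i:j]


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """Repeated failures against ONE account: (source_ip, user) pairs reaching `threshold`
    failures inside any `window`. The threshold sits above a typical mistyped-password run."""
    failures = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "failure":
            failures[(ip, user)].append((ts, user))
    hits = set()
    for key, items in failures.items():
        if any(len(run) >= threshold for run in _runs(items, window)):
            hits.add(key)
    return sorted(hits)


def detect_password_spray(events, min_accounts=8, max_per_account=2, window=timedelta(hours=2)):
    """Low-and-slow across MANY accounts: one source failing against at least `min_accounts`
    distinct users with at most `max_per_account` tries each, so per-account lockouts never trip."""
    failures = defaultdict(list)
    for ts, user, ip, outcome in events:
        if outcome == "failure":
            failures[ip].append((ts, user))
    hits = set()
    for ip, items in failures.items():
        for run in _runs(items, window):
            per_user = Counter(user for _, user in run)
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                hits.add(ip)
                break
    return sorted(hits)


if __name__ == "__main__":
    sample = build_sample_events()
    print("brute force:", detect_brute_force(sample))
    print("password spray:", detect_password_spray(sample))
```

Lowering `threshold` to 3 shows the tuning trade-off: the benign mistyped run from bob is then flagged alongside the real brute-force source.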
Mitigation priorities
- Start with an inventory of account types: domain, local, default, privileged, service, cloud, SaaS, and remote-access accounts.
- Enforce strong baseline settings: minimum length, complexity where required, password history, lockout duration, and lockout thresholds.
- Reduce reuse and known-weak password risk through password history controls, password managers, and compromised-password or NIST-aligned blacklist checks.
- Harden privileged and local administrator accounts with unique, rotated passwords using controls such as LAPS where applicable.
- Audit policy implementation periodically using configuration reviews, vulnerability scanners, and account-configuration checks; preserve results as compliance evidence.
Analyst notes and limits
This mitigation is broadly relevant to identity security because the related techniques include credential dumping, valid account abuse, brute force, password spraying, credential stuffing, remote service access, and abuse of centralized software deployment tools. It is especially useful as a control validation topic for managed detection, incident response readiness, IAM governance, cloud/SaaS account hygiene, and compliance evidence. Password policy should be evaluated alongside local evidence of enforcement, exceptions, and telemetry coverage.
The ATT&CK object is a mitigation and provides no official detection section, no explicit tactics, and no platform field for the mitigation itself. Platform references come from the mitigation description and related techniques, so local environment scoping is required. This summary does not assert active exploitation, attribution, or guaranteed prevention/detection.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1599.001 | Network Address Translation Traversal Sub-technique | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1078.004 | Cloud Accounts Sub-technique | Ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time credentials can be used to access resources if a credential is compromised without your knowledge. Cloud service providers may track access key age to help audit and identify keys that may need to be rotated. (Citation: AWS - IAM Console Best Practices) |
| Enterprise | T1556.005 | Reversible Encryption Sub-technique | Ensure that |
| Enterprise | T1552.002 | Credentials in Registry Sub-technique | Do not store credentials within the Registry. |
| Enterprise | T1550.003 | Pass the Ticket Sub-technique | Ensure that local administrator accounts have complex, unique passwords. |
| Enterprise | T1552.004 | Private Keys Sub-technique | Use strong passphrases for private keys to make cracking difficult. |
| Enterprise | T1558.002 | Silver Ticket Sub-technique | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
| Enterprise | T1599 | Network Boundary Bridging | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1003.003 | NTDS Sub-technique | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1558.003 | Kerberoasting Sub-technique | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
| Enterprise | T1078 | Valid Accounts | Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured. Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources. |
| Enterprise | T1552 | Unsecured Credentials | Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files. |
| Enterprise | T1110.004 | Credential Stuffing Sub-technique | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1110.002 | Password Cracking Sub-technique | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1550 | Use Alternate Authentication Material | Set and enforce secure password policies for accounts. |
| Enterprise | T1187 | Forced Authentication | Use strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained. |
| Enterprise | T1003.006 | DCSync Sub-technique | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1556 | Modify Authentication Process | Ensure that |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1558.004 | AS-REP Roasting Sub-technique | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1072 | Software Deployment Tools | Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. |
| Enterprise | T1003 | OS Credential Dumping | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1003.005 | Cached Domain Credentials Sub-technique | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1078.003 | Local Accounts Sub-technique | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1003.007 | Proc Filesystem Sub-technique | Ensure that root accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1003.008 | /etc/passwd and /etc/shadow Sub-technique | Ensure that root accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1078.001 | Default Accounts Sub-technique | Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) |
| Enterprise | T1601 | Modify System Image | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1110.001 | Password Guessing Sub-technique | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1555.001 | Keychain Sub-technique | The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password. |
| Enterprise | T1563.001 | SSH Hijacking Sub-technique | Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected. |
| Enterprise | T1563 | Remote Service Session Hijacking | Set and enforce secure password policies for accounts. |
| Enterprise | T1078.002 | Domain Accounts Sub-technique | Implement and enforce strong password policies for domain accounts to ensure passwords are complex, unique, and regularly rotated. This reduces the likelihood of password guessing, credential stuffing, and other attack methods that rely on weak or static credentials. |
| Enterprise | T1555 | Credentials from Password Stores | The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password. Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations. |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015) |
| Enterprise | T1110 | Brute Force | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers. |
| Enterprise | T1601.002 | Downgrade System Image Sub-technique | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
| Enterprise | T1201 | Password Policy Discovery | Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory ( |
| Enterprise | T1021 | Remote Services | Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. |
| Enterprise | T1555.005 | Password Managers Sub-technique | Refer to NIST guidelines when creating password policies for master passwords. (Citation: NIST 800-63-3) |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Establish an organizational policy that prohibits password storage in files. |
| Enterprise | T1601.001 | Patch System Image Sub-technique | Refer to NIST guidelines when creating password policies. (Citation: NIST 800-63-3) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | a9d930cbe6b0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack M1027 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.