AlphaONE Operations

05/22/2026

"We're fine with our 8-character minimum and complexity rules."
That's a statement that's showing up as a finding in 2026 security audits.
Both NIST SP 800-63B Rev 4 (2025) and Microsoft's 2025 Security Baselines have done away with forced complexity requirements and scheduled password resets. Today's standard sets the minimum at 15 characters for accounts without a second factor, or 14 characters when MFA is active. The days of 8-character passwords being acceptable are behind us.
We took the password policy remediation advice from every Active Directory pentest report we deliver and consolidated it into a single playbook. Give it to your helpdesk. Hand it to your GRC team. It's the same process we walk every client through after we've compromised a domain.
The most important thing in the playbook: get MFA deployed everywhere before you change a single password length or expiration setting. Everything else hinges on whether MFA is in place, because both NIST and Microsoft explicitly allow lighter password requirements when a strong second factor is present.
The steps below are ordered — that order is not optional:

1. Universal MFA (RADIUS / NPS / Entra ID).
2. Banned-password list enabled (Specops, nFront, or Azure AD Password Protection).
3. Minimum length increased — 14 chars with MFA, 15 chars without.
4. Complexity rules removed (only once steps 1–3 are done).
5. Password expiration removed (only once steps 1–3 are done); reset on breach stays permanent.
6. Service accounts migrated to gMSA.
7. Fine-Grained Password Policies applied to privileged accounts (minimum 20 characters).
8. SIEM alerting configured for events 4662, 4769, 4768, 4624, 4625, 4740, 4928, 4929, 5136.

Cut corners on the sequence, and you leave the domain weaker than before. Turn off complexity without first raising the length floor and activating a ban list, and your next pentest will crack more passwords, not fewer.
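As an added example (not code from the AlphaONE post), the following PowerShell audits the default domain password policy against the playbook's floors and sequencing, and stages the step-7 PSO for privileged groups. It assumes the ActiveDirectory RSAT module; the PSO name, precedence and history count are constructed values, not from the post.

```powershell
# Added example, not from the AlphaONE post: audit the default domain password policy
# against the playbook's floors (14 with MFA, 15 without) and stage the step-7 PSO.
# Assumes the ActiveDirectory RSAT module and rights to read/modify password policy objects.
Import-Module ActiveDirectory

function Test-PlaybookPasswordPolicy {
    param([switch]$MfaEnforced)   # Step 1 complete? That decides the 14 vs 15 floor.

    $floor    = if ($MfaEnforced) { 14 } else { 15 }
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $floor) {
        $findings += "Step 3: MinPasswordLength is $($policy.MinPasswordLength), floor is $floor"
    }
    # Steps 4 and 5 are only safe after MFA is in place and the length floor is met.
    $ready = $MfaEnforced -and ($policy.MinPasswordLength -ge $floor)
    if (-not $policy.ComplexityEnabled -and -not $ready) {
        $findings += "Step 4 done out of order: complexity is off before steps 1-3 are complete"
    }
    # A MaxPasswordAge of zero means passwords never expire.
    if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero -and -not $ready) {
        $findings += "Step 5 done out of order: expiration is off before steps 1-3 are complete"
    }
    # Step 7: every member of a privileged group must resolve to a PSO with a 20-character minimum.
    foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
        $users = Get-ADGroupMember -Identity $group -Recursive | Where-Object objectClass -eq 'user'
        foreach ($u in $users) {
            # Returns nothing when only the default domain policy applies to the user.
            $pso = Get-ADUserResultantPasswordPolicy -Identity $u.SamAccountName
            if (-not $pso -or $pso.MinPasswordLength -lt 20) {
                $findings += "Step 7: $($u.SamAccountName) ($group) has no PSO with MinPasswordLength >= 20"
            }
        }
    }
    return $findings
}

function New-PrivilegedPasswordPolicy {
    # Step 7 remediation. PSO name, precedence and history count are constructed values.
    New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
        -MinPasswordLength 20 -PasswordHistoryCount 24 -ProtectedFromAccidentalDeletion $true
    Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' `
        -Subjects 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
}

# Run the audit; an empty result means the domain policy matches the playbook.
Test-PlaybookPasswordPolicy -MfaEnforced | ForEach-Object { Write-Warning $_ }
```

Run the audit before and after each step so the sequence violations it flags (complexity or expiration removed ahead of steps 1–3) are caught before the next pentest does.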
The full playbook — covering both on-prem AD and Entra ID, with framework mappings for auditors (NIST 800-53, NIST CSF 2.0, CIS Controls v8.1, CIS Windows Benchmark, ISO/IEC 27001:2022, Microsoft Security Baselines, and MITRE ATT&CK M1027/M1032/M1018) — is in the comments.
Where is your environment getting stuck?

04/30/2024

Can AI fix health problems you didn’t even know you had? Several researchers are trying to find that out (https://bit.ly/3wg8HPW).

04/23/2024

Planning to beef up your cybersecurity solutions this year? Check out these important tips on what to look for when vetting new security platforms (https://tinyurl.com/3eu6py3y).

04/18/2024

If you’re a leader at a small or mid-sized business, here are three top cybersecurity trends you’re going to want to know about (https://tinyurl.com/2vydd3ew).

04/17/2024

Attending school online has been a thing for a while now, but what about attending in the Metaverse? A new VR high school is being launched which will be just the beginning of a whole new way to learn (https://tinyurl.com/ynfs8saa).

Website

https://linktr.ee/AlphaONEOps

Address


Birmingham, AL
35242