Knowing the rules that a password policy enforces can greatly help us avoid an account lockout while performing a Password Spray attack.
There are various ways to get the password policy, both from Windows and Linux.
Built-in Windows methods
net accounts
The output looks like this:
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 3
Lockout threshold: Never
Lockout duration (minutes): 10
Lockout observation window (minutes): 10
Computer role: WORKSTATION
The command completed successfully.
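Read from the defender's side, the same output is an audit input. The sketch below is an added example, not code from the original page: it parses English-locale `net accounts` output and flags settings that leave accounts exposed to password guessing. The function names, the finding labels and the 12-character baseline are assumptions made for this example.

```python
# Constructed input: the `net accounts` output shown above (English locale).
SAMPLE = """\
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): Unlimited
Minimum password length: 8
Length of password history maintained: 3
Lockout threshold: Never
Lockout duration (minutes): 10
Lockout observation window (minutes): 10
Computer role: WORKSTATION
The command completed successfully.
"""

def parse_net_accounts(text):
    """Map 'label: value' lines to a dict; Never/Unlimited/None -> None, digits -> int."""
    policy = {}
    for line in text.splitlines():
        # Split on the last colon; real output pads the value with spaces.
        label, sep, value = line.rpartition(":")
        label, value = label.strip(), value.strip()
        if not sep or not value:
            continue  # status line such as "The command completed successfully."
        if value in ("Never", "Unlimited", "None"):
            policy[label] = None
        else:
            policy[label] = int(value) if value.isdigit() else value
    return policy

def audit(policy, min_length=12):  # 12 is an assumed baseline, not from the page
    """Return labels (names chosen for this example) for weak settings."""
    if "Lockout threshold" not in policy:
        raise ValueError("unrecognised output (non-English locale?)")
    findings = []
    if policy["Lockout threshold"] is None:
        # Duration and observation window have no effect without a threshold.
        findings.append("lockout-disabled")
    if (policy.get("Minimum password length") or 0) < min_length:
        findings.append("min-length-below-baseline")
    history = policy.get("Length of password history maintained")
    if history and not policy.get("Minimum password age (days)"):
        # Minimum age 0 lets a user cycle passwords at once and reuse an old one.
        findings.append("history-bypassable")
    return findings

if __name__ == "__main__":
    print(audit(parse_net_accounts(SAMPLE)))
```

On the sample above, the lockout duration and observation window both read 10 minutes, but neither applies because the threshold is `Never`.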