20 October 2016
As others are saying, I’d start looking into using Windows 10 + ADFS 2016 + AD 2016 and look at implementing MFA. Skip using passwords entirely. Do it through attrition. Get the back office infrastructure set up, and slowly migrate end users over in time.
Some things I’d recommend:
Disable password complexity requirements
Increase password length requirements (2 chars ^ 10 minimum keyspace is > 10 chars ^ 2 minimum keyspace)
Increase the longevity of passwords on the environment. Don’t make your users change their password every 60 days. Move it to 180 or 365.
Enable logging/correlation of all access on WebApps, Domain Controllers (use a good audit tool)
There’s a pretty good solid chance that password complexity is the least of the worries on your environment. I wouldn’t spend any money on tools that fix that.
I’d invest the money in more capable technologies and better security.
PS: I work for a large Enterprise. We’re going the ADFS + Password For Work + Windows 10 route.
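Added example, not from the post's author: PowerShell (RSAT ActiveDirectory module) that records the current default domain password policy, checks the keyspace arithmetic behind the length-over-complexity point, and previews the suggested changes with -WhatIf. The domain name is a placeholder, and the 14-character value reflects the classic Windows ceiling; raising it further is assumed to need the relaxed-minimum-length policy on newer DCs.

```powershell
# Added example: review and adjust the default domain password policy along the
# lines suggested in the post. Needs the ActiveDirectory module and domain admin rights.
Import-Module ActiveDirectory

$Domain = 'corp.example.com'   # placeholder: replace with your AD domain

# 1. Capture the current policy before changing anything (keep this output as a record).
$current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
$current | Select-Object ComplexityEnabled, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# 2. Keyspace check behind the "2 chars ^ 10 > 10 chars ^ 2" remark:
#    extra length multiplies the keyspace, extra alphabet only widens the base.
function Get-Keyspace {
    param([int]$Alphabet, [int]$Length)
    [math]::Pow($Alphabet, $Length)
}
$longLower   = Get-Keyspace -Alphabet 26 -Length 14   # 14 lower-case letters only
$shortMixed  = Get-Keyspace -Alphabet 94 -Length 8    # 8 chars from all 94 printables
"{0:E2} (26^14) vs {1:E2} (94^8)" -f $longLower, $shortMixed

# 3. Apply the post's recommendations: complexity off, longer minimum, 365-day maximum age.
#    -WhatIf only prints the intended change; remove it once the preview looks right.
#    Assumption: values above 14 for MinPasswordLength need the "Relax minimum password
#    length limits" policy on the domain controllers, so 14 is used here.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -ComplexityEnabled $false `
    -MinPasswordLength 14 `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -WhatIf
```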