For years, many businesses have relied on the same handful of basic password policy settings to protect their user accounts. However, traditional password policy settings are no longer enough to protect against today’s threats. A strong password policy is essential to keeping your passwords secure. Organizations that want to protect their business from credential theft and data breaches should give careful consideration to their password policy.
Best Principles and Practices of a Good Password Policy
In order to ensure the security of your organization’s passwords, it is important to implement a good password policy. Here are the top five tenets of a good password policy:
1. Account lockout threshold
The account lockout threshold is a password policy setting that determines the number of failed login attempts before an Active Directory user account is locked out. The NIST Special Publication 800-63B Digital Identity Guidelines document states that this setting can help to protect accounts from compromise.
Helpdesk teams can be burdened by locked accounts, especially when the workforce is remote. A self-service system for end-users to reset passwords can reduce the helpdesk’s burden and give end-users quicker resolution.
2. Minimum password length
The minimum password length is a security measure that defines the shortest length a password can be. Password length is important for security because a longer password is more difficult to guess. The minimum password length recommended by the National Institute of Standards and Technology (NIST) is 8 characters.
Organizations can also implement solutions to reward users who choose longer passwords with more extended thresholds before requiring a password change. This concept, called length-based aging, can promote users choosing longer passwords, increasing security.
3. Breached password protection
Attackers are using new techniques to compromise end-user accounts in Active Directory. This includes taking databases of breached passwords found on the dark web and replaying these “breached passwords” in credential stuffing or “alphabet” style attacks against user accounts.
When it comes to passwords, most of us think alike – trying to set ones that meet the system administrator’s complexity guidelines, but are also easy to remember. This similarity in thinking can lead to password compromise.
Two users in different organizations who have the same password may find their accounts compromised if one of the passwords is leaked in a data breach. This is why it is important to have different passwords for different accounts and to change them regularly.
NIST is recommending a forced password change ONLY when there is evidence of compromise. This guidance implies some form of breached password protection.
The key for modern password policies is to enforce protection against breached passwords. Even if the passwords are complex, breached passwords can easily compromise high-level accounts.
4. Custom password dictionary
A good password policy will also have a custom password dictionary. This is a list of passwords that are not allowed, such as variations of the company name. This helps to keep people from using easily guessed or easily hacked passwords.
Attackers will often use variations of the business name and other words associated with an organization to “think like the user” and guess passwords they may have chosen to use. A custom dictionary creates what is known as a password filter in Active Directory that rejects passwords that exist in the list.
Active Directory password filters are difficult to implement and require expert development skills to produce the necessary .dlls. Azure Active Directory password filtering is also limited in functionality, leaving organizations vulnerable to common password attacks. Third-party solutions are necessary to properly implement password filtering and protect against these attacks.
5. Password history
The password history setting determines how many previous passwords are remembered and therefore cannot be reused when a user changes their password. This prevents a user from simply resetting their password to their previous password at the next interval.
Again, Active Directory’s native functionality is limited when it comes to remembering passwords and blocking incremental password usage. A third-party solution is required to effectively block against incremental password use in the environment.
Modern password policies require a third-party solution
Active Directory cannot natively implement breached password protection. However, custom password filters can be used and implemented in Active Directory using a password filter .dll. This requires development expertise and continual maintenance. Therefore, it is necessary to use a third-party solution for organizations that want to meet password policy security challenges.
The Specops Password Policy is a robust solution that allows organizations to meet the top 5 tenets of a good password policy, as discussed, and many others. In addition, Specops Password Policy integrates with Active Directory Group Policy settings. So, it fits in seamlessly with existing policies that organizations have in place.
If you’re looking for ways to better protect your Active Directory passwords, Specops Password Policy can help. With just a few clicks, you can implement password protection measures that are either non-existent in Active Directory or difficult to do on your own.
The Specops Password Policy module provides an easy way to implement breached password protection that goes beyond leaked lists. Specops Breached Password Protection blocks the use of over 2 billion compromised passwords, including ones used in real attacks today or are on known breached password lists, making it easy to comply with industry regulations such as NIST or NCSC.
Our researchers’ password attack monitoring data collection systems are updated daily to keep networks protected from real-world attacks happening right now. The Breached Password Protection service blocks these banned passwords in Active Directory with customizable end-user messaging that helps reduce calls to the service desk.
The “Custom Dictionaries” option in Specops Password Policy is an easy way to add custom dictionaries to protect against targeted password attacks that may contain your organization’s name or other sensitive phrases.
What additional features are found in Specops Password Policy?
- Dynamic, targeted feedback at password change through the Specops authentication client, so that when a change attempt fails the user is told which rule was not met instead of a generic error.
- Password expiration based on the length of the password
- Customizable email notifications
- Blocking of common password components that make easy-to-remember passwords easy to guess, such as user names, display names, specific words, consecutive letters, and incremental passwords
Wrapping it Up
As cybersecurity threats continue to increase, password policy requirements are changing. This change is reflected in new guidance from organizations like the National Institute of Standards and Technology (NIST). The built-in password policy settings found in Active Directory are no longer enough to protect against threats such as breached passwords. Businesses today need to take additional measures to safeguard their data.
Today, organizations need to use a third-party solution to supplement the capabilities found in Active Directory to meet the top 5 tenets of a good password policy. Specops Password Policy is a solution that allows organizations to implement password filters using password dictionaries and breached password protection. In addition, it includes many other great features not found in Active Directory, such as length-based password aging.
Hello, My name is Shari & I am a writer for the ‘Outlook AppIns’ blog. I’m a CSIT graduate & I’ve been working in the IT industry for 3 years.