Best Practices

Enterprise password management best practices

Expecting users to change and remember is equivalent to asking them to remember a new 660-digit number.1 Meaning, it's time we change the password management rules in a way that is much more user-centric without sacrificing security. Here are a few enterprise password management best practices that IT teams can implement to ensure password security:

1. Minimize the use of passwords: Employ effective alternatives to multiple passwords like single sign-on or password synchronization.
2. Blacklist commonly used passwords: Restrict the usage of weak, commonly used, dictionary words, palindromes, patterns, keyboard sequences, and consecutive usage of characters from the user name.
3. Lock account after multiple unsuccessful login attempts: Defend against credential-based attacks like brute force by locking out user accounts after a specific number of unsuccessful login attempts.
4. Enforce additional authentication factors for endpoint logins: Secure remote and local login attempts to Windows, macOS, and Linux systems with additional authentication factors.
5. Automate access control decisions with conditional access: Implement conditional access based on risk factors, such as IP address, time of access, device, and the user's geolocation.
6. Leverage Have I been Pwned API service: Ensure users don't use breached passwords by leveraging the Have I been Pwned API service during password reset and password change.
7. Eliminate password reuse: Enforce password history during native password resets and password changes to ensure users don't reuse passwords.
8. Empower users with password self-service features: Allow users to reset forgotten passwords of their Active Directory and cloud accounts, without IT assistance.

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution that helps admins leverage effective password management from a single, centralized console. It allows admins to employ custom password policies with advanced password policy settings for user's Active Directory and cloud accounts to improve password security. It also supports Endpoint MFA that secures login attempts and helps comply with multiple regulatory compliances like HIPAA and PCI DSS.

Other highlights of ADSelfService Plus:

1. Automate password expiration reminders: Help users stay proactive about their soon-to-expire passwords by sending them phased alerts via SMS, email, and push alerts.
2. Remote self-service: Allow users to perform remote password reset by enabling secure cached credentials update via VPN.
3. Approval workflow: Mandate help desk approval for users' password self-service actions, as needed.

And more.