Security

Securing your users' AD accounts by enforcing password hygiene

Identity theft seemed to have reached its peak in 2019. SpyCloud's 2020 Annual Credential Exposure Report states that over nine billion account credentials were misappropriated by hackers in 2019. These credentials were exposed through 640 data breaches that affected 270 million users world over. Another alarming statistic is that out of the nine billion credentials that were exposed, 29% of passwords were reused on multiple accounts, and out of these reused passwords, 94% were exact matches.

With credentials being stolen in millions and billions, users are nowhere near to following password security practices both in personal and work accounts. Password reuse and usage of weak passwords are common practices that not only endanger employees' accounts, but also their organization's database and entire network. If an attack happens due to the poor password hygine, it results financial and reputation losses to enterprises, and in most cases lead to legal implications as well.

Securing your users' accounts and passwords

To ensure total security, organizations must implement solutions to enforce good password hygiene. ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, is one such solution that offers the following features to help promote password and account security:

• Password Policy Enforcer: This feature allows admins to create and enforce custom password policies during:
  • Self-service password reset using ADSelfService Plus
  • Password change using the Ctrl+Alt+Del option.
  • Password reset using the Active Directory Users and Computers console.

  Some of the password policy rules offered by the feature include:

  • Disallow the use of specific numbers of consecutive characters from user names and old passwords
  • Disallow the use of a character a specific number of times consecutively.
  • Ensure the password starts with an uppercase letter, lowercase letter, number, or special character.
  • Fix the number of old passwords to be restricted during password resets and changes.

  Learn more about enabling the Password Policy Enforcer in your organization.

• Multi-factor Authentication: This feature adds additional levels of authentication using methods like biometrics, Google Authenticator, YubiKey Authentication, and fingerprint authentication. ADSelfService Plus secures the following actions using this feature:
  • Windows, macOS, and Linux logins.
  • Enterprise application logins using SSO.
  • Active Directory self-service password reset and account unlock, self-update of Active Directory profile information, subscription to mail groups, and employee search using ADSelfService Plus.

  Learn more about using multi-factor authentication to secure domain accounts.

• Have I Been Pwned? integration: ADSelfService Plus integrates with Have I Been Pwned?, a service that warns users if the passwords they create or reset have been breached before.

Learn more about integrating ADSelfService Plus with Have I Been Pwned?.