Active Directory password policy best practices


Password policies are vital to an organization’s security posture.

A strong password policy steers users towards creating passwords that are more durable against credential-based attacks, which increases the security of organizational data. With Verizon's 2020 Data Breach Investigation Report pointing out that 80% of hacking-related breaches are tied to passwords, it is evident that many organizations still have room to improve their password policies.

Conventional Active Directory password policy rules list basic guidelines like using a combination of uppercase and lowercase letters and setting a minimum password length of eight characters. With hacking techniques constantly evolving, these password policy guidelines must be updated. This list points out some of the lesser-known Active Directory password policy best practices that can help create more stringent password policies.

Don’t set a short maximum password age:

For a long time, the consensus was that shorter password expiration limits kept users safe from attacks that use stolen passwords, like brute-force attacks, because users would be changing their passwords often. However, requiring users to frequently create new passwords inadvertently leads to bad password practices, like reusing old passwords or forgetting them, which increases password-related help desk tickets. For this reason, in 2019 Microsoft announced that it no longer recommends a password expiration policy as part of its Cybersecurity Baseline.

If your organization chooses to eliminate password expiration, you should implement other security features such as multi-factor authentication (MFA) to maintain the strength of your IT security. If ditching your password expiration policy seems too risky and you decide to keep it, we recommend setting a maximum password age between 30 and 90 days.

Prioritize length over complexity:

Password length and complexity form the mainstays of password strength. While admins are sure to set both a minimum password length and password complexity settings, they often prioritize complexity over length. A random combination of alphanumeric characters and symbols intuitively seems to be the best defense against password-based attacks that depend on commonly used words and phrases, like dictionary attacks. Unfortunately, this strategy does not work against all adversaries—especially brute-force attacks, which try all possible combinations of keys until they get it right.

Compared to complexity, password length has a greater impact on password entropy, the measure of how unpredictable a password is. The longer the password, the higher its entropy and the stronger it is. The recommended minimum password length value is eight.
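To make the length-versus-complexity argument concrete, the following PowerShell function estimates keyspace entropy as length multiplied by log2 of the character pool in use. This is an added example, not code from the original article or from ADSelfService Plus; the character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the sample passwords are assumptions constructed for the illustration.

```powershell
# Added example (not from the article): keyspace entropy = length * log2(pool size),
# where the pool is the union of character classes actually present in the password.
# Class sizes are an assumption modelled on a US keyboard layout.
function Get-PasswordEntropyBits {
    param([Parameter(Mandatory)][string]$Password)

    $pool = 0
    if ($Password -cmatch '[a-z]')        { $pool += 26 }   # lowercase letters (-cmatch: case-sensitive)
    if ($Password -cmatch '[A-Z]')        { $pool += 26 }   # uppercase letters
    if ($Password -match  '[0-9]')        { $pool += 10 }   # digits
    if ($Password -match  '[^A-Za-z0-9]') { $pool += 33 }   # printable symbols and space
    if ($pool -eq 0) { return 0 }

    return [math]::Round($Password.Length * [math]::Log($pool, 2), 1)
}

# Constructed samples: an 8-character password using all four classes versus
# longer passwords drawn from fewer classes.
$samples = @('Tr0ub4d&', 'quietlampriver', 'correct horse battery')
foreach ($p in $samples) {
    '{0,-22} length={1,2} entropy={2,6} bits' -f $p, $p.Length, (Get-PasswordEntropyBits $p)
}
```

The 8-character sample drawn from all four classes comes out near 53 bits, while the 14-character all-lowercase sample is near 66 bits, so the extra six characters outweigh the three extra character classes. Keyspace entropy assumes every character was chosen at random; a 14-letter dictionary word has far less real unpredictability, which is why a banned-word list is a necessary companion to a length requirement.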

Set a minimum password age:

Not setting a minimum password age allows users to work their way around the maximum password age and password history settings. Once a password reaches its maximum age and expires, the user can change it repeatedly until the password history limit is exhausted, and then set the original password again. Setting a minimum password age, that is, a limit on how soon a newly changed password can be changed again, is essential to prevent users from indulging in such practices and risking their account security. We recommend setting a minimum password age value of one day.
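The three settings above (maximum age, minimum length, minimum age, together with password history) all live in the default domain password policy, which can be audited and changed from PowerShell. The script below is an added example, not code from the original article or from ADSelfService Plus; it assumes the ActiveDirectory RSAT module is installed and that the caller has rights to read (and, for the commented remediation, modify) the domain policy. The `$MfaEnforced` switch and the history count of 24 are assumptions, since the article recommends MFA as a compensating control and recommends keeping password history without giving a count.

```powershell
# Added example (not from the article): audit Get-ADDefaultDomainPasswordPolicy against the
# recommendations above and show the matching Set-ADDefaultDomainPasswordPolicy call.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,        # object returned by Get-ADDefaultDomainPasswordPolicy
        [bool] $MfaEnforced = $false           # assumption: $true only if MFA covers every domain user
    )
    $findings = @()

    # The cmdlet reports "passwords never expire" as a zero-length TimeSpan.
    $maxDays = $Policy.MaxPasswordAge.TotalDays
    if ($maxDays -eq 0) {
        if (-not $MfaEnforced) { $findings += 'Passwords never expire and MFA is not enforced' }
    }
    elseif ($maxDays -lt 30 -or $maxDays -gt 90) {
        $findings += "MaxPasswordAge is $maxDays days; recommended range is 30-90"
    }
    if ($Policy.MinPasswordAge.TotalDays -lt 1) {
        $findings += 'MinPasswordAge is below 1 day; users can cycle through the history list'
    }
    if ($Policy.MinPasswordLength -lt 8) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); recommended minimum is 8"
    }
    if ($Policy.PasswordHistoryCount -lt 1) {
        $findings += 'PasswordHistoryCount is 0; a previous password can be reused immediately'
    }
    return $findings
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = Test-DomainPasswordPolicy -Policy $policy -MfaEnforced $false
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'Default domain password policy meets the recommendations above.' }

# Remediation, left commented so the audit stays read-only. The history count of 24 is an
# assumed value, not a figure from the article.
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot `
#     -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
#     -MinPasswordLength 8 -PasswordHistoryCount 24 -ComplexityEnabled $true
```

Run the audit first on a read-only account; fine-grained password policies (PSOs) applied to specific groups override the default domain policy for their members, so an audit of the default policy alone does not cover accounts that a PSO targets.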

Ban exposed passwords and dictionary words:

Exposed passwords are a major threat to sensitive organizational resources. With rampant password reuse across accounts, exposure of a single password can lead to the compromise of many connected accounts across different applications. Dictionary words and context-specific words like an organization's name and location also make poor passwords, because an attacker with insider knowledge can guess passwords that are specific to an environment. While ideally users should be aware of the importance of creating strong passwords, admins should also implement measures to ban passwords that have been exposed during previous data breaches and passwords that are commonly used in the organization.
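A banned-password check can be run against a candidate password before it is accepted. The following PowerShell is an added example, not code from the original article or from ADSelfService Plus: the word list and the single exposed-password hash are constructed for the illustration (the hash is SHA-1 of the string "password"), and the organization name and location in the list are placeholders. A production filter would consult a breach corpus instead of a hard-coded list.

```powershell
# Added example (not from the article): reject candidates that contain context-specific or
# dictionary words, the username, or that match a list of hashes of known exposed passwords.
# Both lists below are constructed samples.
$bannedWords = @('password', 'welcome', 'exampleorg', 'exampletown')   # dictionary + org name/location placeholders
$exposedSha1 = @(
    '5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8'   # SHA-1("password"), a widely exposed password
)

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-BannedPassword {
    # Returns $null when the password passes, otherwise the reason it was rejected.
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = ''
    )
    $lower = $Password.ToLowerInvariant()
    foreach ($w in $bannedWords) {
        if ($lower.Contains($w)) { return "contains banned word '$w'" }
    }
    if ($UserName -and $lower.Contains($UserName.ToLowerInvariant())) {
        return 'contains the username'
    }
    if ($exposedSha1 -contains (Get-Sha1Hex -Text $Password)) {
        return 'matches a known exposed password'
    }
    return $null
}

# Constructed candidates for a user named "jdoe".
foreach ($candidate in @('password', 'Welcome2021!', 'jdoe-summer', 'ExampleOrg#77', 'quietlampriver')) {
    $reason = Test-BannedPassword -Password $candidate -UserName 'jdoe'
    if ($reason) { "REJECT  $candidate : $reason" } else { "ACCEPT  $candidate" }
}
```

The hash comparison is done on the full SHA-1 so the example runs offline; the matching is case-insensitive for words but exact for hashes, which is why the word check runs first and catches variants such as "Welcome2021!".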

Besides the above password policy best practices, the following security best practices can also help strengthen data security:

  • Don’t stop with just password policies
  • Implement MFA

Although password policies are a viable step in the direction of better data security and should be used, they are not a complete security strategy. Password policies help create stronger passwords that defend your organization against attacks, but attack techniques have advanced alongside defenses. So while creating a password policy for your organization, be sure to implement additional security measures like auditing password changes, resets, and expiration to identify attack attempts.

Credential-based attacks are growing stronger, and the data security industry is in consensus that it is too risky to depend solely on passwords for security. Regulations centered on information protection, like the GDPR, HIPAA, and PCI DSS, have all mandated MFA for compliance. The additional layers of security implemented by MFA help protect sensitive data even if the password guarding the account is compromised.

It is also recommended that admins keep up with the password policy guidelines created by organizations like NIST.

How ADSelfService Plus helps implement these guidelines in your organization

  1. ADSelfService Plus' Password Policy Enforcer feature offers password policy settings that go above and beyond the conventional Active Directory domain password policies, and it implements all the best practices defined above. In addition to supporting native Active Directory's password policy guidelines, ADSelfService Plus also:
     • Restricts the use of usernames as passwords and the repetition of old passwords, even going so far as to prevent passwords from containing consecutive characters from usernames and old passwords. This improves password strength, avoiding the need to impose shorter password expiration limits.
     • Bans weak passwords, keyboard sequences, and palindromes.
  2. The Password Policy Enforcer feature also includes a setting that encourages the use of passphrases.
  3. ADSelfService Plus’ integration with Have I Been Pwned? thwarts the use of previously exposed domain passwords by blocking users from entering them during self-service password resets from the login screen and during native password changes made using the Ctrl+Alt+Del screen or the ADUC console. The product's Weak Password Users Report tool compares users' passwords against a list of over 100,000 commonly used weak passwords to identify user accounts with passwords that should be changed.
  4. ADSelfService Plus helps further strengthen domain account security with its Multi-factor Authentication feature. By enabling this feature, admins can implement multiple layers of security besides their login credentials during:
     • Machine (Windows, macOS, and Linux) and VPN logins.
     • Self-service password resets and account unlocks.
     • Logins to the ADSelfService Plus portal.
     Up to 18 different authentication methods are supported, including biometrics, QR-code-based authentication, and YubiKey Authenticator.


2021 Zoho Corporation Pvt. Ltd. All rights reserved.