A strong password policy steers users towards creating passwords that are more durable against credential-based attacks, which increases the security of organizational data. With Verizon's 2020 Data Breach Investigation Report pointing out that 80% of hacking-related breaches are tied to passwords, it is clear that many organizations still have room to strengthen their password policies.
Conventional Active Directory password policy rules list basic guidelines like using a combination of uppercase and lowercase letters and setting a minimum password length of eight characters. With hacking techniques constantly evolving, these password policy guidelines must be updated. This list points out some of the lesser-known Active Directory password policy best practices that can help create more stringent password policies.
For a long time, the consensus was that setting shorter expiration limits for passwords meant that users would change their passwords often, which would keep them safe from hacks using stolen passwords, like brute-force attacks. However, requiring users to frequently create new passwords inadvertently leads to bad password practices, like reusing old passwords, or to forgotten passwords, which increase password-related help desk tickets. For this reason, in 2019 Microsoft announced that it no longer recommends a password expiration policy as part of its Cybersecurity Baseline.
If your organization chooses to eliminate password expiration, you should implement other security features such as multi-factor authentication (MFA) to maintain the strength of your IT security. If ditching your password expiration policy seems too risky and you decide to keep it, we recommend setting a maximum password age between 30 and 90 days.
Password length and complexity form the mainstays of password strength. While admins are sure to set both a minimum password length and password complexity settings, they often prioritize complexity over length. A random combination of alphanumeric characters and symbols intuitively seems to be the best defense against password-based attacks that depend on commonly used words and phrases, like dictionary attacks. Unfortunately, this strategy does not hold against every adversary, least of all brute-force attacks, which try every possible combination until they succeed.
Compared to complexity, password length has a greater impact on password entropy, the measure of how unpredictable a password is. The longer the password, the higher its entropy and the stronger it is. The recommended minimum password length is eight characters.
Not setting a minimum password age allows users to work their way around the maximum password age and password history settings. Once a password reaches its maximum age and expires, the user can change it repeatedly until the password history limit is exhausted, and then set the original password again. Setting a minimum password age, that is, a limit on how soon a newly set password can be changed again, is essential to prevent users from cycling passwords this way and putting their account security at risk. We recommend setting a minimum password age value of one day.
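The following script is an added example, not part of the original article or any ManageEngine product, that checks a domain's default password policy against the recommendations above (expiration of 30 to 90 days unless MFA is in place, a minimum length of eight, a minimum age of one day, and a non-empty password history). It assumes the ActiveDirectory (RSAT) module for the live call; the constructed sample object lets the check itself run without a domain.

```powershell
# Added example (not from the original article): audit the default domain
# password policy against the recommendations in the text. Assumes the
# ActiveDirectory module for the live call; the sample object below is constructed.
function Test-PasswordPolicyBaseline {
    param(
        [Parameter(Mandatory)] $Policy,   # Get-ADDefaultDomainPasswordPolicy output or a look-alike
        [switch] $MfaEnforced             # MFA in place, so disabling expiration is acceptable
    )
    $findings = [System.Collections.Generic.List[string]]::new()
    # A MaxPasswordAge of 0 means passwords never expire.
    $maxDays = $Policy.MaxPasswordAge.TotalDays
    if ($maxDays -eq 0) {
        if (-not $MfaEnforced) {
            $findings.Add('Expiration disabled without MFA: enable MFA or set MaxPasswordAge to 30-90 days')
        }
    } elseif ($maxDays -lt 30 -or $maxDays -gt 90) {
        $findings.Add("MaxPasswordAge is $maxDays days; recommended range is 30-90 days")
    }
    if ($Policy.MinPasswordLength -lt 8) {
        $findings.Add("MinPasswordLength is $($Policy.MinPasswordLength); recommended minimum is 8")
    }
    # Without a minimum age, a user can cycle through the history and reuse the old password.
    if ($Policy.MinPasswordAge.TotalDays -lt 1) {
        $findings.Add('MinPasswordAge is under 1 day; history can be cycled to reuse a password')
    }
    if ($Policy.PasswordHistoryCount -eq 0) {
        $findings.Add('PasswordHistoryCount is 0; reuse of previous passwords is not prevented')
    }
    [pscustomobject]@{
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings.ToArray()
    }
}

# Constructed sample policy (not from a real domain): expires at 42 days,
# no minimum age, 7-character minimum length, 24 passwords remembered.
$sample = [pscustomobject]@{
    MaxPasswordAge       = [timespan]::FromDays(42)
    MinPasswordAge       = [timespan]::Zero
    MinPasswordLength    = 7
    PasswordHistoryCount = 24
}
Test-PasswordPolicyBaseline -Policy $sample | Format-List

# Against a live domain (RSAT module, domain-joined host):
#   Test-PasswordPolicyBaseline -Policy (Get-ADDefaultDomainPasswordPolicy) -MfaEnforced
# Remediation for the two findings the sample produces:
#   Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 8 -MinPasswordAge '1.00:00:00'
```

Run against the sample, the check reports the 7-character minimum and the missing minimum age; fine-grained password policies applied through Password Settings Objects are not covered and need a separate check with Get-ADFineGrainedPasswordPolicy.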
Exposed passwords are a major threat to sensitive organizational resources. With rampant password reuse across accounts, exposure of a single password can lead to the compromise of many connected accounts across different applications. Dictionary words and context-specific words like an organization's name and location also make poor passwords, since passwords tied to an environment can be exposed by attackers with insider knowledge. While ideally users should be aware of the importance of creating strong passwords, admins should also implement measures to ban passwords that have been exposed in previous data breaches as well as those commonly used in the organization.
Although password policies are a viable step in the direction of better data security and should be used, they are not a complete security strategy. Password policies help create stronger passwords that defend your organization against attacks, but attack techniques have advanced alongside defenses. So while creating a password policy for your organization, be sure to implement additional security measures like auditing password changes, resets, and expiration to identify attack attempts.
Credential-based attacks are growing stronger, and the data security industry is in consensus that it is too risky to depend solely on passwords for security. Regulations centered on information protection, like the GDPR, HIPAA, and PCI DSS, have all mandated MFA for compliance. The additional layers of security implemented by MFA help protect sensitive data even if the password guarding the account is compromised.
It is also recommended that admins keep up with the password policy guidelines created by organizations like NIST.
2021 Zoho Corporation Pvt. Ltd. All rights reserved.