Having a strong password policy is your first line of defence. Many users are aware of the security risks associated with having an easy-to-guess password, yet often they choose one anyway. We understand that it can be frustrating to be asked to memorize complex passwords, only to be asked to change them every 90 days. It is therefore necessary for sysadmins to reason with staff members and make sure that they understand the importance of having a strong password policy. You will need to convince them that you’re not just doing it to make their lives harder.
Microsoft Active Directory has a password policy feature which enables you to enforce the use of strong passwords. It also allows you to configure an account lockout policy, which is used to ensure that attackers cannot easily guess a password using a brute-force attack. Active Directory also gives you the option to configure different policies for different domains. When developing a strong password policy, there are a number of best practices you should keep in mind.
We would recommend that you use at least 10 characters in your passwords. To put things in perspective, an 8-character Windows password can be cracked in less than 3 hours using a budget password cracking rig. If you want your passwords to be super-secure, you may choose to enforce a 15-character passphrase instead. Naturally, you will need to prevent staff members from using easy-to-guess passwords such as “password12”, dictionary words, default passwords, phone numbers, license plate numbers, or anything that can be connected to them in some way.
Protecting passwords can be slightly trickier. When passwords become too complex, staff members have been known to write them down on post-it notes, thus completely undermining the password policy objectives. It is therefore important that you discourage them from doing this, and instead encourage them to use a password management tool. Of course, they will still have to memorize a complex master key, but it makes things easier when they have many different passwords to remember.
It is also important to check that passwords are being sent to the server in a secure manner. For example, it is more secure to send information via “https”, as opposed to the standard “http” protocol.
Passwords must be changed every 90 days, or 180 days for passphrases. However, some studies have suggested that it is better to change them less frequently as “users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily.” Staff members should also be cautious about allowing people to look over their shoulder when they enter their password.
While it is not something a sysadmin can enforce, staff members should be discouraged from using the same password on multiple applications that contain sensitive data.
Password Protection Using Active Directory
Active Directory has an “Enforce password history” policy setting which can be set to determine the number of unique passwords that must be used before an old password can be reused. Other useful settings include “Minimum password age”, and “Password must meet complexity requirements”.
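The settings named above, together with the lockout policy and per-domain policies mentioned earlier, can be audited and applied from PowerShell. The script below is an added example, not code from the original article or from Lepide; it assumes the RSAT ActiveDirectory module and rights to modify the domain password policy, and the baseline values are taken from this article's recommendations (adjust them to your own policy).

```powershell
# Added example: audit each domain's default password policy against the
# article's recommendations, then (optionally) apply the baseline.
# Assumes: RSAT ActiveDirectory module installed, run as a domain admin.
Import-Module ActiveDirectory

# Baseline values from the article; the lockout threshold is an assumption.
$Baseline = [ordered]@{
    MinPasswordLength    = 10                           # at least 10 characters
    PasswordHistoryCount = 24                           # "Enforce password history"
    MinPasswordAge       = [TimeSpan]::FromDays(1)      # "Minimum password age": blocks instant reuse
    MaxPasswordAge       = [TimeSpan]::FromDays(90)     # 90-day rotation, as stated above
    ComplexityEnabled    = $true                        # "Password must meet complexity requirements"
    LockoutThreshold     = 5                            # failed attempts before lockout (brute-force guard)
}

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $current = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    foreach ($setting in $Baseline.Keys) {
        $actual   = $current.$setting
        $expected = $Baseline[$setting]
        # Counts and minimum ages must be at least the baseline; the maximum age
        # must be no longer than the baseline and not "never expires" (zero or MaxValue).
        $ok = switch ($setting) {
            'MaxPasswordAge'    { $actual -gt [TimeSpan]::Zero -and $actual -le $expected }
            'ComplexityEnabled' { $actual -eq $expected }
            'LockoutThreshold'  { $actual -gt 0 -and $actual -le $expected }
            default             { $actual -ge $expected }
        }
        [pscustomobject]@{
            Domain = $Domain; Setting = $setting
            Current = $actual; Baseline = $expected; Compliant = $ok
        }
    }
}

# Every domain in the forest can carry its own policy, so check each one.
$findings = foreach ($d in (Get-ADForest).Domains) { Test-DomainPasswordPolicy -Domain $d }
$findings | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Apply the baseline to the current domain once the report has been reviewed:
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot @Baseline
```

Note that the domain-wide password settings are normally delivered by the Default Domain Policy GPO; if that GPO defines them, it will overwrite values written with Set-ADDefaultDomainPasswordPolicy on the next policy refresh, so make the same change in the GPO as well.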
One thing that Active Directory does not provide is an automated password expiration notification tool. Manually reminding users to reset their passwords is clearly not the most efficient approach, especially when there are tools available that can automate the process. Tools such as LepideAuditor are able to provide automated password reminders via email. The emails are fully customizable, and follow-up notifications can be sent should a user fail to take action. The solution also comes with an intuitive console which displays a complete summary of both expired and soon-to-expire passwords across single or multiple domains.