In 2024, stolen or weak passwords were the initial cause of 81% of data breaches. Weak passwords are one of the most common causes of successful attacks on Active Directory. Unfortunately, it’s all too common for password policies to be misconfigured or generally not up to scratch. In this blog, we’ll look at how your password policy is probably leaving you at risk.
Why Is Password Policy Important?
A password policy is the set of rules and guidelines that dictate how users create, use, and store passwords within their organization’s web applications or network. A strong password provides at least a minimal standard of security, but an organization’s passwords are only as strong as its password policy allows. Any company that wants to protect its intellectual property, financial data, and customer data should implement a strong password policy.
Weak or compromised passwords pose a serious risk to your organization, leading to possible financial loss, reputational damage, and data exposure. By enforcing strong password policies and proactive security measures, you can protect your most valuable assets: your data and your client relationships. Strong passwords are one of the first lines of defense in your cybersecurity strategy.
Organizations Still Rely on Policies From an Older Era
Current best practices and modern threats have far surpassed the password policies established for Active Directory (AD) in the early 2000s, yet the vast majority of enterprises are still using them. Here is why these outdated policies are still in place and why they need to change:
- Inflexible Default Policy: Active Directory’s default domain policy is not as granular as it could be, because it applies across the entire domain; its settings cannot be tailored to specific organizational units or groups. The Default Domain Policy was designed to apply to every user and computer in the Active Directory domain it is linked to. In many cases, global settings are repeatedly diluted to accommodate legacy systems, and workstations and member servers may not receive the intended policy because of overlapping Group Policy Objects (GPOs), local policy overrides, and inheritance blocks.
- Allows Weak or Predictable Passwords: Passwords such as “123456” that are common or have been used before are not blocked by Active Directory. Users follow predictable patterns: easy-to-guess base words, habitual character substitutions, or simply lengthening a previously used password, all of which are susceptible to brute-force and dictionary attacks. Security guidelines call for a blocklist of easily guessed passwords, a key capability that Active Directory does not provide out of the box.
- MFA Still Not Widely Used: Although MFA is critical to a layered security approach, it is underutilized in on-prem AD environments. The primary reason is that Active Directory does not natively support MFA, so you need to either integrate with a cloud-based identity provider or use a third-party solution. Most organizations fail to enable multi-factor authentication on all accounts, so password-only access points remain exposed, even for privileged users. Weak or poorly implemented MFA can be bypassed by advanced attacks just as easily, which often makes it more dangerous than having no MFA in place at all.
- Outdated Forced Expiration Policies: Outdated mandatory expiration settings in Active Directory hurt both security and user experience. To avoid memorizing complex and frequently changing passwords, users are tempted to write them down or keep them in unsecured places, opening holes for intruders to worm through. Forced rotation every 60 to 90 days pushes users into insecure incremental changes that follow guessable patterns (“Password1,” “Password2”). Modern best practices recommend a more lenient approach that usually combines multi-factor authentication (MFA), extended password expiration, and password reuse limits, which are still missing in Active Directory.
- Poor User Experience: The poor AD user experience is often the result of weak design and management practices, leading to problems such as over-provisioning, unnecessary workflows, and security vulnerabilities. These manifest as timeouts, rejected access attempts, or even an inability to authenticate. Users often cannot keep up with all of the stringent rules, resulting in a frustratingly high rate of lockouts and password resets, which compounds the strain on IT support. True security is undermined when insecure workarounds such as password hints or reuse are tolerated.
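As an added example (not code from the original post or from Lepide), the following PowerShell audit pulls the Default Domain Password Policy and every fine-grained policy and flags the settings discussed above: minimum length, short forced expiration, reuse history, lockout threshold, and reversible encryption. It assumes the RSAT ActiveDirectory module; the numeric thresholds and the “Admin” group heuristic are assumptions chosen for illustration.

```powershell
# Added example, not from the original post: audit the Default Domain Password Policy
# and every fine-grained password policy (PSO) against modern length and expiry guidance.
# Assumes the RSAT ActiveDirectory module and read access to the domain. The thresholds
# below are assumptions chosen for illustration, not values taken from the post.
Import-Module ActiveDirectory

$MinimumLength    = 14   # assumed floor for standard user accounts
$PrivilegedLength = 20   # assumed stricter floor for accounts covered by an admin PSO

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,   # from Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy
        [string] $Name,
        [int]    $RequiredLength = $MinimumLength
    )
    $findings = @()
    if ($Policy.MinPasswordLength -lt $RequiredLength) {
        $findings += "MinPasswordLength is $($Policy.MinPasswordLength); expected at least $RequiredLength"
    }
    # MaxPasswordAge is a TimeSpan; the cmdlets report 0 days when passwords never expire
    $ageDays = [int]$Policy.MaxPasswordAge.TotalDays
    if ($ageDays -gt 0 -and $ageDays -le 90) {
        $findings += "MaxPasswordAge is $ageDays days; 60-90 day rotation drives Password1/Password2 patterns"
    }
    if ($Policy.PasswordHistoryCount -lt 24) {
        $findings += "PasswordHistoryCount is $($Policy.PasswordHistoryCount); expected 24 to limit reuse"
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0; online password guessing is never throttled"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += "ReversibleEncryptionEnabled is true; passwords are recoverable from the directory"
    }
    [pscustomobject]@{ Policy = $Name; Findings = $findings }
}

# Domain-wide baseline that applies wherever no PSO takes precedence
Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'

# PSOs: treat any policy applied to a group whose DN contains "Admin" as privileged (heuristic assumption)
foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $privileged = @($pso.AppliesTo | Where-Object { $_ -match 'Admin' }).Count -gt 0
    $required   = if ($privileged) { $PrivilegedLength } else { $MinimumLength }
    Test-PasswordPolicy -Policy $pso -Name $pso.Name -RequiredLength $required
}
```

A policy with an empty Findings list meets the assumed baseline; a domain with no PSOs at all is itself a finding, since every account is then held to the single default policy.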
Common Pitfalls That Weaken Password Security
Organizations think they have strong password policies, but they often fall into the same traps. Let’s discuss the common pitfalls that weaken password security:
- Short Password Length: One common pitfall that compromises password strength is the length of the password. As recently as 2023, eight-character passwords, and bad ones at that, were still being allowed; that is no longer acceptable. Such short passwords can be cracked in minutes with modern tools.
- Same Policy for All: It is standard procedure to apply the same policy to interns and domain administrators. In fact, this strikes us as an extraordinarily unsafe practice. Fine-grained password policies should be more stringent for privileged accounts than for regular users.
- Over-Reliance on Complexity: Users often fall back on predictable templates such as “Password123!” to satisfy complexity requirements. Attackers know these patterns and build them into their tools, so this trap weakens password security.
- Hardcoded Passwords: A “hardcoded password” is a credential (a username and password combination) embedded directly in scripts, applications, or configuration files. Hardcoded passwords are generally stored in plain text, unencrypted and unobfuscated, which makes them easy targets for internal and external attackers. If a hardcoded password needs to be changed, the new password must be entered manually into every script or system that uses it, which increases the chance of error and leaves legacy credentials lingering.
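The blocklist capability mentioned in the earlier list and the “Password123!” template above both come down to the same check: normalize a candidate back to its base word before comparing it against known-bad words. The following is an added example (not code from the original post or from Lepide); the blocklist, the substitution table and the sample passwords are constructed for illustration, and a real deployment would source the list from breached-password data and run the logic inside a password filter.

```powershell
# Added example, not from the original post: a blocklist check that catches the
# predictable variants described above ("Password123!", "P@ssw0rd", "Summer2024!")
# by normalizing a candidate back to its base word before comparing. The blocklist and
# the substitution table are constructed for illustration; a real deployment would
# draw the list from breached-password data and run this logic in a password filter.
$Blocklist = @('password', 'welcome', 'summer', 'winter', 'qwerty', 'letmein', '123456', 'contoso')

# Reverse the usual character substitutions so "p@ssw0rd" becomes "password"
$Substitutions = @{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }

function Get-NormalizedBase {
    param([Parameter(Mandatory)][string] $Password)
    $s = $Password.ToLowerInvariant()
    # Drop the appended year, sequence number or punctuation ("2024!", "123!", "1")
    $s = $s -replace '[^a-z]+$', ''
    # Undo substitutions in what remains, character by character
    $chars = foreach ($c in $s.ToCharArray()) {
        $k = [string]$c
        if ($Substitutions.ContainsKey($k)) { $Substitutions[$k] } else { $k }
    }
    -join $chars
}

function Test-BlockedPassword {
    param([Parameter(Mandatory)][string] $Password)
    $raw  = $Password.ToLowerInvariant()
    $base = Get-NormalizedBase $Password
    # Substring match on both the raw and normalized forms: "mypassword", "P@ssw0rd"
    # and "123456" all collapse onto a blocked entry
    foreach ($word in $Blocklist) {
        if ($raw.Contains($word) -or $base.Contains($word)) { return $true }
    }
    return $false
}

# Constructed samples: the first four satisfy AD's built-in complexity rule yet are blocked;
# the passphrase on the end passes because it normalizes to nothing on the list
'Password123!', 'P@ssw0rd', 'Summer2024!', 'Welcome1!', 'Correct-Horse-Battery-Staple' |
    ForEach-Object {
        [pscustomobject]@{ Password = $_; Base = (Get-NormalizedBase $_); Blocked = (Test-BlockedPassword $_) }
    }
```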
Summary
By enforcing MFA, increasing passphrase length, banning commonly used password content, retiring old hashes, and updating your password policy in light of the guidance above, you dramatically improve security while lowering the maintenance burden and user friction. Unfortunately, many organizations are stuck with yesterday’s password strategies, which cannot protect their Active Directory infrastructure from today’s threats. By reviewing current configurations, identifying vulnerabilities, and bringing them up to newer standards, you can close one of the biggest under-the-radar security holes in enterprise IT.
If you’re still relying on the same AD password policy you rolled out with Windows Server 2008, it’s due for an upgrade.
Lepide Active Directory Auditor helps you identify weak password configurations, track policy violations, and audit password-related changes across your Active Directory environment. Start your free trial today and take the guesswork out of password security.