
Password Security » Mandatory Password Changes are obsolete | Microsoft

Mandatory password changes are now obsolete.

Last year, Microsoft announced that periodic password changes have been removed from the security guidelines it recommends to customers. Mandatory periodic password changes, enforced through password expiration, were touted for years as a necessary step for Active Directory account security, so why did this change come about?

It turns out that when pushed to change their passwords regularly, users tend to create simpler, easy-to-remember passwords that differ by only one or two characters from their predecessors. Add to that the practice of reusing the same password across multiple accounts, and you have a problem that defeats the purpose of imposing regular password changes.

A simple workaround for this is to enforce rules that help users create stronger, more complex passwords. Examples of such rules are:

  • Enforcing the use of all types of characters (uppercase letters, lowercase letters, numbers, and special characters).
  • Forbidding the use of words that may be common in your organization.
  • Preventing the use of previous passwords.

Another solution is to prevent users from choosing passwords that have already been exposed in data breaches. Attackers are notorious for saving the passwords they obtain in data breaches and using them in future attacks. Since password reuse is another dangerous habit, if users are not prevented from using exposed credentials, their accounts risk being breached.

ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, offers the Password Policy Enforcer feature, which allows organizations to create custom password policies and apply them to the desired OUs and groups. The password policies are composed of complexity rules that compel users to create strong, complex passwords. The rules allow admins to manage:

  1. Characters used in the password: This includes rules that restrict the number of special characters, numbers, and Unicode characters used in passwords.
  2. Repetition of characters in a password or usage of old passwords: This includes rules that enforce a password history check during password reset, and that restrict the consecutive repetition of a specific character or the use of characters from the username (e.g. “aaaaa” or “user01”).
  3. Usage of patterns and common words: This includes rules that restrict keyboard sequences, dictionary words, and palindromes.
  4. Length of the password: This includes rules that specify the minimum and maximum password length.

ADSelfService Plus also provides the following options that improve the implementation of custom password policies in a domain:

  • Allowing users to override the password policy if the password exceeds a certain length.
  • Specifying the minimum number of rules that must be satisfied in order to create a password successfully.
  • Displaying the password policy's rules during password change and self-service password reset offered by ADSelfService Plus.
  • Enforcing the password policy during domain password changes using the Ctrl+Alt+Del screen and password resets using the Active Directory Users and Computers console.

Another feature offered by ADSelfService Plus is integration with Have I Been Pwned?, a service that warns users if the password they have created has been exposed in a previous breach. Once ADSelfService Plus is integrated with Have I Been Pwned?, domain users are alerted when a password they create during any of the following actions has been exposed before:

  • Self-service password reset using ADSelfService Plus
  • Password change using the Ctrl+Alt+Del option
  • Password reset using the Active Directory Users and Computers console
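A breached-password check like the one described above can be performed without ever sending the password itself to the service: the Pwned Passwords range API (a public Have I Been Pwned endpoint, not something this page describes) takes only the first five hex characters of the password's SHA-1 hash and returns every matching hash suffix with its breach count, so the client compares suffixes locally. The following is an added example, not ADSelfService Plus code; the breach counts and the offline stand-in for the service are constructed for the demo, and the live fetcher assumes the endpoint URL shown.

```python
import hashlib
import urllib.request
from typing import Callable
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # public Pwned Passwords endpoint

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    # Only the 5-char prefix is sent to the service; the 35-char suffix stays on the client.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    # Each response line is 'SUFFIX:COUNT'; blank lines are skipped.
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    # How often the password appears in known breaches (0 = not found);
    # a policy enforcer would reject any candidate with a non-zero count.
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_live(prefix: str) -> str:
    # Fetcher for the real service; not exercised by the offline demo below.
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed offline stand-in: made-up breach counts for two weak passwords, bucketed by prefix.
_CONSTRUCTED_BREACHES = {"password": 3861493, "letmein": 114216}

def _build_fixture() -> dict[str, list[str]]:
    fixture: dict[str, list[str]] = {}
    for pw, n in _CONSTRUCTED_BREACHES.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        fixture.setdefault(prefix, []).append(f"{suffix}:{n}")
    bucket = fixture[sha1_prefix_suffix("password")[0]]
    for i in range(3):  # unrelated hashes that happen to share the prefix
        bucket.append(hashlib.sha1(f"filler{i}".encode()).hexdigest().upper()[5:] + f":{i + 1}")
    return fixture

_FIXTURE = _build_fixture()

def fetch_range_offline(prefix: str) -> str:
    return "\r\n".join(_FIXTURE.get(prefix.upper(), []))
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service; either way the check can be wired into a password-change or reset hook to refuse any candidate with a non-zero count.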

ADSelfService Plus also offers other features to protect AD accounts in the organization. Some of these include:

  • Multi-factor Authentication: Adds multiple layers of authentication using methods like TOTP, Google Authenticator, and fingerprint authentication during domain login, self-service actions like password reset and account unlock through the ADSelfService Plus portal, and enterprise login (during SSO).
  • Single Sign-on: Allows users to log into the ADSelfService portal once and access other enterprise applications without logging in again.
  • Password Expiration Notification: Notifies users about their soon-to-expire passwords.

Simplify password management with ADSelfService Plus.
