Despite the fact that hackers often breach organizational networks by leveraging a compromised password, many organizations still allow employees to set weak passwords that are easy to guess. Weak passwords are still the norm, and bad practices like reusing passwords or using usernames as passwords are rampant. Password statistics from 2019 depict worrying figures on poor password hygiene:
Exposure of even a single employee password can jeopardize the security of organizational data. Data breaches not only cost organizations their revenue and reputation, but can also lead to legal ramifications. Since passwords are our first line of defense against cyberattacks, they must be chosen carefully. Ensuring employees create strong passwords for their business accounts is the first step towards data security. Strong passwords are difficult to compromise and help prevent hijacked accounts and data leaks.
Use the following factors as a guide to ensure employees create strong passwords:
Create a password that uses all character types—uppercase and lowercase letters, numbers, and symbols.
Maintain a formidable password length. Microsoft recommends a minimum password length of eight characters.
Avoid common words like password and admin.
Avoid common patterns like 12345 and qwerty. Palindromes are also better left out.
Steer clear of using organization-related words like company names or number sequences like employee IDs as passwords.
Avoid reusing a password multiple times for the same account or using passwords that are similar to usernames.
Passphrases are a good alternative to passwords. They are longer and easier to remember.
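The guidelines above can be turned into an automated pre-check that runs before a password is accepted. The following PowerShell function is an added example, not ManageEngine's or Microsoft's code: it tests a candidate password against each guideline listed above and reports every rule it fails. The organization-word list, the username and the sample passwords are constructed placeholders.

```powershell
# Added example, not ManageEngine's or Microsoft's code: checks a candidate password
# against the guidelines above. Organization words and previous passwords are
# constructed placeholders supplied by the caller.
function Test-PasswordGuidelines {
    param(
        [Parameter(Mandatory = $true)][string]$Password,
        [string]$UserName = '',
        [string[]]$OrganizationWords = @(),
        [string[]]$PreviousPasswords = @()
    )

    $failures = New-Object System.Collections.Generic.List[string]
    $lower    = $Password.ToLowerInvariant()

    # All four character types: upper, lower, digit, symbol (-cnotmatch is case-sensitive)
    if ($Password -cnotmatch '[A-Z]')       { $failures.Add('no uppercase letter') }
    if ($Password -cnotmatch '[a-z]')       { $failures.Add('no lowercase letter') }
    if ($Password -notmatch '[0-9]')        { $failures.Add('no digit') }
    if ($Password -notmatch '[^A-Za-z0-9]') { $failures.Add('no symbol') }

    # Minimum length of eight characters (Microsoft's recommended minimum)
    if ($Password.Length -lt 8) { $failures.Add('shorter than 8 characters') }

    # Common words and common keyboard/number patterns
    foreach ($word in @('password', 'admin', '12345', 'qwerty')) {
        if ($lower.Contains($word)) { $failures.Add("contains '$word'") }
    }

    # Palindromes read the same backwards, so they are easy to guess
    $chars = $lower.ToCharArray()
    [array]::Reverse($chars)
    if ($lower.Length -gt 1 -and $lower -eq (-join $chars)) { $failures.Add('is a palindrome') }

    # Organization-related words such as the company name or an employee ID prefix
    foreach ($word in $OrganizationWords) {
        if ($word -and $lower.Contains($word.ToLowerInvariant())) {
            $failures.Add("contains organization word '$word'")
        }
    }

    # Reuse of an earlier password (exact match) and similarity to the username
    if ($PreviousPasswords -ccontains $Password) { $failures.Add('reuses a previous password') }
    if ($UserName) {
        $u = $UserName.ToLowerInvariant()
        if ($lower.Contains($u) -or $u.Contains($lower)) { $failures.Add('is similar to the username') }
    }

    # Passphrases: several words and a generous length
    $isPassphrase = (($Password -split '\s+').Count -ge 3) -and ($Password.Length -ge 16)

    [pscustomobject]@{
        Compliant    = ($failures.Count -eq 0)
        IsPassphrase = $isPassphrase
        Failures     = $failures.ToArray()
    }
}

# Constructed sample inputs: a weak password that fails several rules, then a passphrase
Test-PasswordGuidelines -Password 'Password123!' -UserName 'jsmith' -OrganizationWords @('contoso')
Test-PasswordGuidelines -Password 'Correct-Horse Battery Staple 42' -UserName 'jsmith' -OrganizationWords @('contoso')
```

The first call reports `contains 'password'` and returns `Compliant = $false`; the second passes every rule and is flagged as a passphrase. A check like this only catches what its lists contain, so the common-word and organization-word lists should be fed from a maintained source rather than hard-coded.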
While complying with the guidelines mentioned above can help create strong passwords that are resistant to hacks, making sure your organization's employees follow them can be quite the task. Enforcing password policies helps admins achieve this and helps meet regulatory compliance. Password policies are rules that, when enforced during password change and password reset, permit the creation of passwords only when all the guidelines are adhered to.
Active Directory provides domain password policies that help admins mandate parameters like complexity, length, and age of the domain passwords. The password policy is created by configuring policy settings according to the organization's security stance. These settings are:
Set the number of new passwords that must be used before an old password can be reused.
Specify the maximum time that a password can be used before a change is mandated.
Set the minimum amount of time that a password has to be used for before it can be changed.
Mandate the minimum number of characters that the password must contain.
Require that passwords meet complexity requirements. The following rules must be complied with to satisfy this setting:
Active Directory also offers Fine-Grained Password Policies (FGPPs). As the name suggests, these policies can be configured at a granular level for specific sets of users. FGPPs are composed of the same five settings as domain password policies. Here are some differences between the two:
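Both the domain-wide settings described above and a fine-grained policy can be inspected and configured from PowerShell with the RSAT ActiveDirectory module. The script below is an added example, not the page's or ManageEngine's own code; the domain name, policy name, numeric values, group and user account are assumed placeholders, and the `-WhatIf` switch on the domain-wide change previews it without applying it.

```powershell
# Added example, not ManageEngine's or Microsoft's code. Run from a domain-joined
# admin workstation with the RSAT ActiveDirectory module installed. Domain name,
# policy name, values, group and user below are constructed placeholders.
Import-Module ActiveDirectory

# 1. Read the current domain password policy: the five settings discussed above
Get-ADDefaultDomainPasswordPolicy |
    Select-Object PasswordHistoryCount, MaxPasswordAge, MinPasswordAge,
                  MinPasswordLength, ComplexityEnabled

# 2. Tighten the domain-wide policy; remove -WhatIf to apply the change
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example' `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 12 `
    -ComplexityEnabled $true `
    -WhatIf

# 3. Create a fine-grained password policy (PSO) with stricter values for one group.
#    When a user is covered by several PSOs, the lowest Precedence value wins.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAdmins' -Precedence 10 `
    -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MinPasswordLength 15 `
    -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false

# 4. Apply the PSO to a global security group (PSOs target users and groups, not OUs)
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAdmins' -Subjects 'Domain Admins'

# 5. Verify which policy actually applies to a given account after precedence is resolved
Get-ADUserResultantPasswordPolicy -Identity 'jsmith'
```

Step 5 is the check worth keeping in a runbook: the resultant policy is what the domain controller enforces for that user, regardless of which PSO an admin believes is in effect.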
Although domain password policies and FGPPs help ensure that domain users uphold strong password creation and regular password updates, they come with their own set of challenges.
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution. It offers the Password Policy Enforcer feature that allows admins to create and enforce custom password policies for Active Directory and cloud application passwords.
The password policies can be created by configuring the required policy rules from the list provided. The rules are offered to ensure the passwords created by employees are secure according to four factors:
Custom password policies can be applied to users belonging to specific domains, OUs, and groups. Different password policies can be applied to particular applications as well.
Password policies can be configured to help comply with the password requirements of regulations like NIST, CJIS, PCI DSS, and HIPAA.
A password strength meter shows how strong the user's password is as it is being created.
The password policy created can be enforced during password changes using the Ctrl+Alt+Del portal and password resets using the ADUC console. Password policies can also be applied for accounts of enterprise applications.
The password policy requirements will be displayed during password changes and resets.
ADSelfService Plus' integration with Have I Been Pwned?—the service that compiles and updates databases of exposed credentials—prevents employees from using passwords that have previously been exposed.
This tool helps you find weak passwords in Active Directory by comparing users’ passwords against a list of over 100,000 commonly used weak passwords. When it finds a match, the report will display the users' details. You can then force a password change for these employees.
ADSelfService Plus offers reports that audit password-based actions like password resets and changes performed by the user. Detailed information like the time of the action and device from which it was performed is stored as well.
While creating strong passwords can contribute to data security, including additional authentication methods through multi-factor authentication can further strengthen system and network security. ADSelfService Plus helps secure local and remote access to endpoints and enterprise applications through multi-factor authentication.