Why do you need a strong password policy?

Passwords are a ubiquitous means of authentication and, unfortunately, so are attacks targeting them. Weak, easy-to-guess, and reused passwords put your network resources at risk of exploitation. With a strong password policy, you can ensure that the passwords chosen by your users do not compromise your organization's security.

Top 8 password policy best practices

 

Enforce password history

Users who reuse and recycle their passwords are more susceptible to credential theft than others. Enable the enforce password history policy to require users to create a new and unique password every time they change it. This setting determines how many times a user has to change their password before reusing an old one.

 

Set the minimum age

Employees can override the password history setting by changing their passwords repeatedly until they can reuse their original passwords. To prevent this, set the minimum password age, and control how long users have to keep a password before changing it.

 

Configure the maximum age

The longer a password is used, the more susceptible it becomes to a brute-force attack. To overcome this, employees must change their passwords regularly. Configure the maximum password age to prompt employees for password changes periodically. This setting determines the time (in days) after which users need to change their passwords.

 

Fix the minimum length

Short passwords, though easy to remember, are prone to dictionary attacks, while long passwords are easily forgotten, leading to frequent account lockouts. To strike the right balance, specify the minimum password length, which sets the fewest characters a user's password may contain.

 

Add complexity requirements

Weak passwords make it easy for hackers to perpetrate password guessing attacks. Enable password complexity requirements to implement stringent conditions for valid passwords. These conditions ensure strong passwords, which don't contain the users' names or parts of them, and require the use of alphanumeric characters and symbols, making them harder to guess.

 

Disable reversible encryption

Storing passwords using reversible encryption means that they can be decrypted. This would allow any capable attacker to exploit your organization's vital resources through a compromised account. This is why it's recommended you disable reversible encryption for all users. The only exception is when you have an application requiring the user's password for authentication.

 

Deploy fine-grained password policies

In Active Directory (AD), some high-privileged users may require a custom password policy different from those linked to the domain. For these users, configure fine-grained password policies, and link them to their respective security groups. This provides an extra layer of security to admins and other user accounts that have access to your organization's most sensitive resources.

 

Keep track of password changes

Always monitor password changes and resets, so you can take immediate action in the event of a security breach. Closely examine the password change history of privileged accounts to find any indicators of compromise.
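The settings described above can be checked in one pass against a written baseline. The following is an added example, not part of the original page or of any ManageEngine product. It uses the Microsoft ActiveDirectory PowerShell module, and the threshold values in `$baseline` are hypothetical placeholders to be replaced with your organization's own standard.

```powershell
# Added example: audit the default domain policy and every fine-grained
# password policy (FGPP) against a baseline. Read-only; requires the
# ActiveDirectory module (RSAT) and permission to read the domain.
Import-Module ActiveDirectory

# Hypothetical baseline values (assumptions, not taken from the page).
$baseline = @{
    PasswordHistoryCount = 24
    MinPasswordAgeDays   = 1
    MaxPasswordAgeDays   = 90
    MinPasswordLength    = 14
}

function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [string] $Label)
    $f = @()
    if ($Policy.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
        $f += "history=$($Policy.PasswordHistoryCount)" }
    # A minimum age of 0 lets users cycle through the history immediately.
    if ($Policy.MinPasswordAge.TotalDays -lt $baseline.MinPasswordAgeDays) {
        $f += "minAge=$($Policy.MinPasswordAge.TotalDays)d" }
    # A maximum age of 0 is treated here as "password never expires".
    $max = $Policy.MaxPasswordAge.TotalDays
    if ($max -eq 0 -or $max -gt $baseline.MaxPasswordAgeDays) {
        $f += "maxAge=${max}d" }
    if ($Policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
        $f += "minLength=$($Policy.MinPasswordLength)" }
    if (-not $Policy.ComplexityEnabled)      { $f += 'complexity disabled' }
    if ($Policy.ReversibleEncryptionEnabled) { $f += 'reversible encryption enabled' }
    [pscustomobject]@{
        Policy    = $Label
        Compliant = ($f.Count -eq 0)
        Findings  = ($f -join '; ')
    }
}

$results = @(Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) `
                                 -Label 'Default domain policy')
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-PasswordPolicy -Policy $fgpp `
        -Label "FGPP '$($fgpp.Name)' (precedence $($fgpp.Precedence))"
}
$results | Format-Table -AutoSize -Wrap

# Per-account override: userAccountControl bit 0x80 (128) stores the password
# with reversible encryption for that user regardless of the policy above.
Get-ADUser -Filter 'userAccountControl -band 128' |
    Select-Object SamAccountName, DistinguishedName
```

Any account listed by the final query should map to a documented application that needs the user's password for authentication, the one exception the reversible-encryption guidance allows.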

Get real-time alerts on password changes using ADAudit Plus

Keeping track of all password changes using native tools can be a gruelling task for administrators. ADAudit Plus, a UBA-driven auditing solution from ManageEngine, provides simple, easy-to-read reports containing details of who changed or set what passwords, when, and from which machine in just a few clicks. Using ADAudit Plus, you can also set up email notifications to keep you informed of password changes to privileged accounts.
