Password Security Standards: Are they enough?
With data breaches on the rise, more and more organizations are implementing stringent password security standards or password policies to ensure that their employees create strong and complex passwords that are resilient to attacks. Some of the rules in these policies include:
- Setting a minimum password length.
- Enforcing the use of different types of characters.
- Preventing the reuse of old passwords.
- Setting password age limits.
Regardless of whether an organization has put these and other passwords security standards in place, their employees' domain accounts will still be vulnerable if their employees use the same password for multiple services or applications. Irrespective of how strong an employee's password is, if it is used for multiple applications or services, the risk of it being exposed is high.
With a Google survey saying that at least 65% of people use the same passwords across multiple sites, and the Microsoft threat research team announcing that 44 million Microsoft user accounts use credentials that have been exposed during a data breach, it is evident that password security standards need to be reinforced with solutions that can enforce proper security best practices.
Securing AD domain and enterprise accounts using multi-factor authentication
Multi-factor authentication is a process that increases the security of a network by adding additional layers of authentication besides passwords. When multi-factor authentication is enabled, additional layers of authentication like fingerprint authentication and one-time-passcode are enabled. With MFA is enabled, even if hackers get the user's password, the other authentication methods hinder their attempt to hack the account.
ADSelfService Plus, an Active Directory self-service password management and single sign-on solution, offers multi-factor authentication (MFA), to enforce additional layers of authentication for endpoint (Windows, macOS, and Linux) logins, enterprise application logins (through SSO), and Active Directory self-service password reset or account unlock using ADSelfService Plus.
Benefits of ADSelfService Plus's MFA feature:
- Choose from fifteen different authentication methods, including Google Authenticator, YubiKey Authenticator, mail and SMS-based authentication, and RSA SecurID for MFA.
- Create self-service policies, configure different combinations of authentication methods for these policies, and assign them to specific OUs and groups. Only users under these OUs and groups will be asked to authenticate using the configured methods during MFA.
- Specify the number of authentications users must complete to verify their identity
- Enforce any of the authentication methods as mandatory.
ADSelfService Plus also offers a Password Policy Enforcer which provides complexity rules goes above and beyond the password policy settings provided in Active Directory. It ensures that users create strong, complex domain passwords. These rules allow admins to control:
- Characters used in the password: Allows controlling the number of special characters, numbers, and Unicode characters used in passwords.
- Repetition of characters in a password or usage of old passwords: Helps enforce a password history check during password reset, and restrict the consecutive repetition of a specific character from the username (e.g. “aaaaa” or “user01”).
- Usage of patterns and common words: Allows restricting keyboard sequences, dictionary words, and palindromes.
- Length of the password: Enables specifying the minimum and maximum password length.
Other capabilities of ADSelfService Plus that improve the implementation of custom password policies in a domain:
- Allowing users to override the password policy if the password exceeds a certain length.
- Specifying the minimum number of rules that must be satisfied in order to create a password successfully.
- Displaying the password policy's rules during password change and self-service password reset offered by ADSelfService Plus.
- Enforcing the password policy during domain password changes using the Ctrl+Alt+Del screen and password resets using the Active Directory Users and Computers console.
Learn more about ADSelfService Plus.
Simplify password management with ADSelfService Plus.
Thanks!
Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here
Self-service password management and single sign-on solution
ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.
- Self-service password reset / Account Unlock
- Password/account expiration notification
- Remote password reset
- Self-service directory update
- Multi-factor authentication
- Endpoint MFA
- Windows logon two-factor authentication
- Password policy enforcer
- Related Products