Although attackers routinely breach organizational networks by leveraging a compromised password, many organizations still allow employees to set weak, easily guessed passwords. Weak passwords remain the norm, and bad practices such as reusing passwords across accounts or using the username as the password are rampant. Breach statistics paint a worrying picture of poor password hygiene:
The personal data of over 5.2 million guests was exposed in a breach at a major hospitality company. The breach was traced to the compromise of two employees' login credentials.
The exposure of even a single employee password can jeopardize the security of organizational data. Data breaches cost organizations revenue and reputation, and can also carry legal consequences. Because passwords are usually the first line of defense against an attacker, they must be chosen carefully. Implementing password security best practices helps prevent account hijacking and data leaks.
Use the below factors as a guide to ensure employees create strong passwords:
Factor | Guidance |
---|---|
Complexity | Use all character types: uppercase and lowercase letters, numbers, and symbols. |
No patterns | Avoid common patterns such as 12345 and qwerty. Palindromes are also better left out. |
Adequate length | Microsoft recommends a minimum password length of eight characters; treat that as a floor rather than a target, since every additional character multiplies the work of an offline cracking attack. |
No dictionary words | Steer clear of organization-related words such as company names, and of predictable number sequences such as employee IDs. |
Uniqueness | Avoid common words such as password and admin. |
Minimal repetition | Do not reuse a password for the same account, and do not choose a password that resembles the username. |
Passphrases
Passphrases are a good alternative to passwords: several unrelated words strung together are longer than a typical password, and easier to remember.
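The following PowerShell function is an added example, not code from the original page or from ManageEngine. It applies the factors above (length, character classes, patterns, banned words, username similarity, repeated characters) to a candidate password and reports every rule it breaks, so the user sees all problems at once rather than one per attempt. The minimum length of 14, the banned-word and sequence lists, and the sample passwords are constructed for illustration; the normalization step undoes common letter-for-symbol substitutions so that "P@ssw0rd" is still caught as "password".

```powershell
# Added example (not the page's or ManageEngine's code). Rule values below are assumptions.
function Test-CandidatePassword {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string]   $UserName    = '',
        [string[]] $BannedWords = @('password', 'admin', 'welcome', 'contoso'),  # constructed list
        [int]      $MinLength   = 14
    )
    $failures = [System.Collections.Generic.List[string]]::new()
    $lower = $Password.ToLowerInvariant()
    # Undo common substitutions so "P@ssw0rd" still matches the banned word "password"
    $normalized = $lower -replace '@', 'a' -replace '0', 'o' -replace '1', 'i' -replace '3', 'e' -replace '\$', 's' -replace '5', 's'

    # Adequate length
    if ($Password.Length -lt $MinLength) { $failures.Add("shorter than $MinLength characters") }

    # Complexity: count the character classes actually present (-cmatch is case-sensitive)
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '\d')           { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) { $failures.Add("uses only $classes of the 4 character classes") }

    # No patterns: digit runs, keyboard walks and palindromes
    foreach ($seq in @('12345', 'qwerty', 'asdfgh', 'abcdef')) {
        if ($lower.Contains($seq)) { $failures.Add("contains the sequence '$seq'") }
    }
    $chars = $lower.ToCharArray()
    [array]::Reverse($chars)
    if ($lower.Length -ge 4 -and (-join $chars) -eq $lower) { $failures.Add('is a palindrome') }

    # No dictionary or organization words, checked against the normalized form
    foreach ($word in $BannedWords) {
        if ($normalized.Contains($word.ToLowerInvariant())) { $failures.Add("contains the banned word '$word'") }
    }

    # Not similar to the username
    if ($UserName.Length -ge 3 -and $normalized.Contains($UserName.ToLowerInvariant())) {
        $failures.Add('contains the username')
    }

    # Minimal repetition: the same character three or more times in a row
    if ($Password -match '(.)\1{2,}') { $failures.Add('repeats a character three or more times in a row') }

    [pscustomobject]@{
        Passes   = ($failures.Count -eq 0)
        Failures = $failures.ToArray()
    }
}

# Constructed sample inputs: the first two fail several rules, the passphrase passes
Test-CandidatePassword -Password 'P@ssw0rd123' -UserName 'jsmith'
Test-CandidatePassword -Password 'jsmith2024!!!' -UserName 'jsmith'
Test-CandidatePassword -Password 'correct-horse-Battery-staple-9' -UserName 'jsmith'
```

The function never logs or returns the password itself, only the list of failed rules; a real enforcement hook (a password filter DLL or a self-service portal) should keep that property, since a rejected candidate is often one character away from the password the user settles on.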
While following the guidelines above helps create strong passwords that resist guessing and offline cracking, making sure an organization's employees actually follow them is challenging. Enforcing password policies lets admins achieve this and helps meet regulatory compliance. Password policies are rules that, when enforced during password changes and password resets, permit a new password only when every guideline is met. Implementing best practices for password policies helps administrators secure their organization and satisfy compliance requirements.
Active Directory provides domain password policies that help admins mandate parameters like complexity, length, and age of the domain passwords. The password policy is created by configuring policy settings according to the organization's security stance. These settings are:
Password history
Set the number of new passwords that must be used before an old password can be reused.
Maximum password age
Specify the maximum time that a password can be used before a change is mandated.
Minimum password age
Set the minimum amount of time that a password has to be used before it can be changed.
Minimum password length
Mandate the minimum number of characters that the password must contain.
Minimum password length audit
Audit password changes that would violate a new minimum password length policy before enforcing it.
Reversible encryption
Determine whether passwords are stored with reversible encryption. This is equivalent to storing them in plaintext, so leave it disabled unless a legacy authentication protocol such as CHAP specifically requires it.
Passwords must meet complexity requirements
When this setting is enabled, a new password is accepted only if it satisfies all of the following rules:
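The PowerShell below is an added example, not code from the original page: it reads the default domain password policy described above with the ActiveDirectory module, flags each setting that falls short of a hardening target, and then shows the single Set- call that corrects them. The domain name corp.example and the target values (14 characters, 24-password history, one-day minimum age, lockout after 10 failures) are assumptions for illustration; substitute your own baseline.

```powershell
# Added example (not the page's own code). Domain name and target values are assumptions.
Import-Module ActiveDirectory

$domain = 'corp.example'
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

$findings = @()
if ($policy.MinPasswordLength -lt 14)    { $findings += "MinPasswordLength is $($policy.MinPasswordLength); target is at least 14" }
if ($policy.PasswordHistoryCount -lt 24) { $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); target is 24" }
if (-not $policy.ComplexityEnabled)      { $findings += 'ComplexityEnabled is off' }
if ($policy.ReversibleEncryptionEnabled) { $findings += 'ReversibleEncryptionEnabled is on (passwords recoverable in plaintext)' }
# A zero minimum age lets a user cycle through the whole history in seconds to get an old password back
if ($policy.MinPasswordAge -lt (New-TimeSpan -Days 1)) { $findings += "MinPasswordAge is $($policy.MinPasswordAge); target is at least 1 day" }
# A zero maximum age means passwords never expire
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) { $findings += 'MaxPasswordAge is 0 (passwords never expire)' }
# No lockout threshold leaves online guessing unlimited
if ($policy.LockoutThreshold -eq 0) { $findings += 'LockoutThreshold is 0 (no lockout)' }

if ($findings.Count -eq 0) { 'Default domain password policy meets the targets.' } else { $findings }

# Apply the hardened settings. -WhatIf previews the change; remove it to commit.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) -WhatIf
```

The audit half is worth running on a schedule: the default domain policy is stored in the Default Domain Policy GPO, and anyone with rights to edit that GPO can silently weaken it.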
Active Directory also provides fine-grained password policies (FGPPs). As the name suggests, these can be configured at a granular level for specific sets of users. FGPPs carry the same password settings as domain password policies, plus the account lockout settings, and require the Windows Server 2008 domain functional level or later. Here are the main differences between the two:
Domain password policies | Fine-grained password policies |
---|---|
Only one domain password policy can apply to all the users in a single domain. | Multiple FGPPs can be applied to different groups of users in a single domain. |
Separate domain password policies must be created for each domain. | More than one group (or user) can fall under a single FGPP. |
Created in Group Policy Objects (the Default Domain Policy). | Created as Password Settings Objects (PSOs) in the Password Settings Container. |
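The following PowerShell is an added example, not code from the original page: it creates a stricter FGPP (a PSO) for privileged accounts, attaches it to a global security group, resolves which policy one account actually receives, and inventories every PSO with its subjects. The PSO name, the group Tier0-Admins and the account alice.admin are assumptions for illustration.

```powershell
# Added example (not the page's own code). PSO, group and account names are assumptions.
Import-Module ActiveDirectory

# When several PSOs apply to a user, the lowest Precedence value wins, and a PSO linked
# directly to the user beats any PSO inherited through group membership.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -Description 'Stricter policy for Tier 0 administrative accounts' `
    -MinPasswordLength 20 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -ReversibleEncryptionEnabled $false `
    -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ProtectedFromAccidentalDeletion $true

# PSOs bind to users and global security groups only, never to OUs. Using a group means
# membership changes move accounts in and out of the policy automatically.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Resultant policy for one account. No output means no PSO applies and the
# default domain policy governs the account.
$resultant = Get-ADUserResultantPasswordPolicy -Identity 'alice.admin'
if ($null -eq $resultant) {
    'alice.admin: governed by the default domain password policy'
} else {
    $resultant | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold
}

# Inventory every PSO and who it applies to, to catch overlapping or orphaned policies.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $subjects = (Get-ADFineGrainedPasswordPolicySubject -Identity $_ | Select-Object -ExpandProperty Name) -join ', '
    '{0} (precedence {1}): {2}' -f $_.Name, $_.Precedence, $subjects
}
```

Checking the resultant policy per account is the step most often skipped: a PSO that exists but whose subject group is empty, or that loses a precedence tie to a laxer PSO, enforces nothing.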
Although domain password policies and FGPPs help ensure that domain users uphold strong password creation and regular password updates, they come with their own set of challenges.
ManageEngine ADSelfService Plus is an identity security solution with MFA, SSO, and self-service password management capabilities. It provides the Password Policy Enforcer feature that empowers admins to create and enforce custom password policies for Active Directory and cloud application passwords.
The password policies can be created by configuring the required policy rules from the list provided. The rules are offered to ensure the passwords created by employees are secure according to four factors:
Characters
Patterns
Repetition
Length
Fine-grained application
Custom password policies can be applied to users belonging to specific domains, OUs, and groups. Different password policies can be applied to particular applications as well.
Compliance
Password policies help comply with password requirements for regulations like NIST, CJIS, PCI DSS, and HIPAA.
Password strength analyzer
This meter depicts how strong the user's password is during creation.
Universal password policy
The password policy created can be enforced during password changes made through the Ctrl+Alt+Del change-password screen and during password resets performed in the ADUC console. Password policies can also be applied to the accounts of enterprise applications.
Password policy display
The password policy requirements will be displayed during password changes and resets.
Ban breached passwords
ADSelfService Plus' integration with Have I Been Pwned—the service that compiles and updates databases of exposed credentials—prevents employees from using passwords that have previously been exposed.
Weak passwords report
This tool helps you find weak passwords in Active Directory by comparing users’ passwords against a list of over 100,000 commonly used weak passwords. When it finds a match, the report will display the users' details. You can then force a password change for these employees.
Password audits
ADSelfService Plus generates reports that audit password-based actions like password resets and changes performed by the user. Detailed information like the time of the action and the device from which it was performed is stored as well.
While creating strong passwords can contribute to data security, including additional authentication methods through multi-factor authentication can further strengthen system and network security. ADSelfService Plus helps secure local and remote access to endpoints and enterprise applications through multi-factor authentication.