Password security best practices in PowerShell
According to the 2019 Data Breach Investigation Report by Verizon, stolen credentials are the major cause of data breaches. To safeguard passwords from cyberattacks like brute-force or password spray, compliance regulations like NIST define password security rules to ensure password complexity.
A brief summary of 2019 NIST password security guidelines:
- The minimum and maximum length of the passwords should be eight and sixty-four respectively.
- Permit the usage of printable ASCII characters (including spaces), and Unicode characters.
- Blacklist commonly used words, dictionary words, and breached passwords.
- Restrict the use of repetitive or keyboard sequences.
- Offer guidance, such as a password strength meter, to help users choose a strong password.
- Enforce account lockouts after ten failed authentication attempts.
- Enforce two-factor authentication (2FA) with advanced authentication techniques like Google or Microsoft Authenticator.
All of the above regulations can be enforced on both on-premises and cloud users using ADSelfService Plus, the self-service password management and single sign-on solution. However, it is highly complex to execute the same using PowerShell.
With PowerShell
With ADSelfService Plus
- Configure a password policy with advanced settings via the Password Policy Enforcer
- Go to ADSelfService Plus admin portal.
- Navigate to Configuration > Self-Service > Password Policy Enforcer.
- Enable Enforce Custom Password Policy.
- Ban leaked or weak passwords, keyboard sequences, and palindromes.
- Restrict consecutively repeated characters from the username or old password, as well as common character types at the beginning or end of the passwords.
- Allow users to use Unicode characters in their passwords.
- Display a password strength meter when users change or reset their AD passwords.
- Enforce passphrases.
- Click Save.
- Advanced password policy controls:
Ensures users use strong passwords by banning breached passwords, keyboard sequences, and more.
- Improves IT security:
Supports advanced multi-factor authentication techniques like biometrics and YubiKey to secure self-service password resets and account unlocks.
- Password policy for hybrid AD enforcement:
Admins can enforce custom password policies for users' Active Directory and cloud accounts.
- Compliance: