Passwords are a ubiquitous means of authentication and, unfortunately, so are attacks targeting them. Weak, easy-to-guess, and reused passwords put your network resources at risk of exploitation. With a strong password policy, you can ensure that the passwords chosen by your users do not compromise your organization's security.
Users who reuse and recycle their passwords are more susceptible to credential theft than others. Enable the enforce password history policy to require users to create a new, unique password every time they change it. This setting determines how many new passwords a user must set before an old one can be reused.
Employees can get around the password history setting by changing their passwords repeatedly until they are allowed to reuse their original passwords. To prevent this, set the minimum password age, which controls how long users must keep a password before they can change it again.
The longer a password stays in use, the more exposed it is to a brute-force attack. To limit this exposure, employees must change their passwords regularly. Configure the maximum password age to prompt employees for a password change periodically. This setting determines the time, in days, after which users must change their passwords.
Short passwords, though easy to remember, are prone to dictionary attacks, while long passwords are easily forgotten, leading to frequent account lockouts. To strike the right balance, specify the minimum password length, which sets the fewest characters a user's password may contain.
Weak passwords make it easy for attackers to carry out password-guessing attacks. Enable password complexity requirements to impose stringent conditions on valid passwords. These conditions produce stronger passwords: they must not contain the user's name or parts of it, and they must mix letters, numbers, and symbols, which makes them harder to guess.
Storing passwords using reversible encryption means they can be decrypted. Any capable attacker who compromises such an account could recover the password and use it against your organization's vital resources. This is why it's recommended that you disable reversible encryption for all users. The only exception is an application that genuinely requires the user's password for authentication.
In Active Directory (AD), some high-privileged users may require a custom password policy different from the one linked to the domain. For these users, configure fine-grained password policies and apply them to the security groups those users belong to. This adds an extra layer of protection for admins and other user accounts that have access to your organization's most sensitive resources.
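The settings described above can be applied and verified from PowerShell with the ActiveDirectory module. The script below is an added example, not code from ManageEngine or this page: it records the current default domain policy, applies the six domain-wide settings, then creates a stricter fine-grained password policy (PSO) for privileged groups and shows which policy each member actually ends up with. The numeric values, the PSO name PSO-PrivilegedAccounts, and the groups it is linked to are assumptions chosen for illustration, not values stated by the page.

```powershell
# Added example (not from the page). Assumes a domain-joined host with the
# ActiveDirectory module (RSAT) and an account allowed to edit the default
# domain policy and create PSOs. All numeric values are illustrative choices.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# 1. Record where the domain stands today so the change is reviewable.
Write-Host "Current default domain password policy for $domain"
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object PasswordHistoryCount, MinPasswordAge, MaxPasswordAge,
                  MinPasswordLength, ComplexityEnabled, ReversibleEncryptionEnabled |
    Format-List

# 2. Apply the six domain-wide settings in the order the text describes them.
$domainPolicy = @{
    Identity                    = $domain
    PasswordHistoryCount        = 24                       # enforce password history
    MinPasswordAge              = New-TimeSpan -Days 1     # blocks history cycling
    MaxPasswordAge              = New-TimeSpan -Days 90    # forces periodic change
    MinPasswordLength           = 14                       # minimum password length
    ComplexityEnabled           = $true                    # complexity requirements
    ReversibleEncryptionEnabled = $false                   # never store reversibly
}
Set-ADDefaultDomainPasswordPolicy @domainPolicy

# 3. A stricter fine-grained policy for privileged accounts (assumed name/values).
$psoName = "PSO-PrivilegedAccounts"
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $pso = @{
        Name                        = $psoName
        Precedence                  = 10      # lowest precedence wins if several apply
        PasswordHistoryCount        = 24
        MinPasswordAge              = New-TimeSpan -Days 1
        MaxPasswordAge              = New-TimeSpan -Days 60
        MinPasswordLength           = 20
        ComplexityEnabled           = $true
        ReversibleEncryptionEnabled = $false
        LockoutThreshold            = 5
        LockoutDuration             = New-TimeSpan -Minutes 30
        LockoutObservationWindow    = New-TimeSpan -Minutes 30   # must not exceed LockoutDuration
    }
    New-ADFineGrainedPasswordPolicy @pso
}

# 4. Link the PSO to the global security groups holding privileged accounts.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects "Domain Admins", "Schema Admins"

# 5. Verify: which policy does each privileged user actually get?
#    Get-ADUserResultantPasswordPolicy returns nothing when no PSO applies,
#    meaning the default domain policy is in effect for that user.
foreach ($member in (Get-ADGroupMember -Identity "Domain Admins" -Recursive |
                     Where-Object objectClass -eq 'user')) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $member
    $source = if ($effective) { $effective.Name } else { 'Default Domain Policy' }
    Write-Host ("{0,-25} {1}" -f $member.SamAccountName, $source)
}
```

Step 5 is the check worth keeping around: a PSO linked to a group only covers accounts that are actually members, so an admin account that lands on "Default Domain Policy" in that output has slipped outside the stricter policy.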
Always monitor password changes and resets so that you can act immediately in the event of a security breach. Closely examine the password change history of privileged accounts for any indicators of compromise.
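As an added example, not code from the page or from ADAudit Plus, the following PowerShell script shows what that monitoring looks like with native tooling: it reads password change attempts (Security event ID 4723) and password resets (event ID 4724) from a domain controller's Security log and flags the ones that touch members of privileged groups. It assumes the ActiveDirectory module is installed, that "User Account Management" auditing is enabled on the DC, that the caller can read the DC's Security log, and that the group list in $watched matches what your organization treats as privileged.

```powershell
# Added example (not from the page). Event 4723 = a user tried to change their own
# password; event 4724 = someone reset another account's password. Both are logged
# on the domain controller that handled the request.
Import-Module ActiveDirectory

$dc      = [string](Get-ADDomainController -Discover).HostName
$since   = (Get-Date).AddDays(-7)
$watched = "Domain Admins", "Enterprise Admins", "Schema Admins", "Account Operators"   # assumed list

# Build the set of privileged SAM account names once, nested membership included.
$privileged = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($g in $watched) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [void]$privileged.Add($_.SamAccountName) }
}

$filter = @{ LogName = 'Security'; Id = 4723, 4724; StartTime = $since }
$events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Read the named EventData fields instead of relying on positional Properties.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        Event      = if ($e.Id -eq 4723) { 'Change' } else { 'Reset' }
        Outcome    = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        Target     = $data['TargetUserName']
        Actor      = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        LoggedOn   = $e.MachineName          # the DC that recorded the event
        Privileged = $privileged.Contains($data['TargetUserName'])
    }
}

# Privileged-account activity first, newest first. A reset of an admin account by
# an actor you do not recognise, or a burst of failures against one account, is
# the kind of entry to investigate.
$report | Sort-Object Privileged, Time -Descending | Format-Table -AutoSize
```

For a reset (4724) the interesting field is Actor: the account that performed the reset should be a known help-desk or admin identity, and for privileged targets it should be one that is expected to manage those accounts. The same filter hashtable can be reused in a scheduled task to produce the email notification described next.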
Keeping track of all password changes with native tools can be a gruelling task for administrators. ADAudit Plus, a UBA-driven auditing solution from ManageEngine, provides simple, easy-to-read reports detailing who changed or set which passwords, when, and from which machine, in just a few clicks. With ADAudit Plus, you can also set up email notifications to keep you informed of password changes to privileged accounts.