Hackers are using weak and stolen credentials in a significant way to compromise business-critical environments. Stealing access to your environment using a known password for a user account is a much easier way to compromise systems than relying on other vulnerabilities. Therefore, using good password security and robust password policies is an excellent way for organizations to bolster their cybersecurity posture.
What characteristics make up an effective password policy?
Developing an effective reporting structure for key business stakeholders, leadership, and external entities showing compliance with strong password security policies is essential.
With changing times and evolving cybersecurity threats, best practice recommendations regarding password policies are changing as well. We have had years to understand and learn what works and what doesn’t with password policies. Let’s note the following best practice guidelines regarding effective password policies:
- Encourage the use of passphrases
- Don’t throw away password expiry
- Implement breached password protection
- Use password dictionary checks
- Use account lockout policies
1. Encourage the use of passphrases
Traditional passwords are often easily cracked by the right hacker tools, even with symbols and special characters. For this reason, it is more important to have a strong password that is made up of many characters than a shorter password that contains special characters. Therefore, cybersecurity standards now strongly recommend that organizations allow and encourage end-users to use passphrases as valid passwords.
Passphrases offer many benefits over traditional passwords. These benefits include easier to remember than passwords with special characters. They are much longer and stronger passwords that can be unpredictable for attackers hoping to compromise accounts. As an example, note the following comparison (larger bits equal stronger password)
- MyP@$$w0rd1$ (84 bits)
- Is.My.Password (100 bits)
Arguably, the second password, a passphrase, is much easier to remember and type, and it is a stronger password.
2. Don’t throw away password expiry
Recent guidance from regulatory bodies like the National Institute of Standards and Technology (NIST) has organizations considering throwing away password expiry rules. But you might not want to do that just yet.
Password expiry or password aging forces a password change once the password reaches a certain age.
The recent guidance from the NIST encourage organizations not to force end-users to change their passwords after a mandated period of time:
“Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”
NIST explains the updated guidance in this way:
“Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations.”
UK-specific recommendations can be seen outlined by the National Cyber Security Centre and promote much of the same standard password policies as NIST. You can read more about configuring the NCSC password list in AD in this helpful blog post.
However, the problem with this recommendation is that it assumes you can confidently detect when an account on your network has become compromised when industry data shows that is not reality. According to IBM, it can take 280 days to discover you’ve been breached. A lot of organizations see password expiry as a way to mitigate this. Never mind organizations who are trying to comply with PCI or other standards that still require it.
The problem with expiry is that too much can mean users create weak passwords that follow predictable patterns. However, encouraging the use of passphrases with technical features like length-based password aging, which rewards users with more time before expiry the longer they set their password, can help organizations create better passwords and happier users.
3. Implement breached password protection
If your organization still decides to remove password expiry, it’s imperative to remember the second piece of the NIST recommendation, unless evidence of authenticator compromise. NIST still recommends forcing a change if the password is found on known breached lists so using a breached password check service is a critical part of compliance whether you are getting rid of expiry or not. To find that a password has become breached or that a user is attempting to use a password that is breached, organizations must implement breached password protection.
Enabling breached password protection on accounts helps protect against the large databases of passwords that hackers are using in password spraying attacks and other dictionary-based attacks.
4. Use password dictionary checks
In a similar way to the breached password protection that should be used with password policies, password dictionary checks provide a way to check passwords against very commonly used passwords that may satisfy complexity requirements, but that are extremely weak.
Password dictionary checks also allow organizations to create their own customized dictionaries to prevent users from forming passwords that contain the business name or other easy to guess characteristics.
5. Use account lockout policies
NIST and other cybersecurity authorities still recommend using a means to limit the number of failed authentication attempts with a specific user account:
“Verifiers SHALL implement a rate-limiting mechanism that effectively limits the number of failed authentication attempts that can be made on the subscriber’s account as described in Section 5.2.2.”
Implementing best practice password policies and auditing
Using native Active Directory Password Policy capabilities, businesses lack the built-in tools needed to implement recommended password policy best practices such as breached password protection. So how can companies easily implement these types of features and audit their password policies against industry-standard password policy recommendations?
Organizations can achieve both capabilities by using a free read-only tool in their environment. In addition, Specops Password Policy, the paid option, provides a robust way for organizations to extend the built-in features provided with native Active Directory Password Policy with the following:
- Custom dictionary lists to disallow words or word variations common to your organization
- Prevent the use of breached passwords with Breached Password Protection
- Find and remove leaked passwords
- Customizable and informative end-user client messaging at failed password change, provided in real time
- Length-based password aging with customizable email notifications
- Block usernames, display names, specific words, consecutive characters, incremental passwords, and reusing a part of the current password
- Granular, GPO-driven targeting for any GPO level, computer, user, or group population
- Passphrase support
- Supports over 25 different languages, including English, French, German, Spanish, Russian, and Chinese
- Use Regular Expressions to customize requirements further
Specops Password Auditor easily allows IT admins to audit existing password policies against the leading industry-standard password policies and see how their password policies measure up. Also, it enables the creation of professional executive reports that can be handed over to auditors, business stakeholders, or other business leaders.
As shown, Specops Password Auditor provides detailed reports that analyze configured password policies against industry-standard recommendations.
Analyzing ADDS password policies with Specops Password Auditor
The Executive Summary report provided by Specops Password Auditor generates a professional, detailed report that can be handed over to auditors and business leaders alike.
Creating an Executive Summary report with Specops Password Auditor
Recommended password policies have evolved over the past few years, with industry best practice standards evolving to meet the current cybersecurity threat landscape. Therefore, businesses need to evaluate their current password policies and see how these compare to the current best practice recommendations.
Both Specops Password Policy and Specops Password Auditor help businesses implement strong, modern, and relevant password policies, including breached password protection, along with robust auditing of the environment. In addition, these tools help provide the solutions needed to implement and audit environments for security issues related to passwords or password policy configurations.
Test it out for yourself by running a read-only audit from Specops Password Auditor, free.
Contributed by cybersecurity expert Brandon Lee. Brandon has been in the industry 20+ years, is a prolific blogger focusing on networking, virtualization, storage, security & cloud, and contributes to the community through various blog posts and technical documentation primarily at Virtualizationhowto.com.