Presets Aren’t Enough
Let’s keep things real: passwords aren’t going anywhere. And with continued—and increasing—ransomware attacks and data breaches popping up everywhere, an organization’s password policies are crucial to its digital security stance.
According to the 2022 Verizon DBIR, a majority of attacks originate from a single entry point: compromised credentials. Since so many organizations use Active Directory (AD) as their access platform, attention must be focused on the password policies that are preset within it, and what can be changed for additional security.
To defend against many types of attacks (brute force, credential stuffing, and password spraying among them), AD password policies need to be bolstered.
Generally speaking, password policies define different rules for password creation, such as minimum length, requirements for complexity, and reset duration (how long a password can be in use until it needs to be changed). Within AD, there are default values to these settings and more.
Some of the default settings will be familiar. Things like a minimum password length (the default within AD is 7 characters) can help prevent hackers from guessing short passwords, but AD often has a maximum password length as well. For complexity requirements, the default is ‘enabled’ which means that users must include a mix of upper and lowercase letters, numeric characters, special characters, and not be the same as the account name.
Unfortunately, some aspects of these password policies have backfired. Having a password that is “too complex” in its requirements means that users are likely to forget their passwords, or use a root password for one account, and then make tiny changes to it repeatedly so that it still satisfies requirements.
In the same vein, AD default periodic password resets have also backfired—studies have shown that forced resets lead to additional weak and reused passwords, as well as user friction. These old standards continue to lead to human error and encourage bad habits like password reuse and password sharing, cross-industry. And these habits are not likely to change overnight.
NIST Password Guidelines
Over the years, the National Institute of Standards (NIST) has provided updated guidelines for password policies. In the most recent edition, Special Publication 800-63B provides standards including:
- Allowing users to create passwords up to 64 characters long.
- Allow users to use any ASCII/Unicode characters in their passwords.
- Disallow passwords with sequential or repeated characters.
- Getting rid of periodic password resets.
- Scanning for compromised credentials.
The last addition, scanning for compromised credentials, very well may be the most efficient way to bolster password security within Active Directory. Bad habits from users are unavoidable and people will likely continue to find ways to reuse passwords that are already compromised. Preventing compromised passwords from entering your system is the top-down approach that gives your organization the ability to properly tighten up defenses.
Scanning for compromised credentials on an ongoing basis allows organizations to remove good passwords that become unsafe. This is essential to help prevent unauthorized access to their networks. Enzoic is purpose-built for AD to minimize any user friction, and offers remediation strategies that administrators can easily customize.