Organizations today must give attention to their cybersecurity posture, including policies, procedures, and technical solutions for cybersecurity challenges. One key factor is the password policy. This post discusses problems with end-user password change requests and provides insight on best practices for defining an effective password policy.
The crux of the problem with end-user password change requests is that some are not done with technical accuracy, and this leads organizations to invalidate passwords in AD (Active Directory) or lose trust in a user account if a password reset token expires. In this post, we will address the key issues with end-user password change requests and provide best practices for defining an effective password policy.
End-User Password Change Requests: Misunderstandings and Pitfalls
There are two main reasons organizations struggle to understand why end-users need to change their passwords. Organizations often assume that if users do not change their passwords, then they have poor cybersecurity hygiene and are at risk for attacks. An example of this is when an end-user receives multiple passwords reset emails from IT, which can easily be misinterpreted as phishing attempts.
The second issue is that many organizations also misunderstand how passwords are used to authenticate to their environment. A common misbelief is that if a user has Active Directory (AD) enabled two-factor authentication (2FA), then the password only needs to be used once. An example of this is when an end-user receives an AD password reset email, yet they can still log in with their username and password without 2FA. This can lead to many false assumptions, such as believing that users do not need to change their AD passwords. Organizations should understand that passwords are used for more than just two-factor authentication. The password can be used to authenticate to an organization’s system for a number of reasons, which includes but is not limited to:
Authentication or authorization into an organization’s network (AD) and/or systems (MySQL, SharePoint, CRM, etc.)
Provisioning or revoking of Active Directory permissions
Setting up new computers into AD. Also known as “joining the domain”. This requires going through the user account setup wizard in AD. Also known as “how do I log onto this computer” questions such as “What account name should be used?”.
In addition, organizations should not rely too much on password policy settings when attempting to define credentials for end-users. The following post details why the official documentation from Microsoft regarding best practices for password policy settings are invalid.
Best Practices for Password Policy Settings
Microsoft has a number of recommendations and best practices for password settings in order to meet the needs of their customers. Many organizations unfortunately rely on these recommendations when trying to define AD passwords. However, most of these recommendations are outdated and/or invalid, which we discuss further down this post. The reason we highlight this is because many organizations fail to realize that these best practices are faulty and have no effect in real-world scenarios.
The official documentation from Microsoft regarding password properties is not valid, which we discuss further in the post. The recommendations below are based on the following statements:
“Any password that meets the specified complexity requirements must be permitted.”
“A password cannot be changed more than once every 15 days.”
The former rule has no effect in real-world scenarios, and the latter rule does not apply to passwords that are renewed or changed through AD. We provide more detail on this later in this post. This also applies to using the “minimum length restriction” when setting standard passwords, as well as resetting them through AD. As a result, these settings are not valid for real-world scenarios.
Microsoft recommends a password complexity policy that states the following: “Any password that meets the specified complexity requirements must be permitted”. The following settings are valid in this policy:
Minimum length of 8 characters. This is enforced by AD.
Minimum of one (1) alphanumeric character, such as a number or a symbol. This is enforced by AD and applications that enforce password properties per each account, such as SharePoint and SQL server.
No more than 2 consecutive characters are the same. This is enforced by AD and applications that enforce password properties per each account, such as SharePoint and SQL server.
Microsoft considers these settings to be valid for their customers, assuming they have no malicious intentions with their AD passwords. However, most organizations today do not know how passwords are used within their environments and have poor cybersecurity hygiene with their passwords. As a result, this recommendation is not valid for real-world scenarios.
Interested in reading more about password security? Critical Password Security Rules 2021 discusses critical rules for password security.
If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access Control, Fire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at email@example.com.