Your Password Best Practices Are Outdated

Mar 27, 2019

Technology is always evolving — but so are cybercriminals. It shouldn’t come as a surprise to learn that password best practices have changed and evolved. But surprisingly, it’s not just because cybercriminals are getting more sophisticated. It’s also because human behavior has proved that some of those password best practices are ineffective. Unfortunately, all it takes is one weak password for cybercriminals to gain access to your business’s data.

Microsoft’s updated password best practices distil the National Institute of Standards and Technology (NIST) guidance[1] down to seven basic steps:

  1. Maintain an 8-character minimum length requirement (and longer is not necessarily better).
  2. Eliminate character-composition requirements.
  3. Eliminate mandatory periodic password resets for user accounts.
  4. Ban common passwords to keep the most vulnerable passwords out of your system.
  5. Educate your users not to re-use their password for non-work-related purposes.
  6. Enforce registration for multi-factor authentication.
  7. Enable risk-based, multi-factor authentication challenges.[2]

Why? Because people are predictable, cybercriminals know they are predictable, and so they automate gathering the lowest-hanging fruit. Because the people who build computers have blind spots when it comes to security. Because these recommendations eliminate the easiest methods of compromise. And because risky situations (e.g., signing in from a new IP address or device) should be met with greater scrutiny. Ultimately, password managers like 1Password, KeePass and LastPass are your friend.

What it comes down to is this: if passwords have complexity requirements, people typically start the password with a capital letter and end it with a number or punctuation symbol, which actually makes it weaker and easier to guess because of that predictability. If passwords must be changed periodically, say once a quarter, people again become far more predictable and choose things that are easier to remember — which again makes passwords weaker and more easily guessed.

How to Implement Banning Common Passwords

Microsoft’s Azure AD Password Protection helps you eradicate weak passwords from your environment. It prevents your employees from using any password included on a list of the 500 most commonly used passwords (plus over a million variations of those passwords).

By default, all Azure AD password sets and resets use Azure AD Password Protection. To customize the list of banned password strings, and to configure Azure AD Password Protection for Windows Server Active Directory, open Azure Active Directory in the portal, then Security, then Authentication Methods.

You can then customize your settings, including entering your own banned password strings. You should also set your smart lockout threshold: the number of failed password attempts a user is allowed before being locked out, plus how long the lockout lasts. Then enable password protection for Windows Server Active Directory in order to extend the banned-password protection to your on-premises domain. Once you have finalized your banned passwords, switch from Audit mode to Enforced to put the policy into effect.
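The following is an added example (not Microsoft's, Wipfli's or any product's code) showing what the policy above looks like when enforced in code: an 8-character minimum, no composition requirement, and a banned-list lookup that normalizes the predictable tweaks described earlier (leading capital, trailing digits or punctuation, leet substitutions) so that variations of a common password are caught too. The word list and substitution table are constructed for illustration; Azure AD's real matching algorithm is not public and differs from this.

```python
"""Banned-password check in the spirit of the seven steps above.
Added example for illustration; not the algorithm of any real product."""
import re

# Constructed sample of a "common passwords" list. A real deployment would
# load the full list (e.g. a top-500 list) from a file instead.
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "football",
                    "summer", "winter", "company", "12345678"}

# Assumed leet-speak substitutions (illustrative, not an official table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

MIN_LENGTH = 8  # the only length rule; longer is allowed but not required


def normalize(password: str) -> str:
    """Reduce a password to the base word a human probably started from:
    lowercase it, drop a trailing run of digits/punctuation (the classic
    "Summer2019!" suffix), then undo leet substitutions ("P@ssw0rd")."""
    lowered = password.lower()
    # Keep the original if stripping would leave nothing (e.g. "12345678").
    stripped = re.sub(r"[\d\W_]+$", "", lowered) or lowered
    return stripped.translate(LEET)


def check_password(password: str, banned=COMMON_PASSWORDS) -> tuple:
    """Return (accepted, reason). Only the minimum length and the banned
    list are enforced; deliberately no upper/lower/digit/symbol rule."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    base = normalize(password)
    # Exact hit on either the raw lowercase form or the normalized form.
    for candidate in (password.lower(), base):
        if candidate in banned:
            return False, f"variation of banned password '{candidate}'"
    # Partial hit: a banned word embedded in the password ("mypassword").
    for word in banned:
        if len(word) >= 6 and word in base:
            return False, f"contains banned word '{word}'"
    return True, "ok"
```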

Blacklisting Passwords on Your Local Active Directory Domain

A solution that might fit your needs best is OpenPasswordFilter (OPF), an open-source custom password filter that rejects common passwords. It consists of a custom password filter DLL and OPFService, a local user-space service in which you maintain your dictionary of common passwords. It is not a commercial option, but it gives you far more transparency into your password filtering and ultimately more control over your security.

Here are two good resources for installing OpenPasswordFilter:

OpenPasswordFilter was Yelp's first choice (the business, not its user base), and you can read more about why here.

Getting Started

Security is one thing that should be taken very seriously at every organization. The average cost of a data breach globally is $3.86 million.[3] Can your business afford not to take action?

If you’d like to learn more about password protection, cybersecurity and information security, as well as what your business can do to protect itself, contact Wipfli.


[1] “Digital Identity Guidelines,” NIST, June 2017, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf, accessed 2019.

[2] Hicock, Robyn, “Microsoft Password Guidance,” Microsoft, May 2016, https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf, accessed March 2019.

[3] “2018 Cost of a Data Breach Study by Ponemon,” IBM, 2018, https://www.ibm.com/security/data-breach, accessed March 2019.

Author(s)

George Pagel
Lead Cybersecurity Consultant