First and foremost, I would like to point out that a password policy is only as good as the settings that you select. For example, you could pay a company millions of dollars for the most secure password policy in the world, but if you do not enable the settings that actually make a password secure, the policy is pointless. Furthermore, if you are comfortable with your users having the following password requirements, then the default Windows Password Policy is for you:
- Minimum of six characters long
- Contain at least three of the following four character types: uppercase letters, lowercase letters, numbers, and special characters
- Does not contain the user’s name
With the previous password policy, these passwords would be allowed:
Do any of these seem like secure passwords? No. But they are allowed under the Windows Password Policy. The basic password policy in Windows dates from the first release of Windows NT in 1993, and Windows 2000 added a “password complexity” rule. I think we can all agree that this does not sound like an up-to-date password policy.
According to the 2015 Trustwave Global Security Report, 77% of passwords hacked were in compliance with Windows Active Directory password policy. This should be enough of a reason for you to enforce a more secure password policy for your company. Here are the minimum recommendations that we suggest:
- Minimum of 15 characters long
- Require all 4 character sets
- Require a password change every 90 days
- Enforce a password history of the past 12 passwords
- Enforce a minimum password age of 1 week
- Enforce a dictionary check for each password
Here are some insights on why I suggested the above bullet points:
- Passwords that are 15 characters or longer are the most secure to use because of how the password hashes are stored on a Windows network.
- When you require all 4 character sets, you prevent a user from selecting an easy password, since they must use uppercase and lowercase letters, numbers, and special characters. Requiring all 4 also increases the password’s entropy.
- Although there are many articles recently mentioning that users should only change their password once a year, we do not agree. Updating your password ensures that a hacker will never have enough time to crack your complex password.
- Enforcing a password history of 12 and a minimum password age of 1 week work hand in hand. Remembering the last 12 passwords helps ensure a user will not select the exact same password again. Enforcing a minimum password age of 1 week helps ensure that a user cannot sit at their computer and cycle through 12 password changes in 5 minutes to get back to their original password.
- Enforcing a dictionary check for each password prevents easy words like “password”, “summer”, and other common words from being used as a password. It is also a good idea to customize the dictionary check to include your company’s name, industry-specific terms, and local sports teams. Read how to create a hack-proof dictionary here.
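As an added example, not code from this post or from nFront Password Filter, here is a Python checker that encodes both the default Windows rule described at the top of the post and the stricter recommended policy, so the two can be compared on the same candidate passwords. The word list, the leetspeak normalisation, the `jsmith` username and the sample passwords are constructed assumptions.

```python
# Constructed word list standing in for the customised dictionary the post describes
# (common words plus company name, industry terms and local sports teams).
DICTIONARY = {"password", "summer", "winter", "welcome", "acme", "widgets", "falcons"}

# Hypothetical leetspeak normalisation so "P@ssw0rd" is still caught as "password".
LEET = str.maketrans("0134@$!", "oleaasi")


def char_sets(pw):
    """Count how many of the four character classes (upper, lower, digit, special) pw uses."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])

def contains_username(pw, username):
    """Case-insensitive check that the account name does not appear inside the password."""
    return bool(username) and username.lower() in pw.lower()

def contains_dictionary_word(pw, dictionary=DICTIONARY):
    """Reject if any listed word appears inside the password, before or after leet normalisation."""
    lowered = pw.lower()
    normalised = lowered.translate(LEET)
    return any(word in lowered or word in normalised for word in dictionary)

def windows_default_ok(pw, username):
    """The built-in rule as the post describes it: 6+ characters, 3 of 4 sets, no username."""
    return len(pw) >= 6 and char_sets(pw) >= 3 and not contains_username(pw, username)

def recommended_ok(pw, username, dictionary=DICTIONARY):
    """The post's recommended rule: 15+ characters, all 4 sets, no username, dictionary check."""
    return (len(pw) >= 15 and char_sets(pw) == 4
            and not contains_username(pw, username)
            and not contains_dictionary_word(pw, dictionary))

def compare(candidates, username="jsmith"):
    """Return {password: (passes_default, passes_recommended)} for constructed sample passwords."""
    return {pw: (windows_default_ok(pw, username), recommended_ok(pw, username)) for pw in candidates}


if __name__ == "__main__":
    samples = ["P@ssw0rd", "Summer2015!", "Jsmith-Rocks-2024!!", "Correct-Horse-Battery-Staple-42"]
    for pw, (default, strict) in compare(samples).items():
        print(f"{pw:35} default={default!s:5} recommended={strict}")
```

Note that the default rule accepts `P@ssw0rd` and `Summer2015!` while the recommended rule rejects both, one for length and both for the dictionary hit.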
Microsoft's built-in password complexity rule does not let a company enforce settings as strict as the ones we recommend. Our recommendations are here to guide you toward a more secure policy that will decrease your risk of becoming the victim of a data breach. All of the recommendations I suggested can be fully implemented with the nFront Password Filter software.