Top 5 Password Policy Mistakes
Almost every conversation I have with IT staff who are evaluating the nFront Password Filter covers the same ground. They have a written password policy that every employee is instructed to follow. They educate their users to make smart password choices, and they hold periodic meetings and send emails covering the importance of IT security.
They hope that a written password policy is enough, but the reports from their penetration tests show that employees are not following it. That is one of the most common password policy mistakes: assuming that all employees will follow the policy we write. A written policy is advice; a Windows-based password filter, running on the domain controllers, is what actually enforces it at the moment a password is set.
Below are some of the common password policy mistakes we encounter.
1. Assuming users follow a written password policy
While user education and ongoing communication are important, you cannot rely on every user to follow advice and guidelines. For example, you may tell users they must use all four character types (lowercase, uppercase, numeric, and special). However, Windows cannot require all four without a third-party password filter: the built-in "Password must meet complexity requirements" setting only requires characters from three of the four categories, so a password like Summer2015 satisfies it and users can simply ignore the fourth type. Beyond that, complexity rules by themselves do little to increase password strength, because people satisfy them with predictable patterns. When told to include a number, users typically add a "1" to the end of the password. When told to include a special character, over 90% of users simply append an exclamation mark, because it is the character above the 1 on a US keyboard.
2. Assuming Web-based password change mechanisms are not bypassed
Recently I was on a call with a large hospital. They explained that their users typically change their password through a web-based system that enforces dictionary checking, checking against breached passwords, and similar rules. I then asked whether users can still change their password with CTRL-ALT-DEL and Change Password on their workstations. Of course they can, and when they do, the password goes straight to the domain controller, where only the domain password policy (and any password filter installed there) applies. The web-based requirements are completely bypassed.
3. Not checking passwords for dictionary words
Most corporate password policies tell users not to use dictionary words. However, the built-in Windows domain password policy has no dictionary check at all, so it cannot enforce such a rule without a third-party password filter.
Dictionary checking should go well beyond the words found in a typical Webster's dictionary. The dictionary blacklist should be easy to customize and should include terms such as the company name, products, brands, industry vernacular, any older or default passwords assigned in the past, and the names of local restaurants, attractions, and sports teams. It should also be applied case-insensitively and as a substring match, so that Summer2015 and Acme!Rocks99 are caught, not just "summer" and "acme" on their own.
4. Not checking against breached passwords
Checking against breached passwords is a fantastic idea. Why would you allow employees to use a password that has already been cracked or leaked on the Internet? Attackers routinely run "password spray" attacks, trying a small number of common or previously breached passwords against many of your usernames, both on-premises and against your cloud services. While some web-based systems can check against breached passwords, Windows itself cannot do so when users perform a native password change with CTRL-ALT-DEL, unless a third-party password filter is installed on the domain controllers.
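To make mistakes 1, 3 and 4 concrete, here is an added worked example (written for this article; it is not code from nFront, Microsoft or the original post). It implements the documented Windows complexity rule (minimum six characters, three of four character classes, no samAccountName or three-plus-character display-name token) next to a stricter filter that also requires all four classes, a longer minimum length, a customizable blacklist with common character substitutions undone, and a breached-password check. The blacklist entries (acme, widgetpro, titans), the 12-character minimum, the substitution table, the breached-hash set and the sample account jsmith / Jane Smith are all constructed assumptions for the example; a real deployment would use its own word list and a local copy of a breached-password corpus or a k-anonymity range lookup.

```python
"""Added example: the built-in Windows complexity rule next to a stricter filter.

Illustrative code for this article, not the nFront Password Filter or any
Microsoft code. The Windows rule follows the documented "Password must meet
complexity requirements" setting; the strict policy, word list, substitution
table and breached-hash set are constructed assumptions.
"""
import hashlib
import re

# Characters Windows counts as the "non-alphanumeric" category.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")


def char_classes(password: str) -> int:
    """Number of the four classes (upper, lower, digit, special) present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])


def windows_complexity_ok(password: str, sam_account_name: str, display_name: str) -> bool:
    """Approximates the built-in domain complexity rule: at least 6 characters,
    characters from 3 of the 4 classes, no samAccountName, and no display-name
    token of 3+ characters (tokens split on , . - _ # space and tab).
    Windows also counts other Unicode letters as a fifth class; omitted here."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if sam_account_name and sam_account_name.lower() in lowered:
        return False
    for token in re.split(r"[,.\-_# \t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    return char_classes(password) >= 3


# Constructed blacklist: generic words plus organisation-specific terms of the
# kind the article recommends (company, product, local team), all lower case.
BLACKLIST = {"password", "welcome", "summer", "winter", "spring", "autumn",
             "acme", "widgetpro", "titans"}

# Undo the substitutions users reach for first, so "P@ssw0rd" matches "password".
LEET = str.maketrans("@$0134", "asolea")

# Stand-in for a breached-password corpus, stored as upper-case hex SHA-1 (the
# format used by Have I Been Pwned's Pwned Passwords list). Constructed here;
# a real filter would use a local copy or the k-anonymity range API.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("Password123", "Summer2015", "Welcome1!")}


def strict_policy_violations(password: str, sam_account_name: str,
                             display_name: str, min_length: int = 12) -> list:
    """Returns the reasons a password fails the stricter policy
    (an empty list means it is accepted). The Windows baseline is kept too."""
    reasons = []
    if not windows_complexity_ok(password, sam_account_name, display_name):
        reasons.append("fails the Windows complexity baseline")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if char_classes(password) < 4:
        reasons.append("does not use all four character classes")
    normalized = password.lower().translate(LEET)
    hits = sorted(w for w in BLACKLIST if w in normalized)
    if hits:
        reasons.append("contains blacklisted term(s): " + ", ".join(hits))
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in BREACHED_SHA1:
        reasons.append("appears in the breached-password corpus")
    return reasons


if __name__ == "__main__":
    for pw in ("Summer2015", "P@ssw0rd!", "Acme!Rocks99", "Correct-Horse-Battery-42"):
        print(pw, windows_complexity_ok(pw, "jsmith", "Jane Smith"),
              strict_policy_violations(pw, "jsmith", "Jane Smith"))
```

Run as a script, Summer2015 passes the Windows baseline but fails the strict policy on four counts (length, missing class, the word "summer", and presence in the breached set), P@ssw0rd! passes the baseline with all four classes yet is still rejected once the substitutions are undone, and Acme!Rocks99 is rejected only because the company name is on the custom blacklist. That last case is the point of item 3: the generic dictionary would never have caught it.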
5. Not realizing weak internal passwords = weak cloud passwords
If your network allows weak and easily guessed passwords on internal systems, there is a high probability that your users are reusing those exact passwords for cloud service accounts such as CRMs, point-of-sale systems, and e-signature services.
Here is an example from 2015. We were contacted by a title company about our software. A real estate agent had used the password "Summer2015" for her laptop. Since the company policy allowed it, she used the same password for DocuSign. An attacker got into her laptop and tried the same password against various online accounts. Once they saw it worked for DocuSign, they swapped out some documents there and had an $80,000 wire transfer sent to their own bank account. That is a very, very expensive password.
The built-in Windows Active Directory password policy has oversimplified controls and allows far too many weak password choices, so you need more robust password policy controls enforced where the change actually happens, on the domain controller. Passwords may seem boring, but they are one of the first lines of defense against malware, phishing, and ransomware. Expensive firewalls and monitoring tools are of little use if you are still allowing passwords like Password123 and CompanyName2024.