Password Policy Best Practices for Strong Security in AD
A strong password policy is any organization’s first line of defense to secure your important data and systems against intruders. This document details best practices and other recommendations for strong password security.
Setting password policies in an Active Directory environment
In a Microsoft Active Directory environment, you can use Group Policy to enforce and control password requirements such as complexity, length and lifetime. The default domain password policy is located in the following Group Policy object (GPO):
Computer configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy
Starting from Windows Server 2008 domain functional level, you can define fine-grained policies for different organizational units using the Active Directory Administrative Center (DSAC) or PowerShell.
NIST password guidelines
The National Institute of Standards and Technology (NIST) offers Digital Identity Guidelines for a sound password policy, including the following:
Password complexity best practices
Many organizations require passwords to include a variety of symbols, such as at least one number, both uppercase and lowercase letters, and one or more special characters. However, such rules make passwords much harder for users to remember and type, which can lead to poor security practices like writing passwords down and to increased helpdesk calls for password resets.
Accordingly, NIST no longer recommends stringent password complexity and instead focuses on password length. Something to keep in mind, however, is that giving users a password manager enables a business to keep its complexity requirements without hurting security or productivity.
Best practices for password length
Password length is one of the most important factors in password strength. Indeed, a long coherent phrase is actually better than a short password that uses many types of characters, since short passwords can be guessed or cracked much faster. Additionally, long passphrases are easier to remember than short strings of gibberish, reducing the risk of users writing them down or suffering account lockouts.
Password expiration best practices
Previous NIST password change policy best practices recommended forcing users to change their passwords every 90 days (180 days for passphrases). However, NIST no longer recommends this policy because requiring users to change their passwords all the time can lead them to pick weak passwords or write their passwords down, which hurts your information security posture.
Instead, NIST recommends requiring user to create new passwords only in cases of suspected unauthorized access or breaches that result in personal credentials being published on the dark web, where they can be used in future cyberattacks.
NIST does not explicitly recommend the use of password managers but acknowledges their benefits. Using a password manager to create, store and enter credentials makes it easier to enforce strong password management policies, since people do not need to even know their passwords.
Supplementing passwords with MFA
Implementing multifactor authentication (MFA) improves security by making stolen or cracked passwords far less useful to adversaries. However, keep in mind that NIST recommends implementing MFA only when the company can use Google Authenticator or another authentication process that doesn't involve SMS.
Passwords especially susceptible to brute-force attacks
It’s wise to use discourage or prohibit the following passwords:
- Easy-to-guess passwords, especially the string "password"
- A series of numbers or letters in order, like “1234” or “abcd”
- A string of characters in the order in which they appear on the keyboard, like “@#$%^&”
- The same character typed multiple times, like “zzzzzz”
- A user’s given name, the name of a partner or child, or other names
- Other information easily obtained about a user, such as their address, phone number, license plate number, alma mater or family member’s birth date
- Words that can be found in a dictionary
- Default or suggested passwords, even if they seem strong
- Usernames or host names
- Any of the above followed or preceded by a single digit
- A new password that simply increments a number or character at the beginning or end of the previous password
Password requirements best practices
Administrators should be sure to:
- Configure a minimum password length.
- Enforce a password history policy with at least 10 previous passwords remembered.
- Set a minimum password age of 3 days.
- Require passwords to meet complexity requirements. This setting can be disabled for passphrases, but it is not recommended.
- Reset local admin passwords every 180 days. This can be done with the free Netwrix Bulk Password Reset tool.
- Reset service account passwords once a year during maintenance.
- For Domain Admin accounts, use strong passphrases with a minimum of 15 characters.
- Track all password changes using a solution such as Netwrix Auditor for Active Directory.
- Create email notifications for password expiration. This can be done with the free Netwrix Password Expiration Notifier tool.
- Instead of editing the default settings in the domain policy, create granular password policies and link them to specific organizational units.
Additional password and authentication best practices
- Enterprise applications must support authentication of individual user accounts, not groups.
- Enterprise applications must protect stored and transferred passwords with encryption to help keep hackers from cracking them.
- Users (and applications) must not store passwords in clear text or in any easily reversible form, and must not transmit passwords in clear text over the network.
- Use MFA judiciously to mitigate the security risks of stolen and mishandled passwords.
- When employees leave the organization, change the passwords for their accounts even if you disable the accounts.
- Reduce user frustration and helpdesk workload by helping users choose new passwords that meet requirements, proactively reminding them of impending password expiration, and allowing them to change their password in a web browser.
In addition, be sure to educate your users about the following:
- It is vital to remember your password without writing it down somewhere, so choose a strong password or passphrase that you will easily remember. If you use a password management tool, choose a strong master key and remember it.
- Be aware of how passwords are sent across the internet. URLs (web addresses) that begin with “https://” rather than “http://” are more likely to be secure for use of your password.
- If you suspect that someone else may know your current password, change it immediately.
- Don’t type your password while anyone is watching.
- Do not use the same password for multiple websites containing sensitive information.
How Netwrix can help
Enforce strong password policies
Ensuring that user credentials meet high standards and are managed safely is foundational to enterprise security and therefore a core requirement of many compliance mandates. Netwrix Password Secure empowers you to securely manage passwords, replace weak ones with strong alternatives, enforce appropriate password policies for different teams, manage privileged access and audit password usage. Moreover, it synchronizes passwords across platforms and devices so users can access them securely from anywhere, even offline, and log in simply by clicking the browser extension, enabling them to easily comply with strong password policies instead of looking for workarounds. As a result, you can strengthen security and compliance while enhancing productivity.
In complex environments, it is recommended to enforce granular password policies for both regular and privileged users so that IT administrators can quickly respond to new requirements and minimize the risks of compromises due to weak or stolen passwords. Netwrix Password Policy Enforcer empowers admins to easily enforce strong password policies and significantly reduces the policy management workload on tech staff.
Audit activity related to password policy
Regular auditing of events can help you ensure your password policies are protecting your systems against attacks. Events related to Windows Server password policy are recorded in the Security Event Log on the default domain controller. By reviewing these logs, system administrators can determine who made changes to password policy settings, and when and where (on what domain controller) each change happened. For additional important tips on auditing password policy GPOs, see the Active Directory Group Policy Auditing Quick Reference Guide.
However, native auditing tools won’t show you the most critical details, such as the name of the Group Policy object in which password policy was changed and the type of action that was performed. Moreover, it’s nearly impossible to understand which policies apply to which groups and identify discrepancies. For effective password policy management, you need software that provides more insight into password policy modifications, such as Netwrix Auditor for Active Directory.