Password Policy Best Practices
Keep your passwords strong
- Use a minimum of 10 characters, including numbers, both uppercase and lowercase letters, and special characters.
- Even better, use a passphrase of at least 15 characters that mixes letters and numbers.
Avoid common password weaknesses
- Easy-to-guess passwords, especially "password"
- Your name, your spouse's or partner's name, or other names
- A string of numbers or letters like "1234" or "abcd", or simple patterns of adjacent keys on the keyboard, like "asdfg"
- Your phone number or your license plate number, anybody’s birth date, or other information easily obtained about you (e.g., your address, town or alma mater)
- Passwords of all the same letter
- Words that can be found in the dictionary
- Default passwords, even if they seem strong
- Any of the above followed or preceded by a single digit
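The strength rules and the weakness list above can be turned into a simple checker. The following is an added example, not code from the original page or from Netwrix; the dictionary and the personal-information set are small constructed samples (a real deployment would load a full wordlist and the user's directory attributes).

```python
import string

# Constructed sample wordlist; a real check would load a full dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "letmein"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_sequence(s: str) -> bool:
    """True for runs of consecutive characters such as 'abcd' or '1234' (or reversed)."""
    if len(s) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def is_keyboard_pattern(s: str) -> bool:
    """True if s is a stretch of adjacent keys on one keyboard row, e.g. 'asdfg'."""
    s = s.lower()
    return len(s) >= 3 and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def weaknesses(pw: str, personal: frozenset = frozenset()) -> list:
    """Return the rules from the page that pw violates; an empty list means acceptable.

    `personal` is a constructed, lower-cased set of names, dates, plates, etc. for the user."""
    problems = []
    # "Any of the above followed or preceded by a single digit": strip one
    # leading or trailing digit before applying the pattern checks.
    core = pw
    if len(pw) > 1 and pw[-1].isdigit() and not pw[-2].isdigit():
        core = pw[:-1]
    elif len(pw) > 1 and pw[0].isdigit() and not pw[1].isdigit():
        core = pw[1:]
    low = core.lower()
    if low in DICTIONARY:
        problems.append("dictionary word")
    if low in personal:
        problems.append("personal information")
    if len(set(low)) == 1:
        problems.append("all the same character")
    if is_sequence(low):
        problems.append("sequential characters")
    if is_keyboard_pattern(low):
        problems.append("keyboard pattern")
    # Strength: 10+ characters with all four classes, or a 15+ character
    # passphrase containing both letters and digits.
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    strong_password = len(pw) >= 10 and all(classes)
    passphrase = (len(pw) >= 15 and any(c.isalpha() for c in pw)
                  and any(c.isdigit() for c in pw))
    if not (strong_password or passphrase):
        problems.append("too short or missing character classes")
    return problems
```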
Protect your password
- It is vital to remember your password without writing it down anywhere, so choose a strong password or passphrase that you can easily recall. If you have many passwords, a password manager can hold them, but you must choose a strong master password and remember it.
- Be aware of how passwords travel across the Internet. URLs (web addresses) that begin with "https://" rather than "http://" encrypt the connection and are more likely to protect your password in transit.
- If you suspect that someone else may know your current password, change it immediately.
- Change your password periodically (every 90 days for a strong password, every 180 days for a passphrase), even if it hasn't been compromised.
- Don't type your password while anyone is watching.
- Avoid using the same password for multiple websites containing sensitive information.
Follow password policy best practices for system administrators
- Configure a minimum password length of at least 10 characters for passwords or 15 for passphrases.
- Enforce password history, with at least 10 previous passwords remembered.
- Set a minimum password age of 3 days.
- Set a maximum password age of 90 days for passwords and 180 days for passphrases.
- Enable the setting that requires passwords to meet complexity requirements. This setting can be disabled for passphrases, but that is not recommended.
- Reset local admin passwords every 180 days. This can be done with the free Netwrix Bulk Password Reset tool.
- Reset service account passwords once a year during maintenance.
- For domain admin accounts, use strong passphrases with a minimum of 15 characters.
- Track all password changes by enabling password audit policies. This can be done with Netwrix Auditor for Active Directory.
- Create email notifications for password expiration. This can be done with the free Netwrix Password Expiration Notifier tool.
Active Directory Password Policy GPO Overview
The most common way to authenticate user identities in operating systems and databases is to use a password or passphrase. A secure computer network environment requires all domain users to use strong passwords. The Microsoft Active Directory Password Policy feature enables organizations to enforce the use of strong passwords through appropriate password and account lockout policies. You can even define different policies for different sets of users in a domain. You can enforce the use of strong passwords through an appropriate password policy GPO on your Windows Server. Various domain password policy settings control password complexity and lifetime requirements, such as the "Passwords must meet complexity requirements" policy setting.
Active Directory Password Policy Settings Audit
Planning is critical to the password auditing process. Administrators must be selective about which objects to audit because auditing creates system overhead; auditing too many objects in AD will cause the security log to grow large and overwrite itself, reducing your audit capabilities. In addition, rather than editing the default domain policy, create one or more new policies and link them to the specific organizational units (OUs) that you need to audit. For additional important tips on password policy GPO auditing, see our Active Directory Group Policy Auditing Quick Reference Guide.

Events related to Windows Server password policy are recorded in the security event log on your domain controllers. By reviewing these logs with Windows Event Viewer, IT administrators can determine who made changes to password policy settings in a Windows Server domain, and when and where (on which domain controller) each change happened. However, native auditing tools do not show critical details, such as the name of the Group Policy password policy that was changed and the type of action that was performed. To manage domain policy faster and more easily, you need additional software that provides more insight into password policy modifications, such as Netwrix Auditor for Active Directory.