You’re the security experts – it’s time to go passwordless!
Get onboard with best practices by throwing away enforced password resets, among other things.
With cybersecurity, as with all technology, the only constant is change. So, if you haven’t reviewed your password policies for a while, now is an ideal time, as both National Institute of Standards and Technology (NIST) and Microsoft have some best practice recommendations that might surprise you.
A mainstay of corporate password policy has been regular enforced password changes. For years, users have inundated service desks with calls regarding forgotten passwords. Meanwhile, other users have grown accustomed to simply incrementing the number at the end of their password to ensure they are not the next caller.
Well, it turns out that hackers are pretty good at seeing these patterns. So, if they get ahold of a password ‘mysuperpassword11’ and it doesn’t work on the first attempt, they might try ‘mysuperpassword12’ and be successful. Based on research, both NIST and Microsoft consequently have been recommending not using periodic password resets for a number of years and to use them only when there is evidence of a compromise. With Microsoft Azure Active Directory, this functionality and the ability to block bad passwords are built-in. This functionality can extend to on-premises Active Directory using Azure AD Password Protection for Active Directory Domain Services.
According to Microsoft, the primary goal of a more secure password system is password diversity. You want your password policy to contain lots of different and hard-to-guess passwords. The following are recommendations for keeping your organisation as secure as possible.
- Maintain an eight-character minimum length requirement.
- Don’t require character composition requirements – for example, *&(^%$.
- Don’t require mandatory periodic password resets for user accounts.
- Ban common passwords, to keep the most vulnerable passwords out of your system.
- Educate your users to not reuse their organisation passwords for non-work-related * purposes.
- Enforce registration for multifactor authentication (MFA).
- Enable risk-based MFA challenges.
If you’re using Microsoft Office 365, then it’s pretty easy to enable MFA, which we think is one of the biggest improvements you can make to your password hygiene.
Due to the inherent issues with passwords, Microsoft is further recommending that companies move to passwordless authentication. This allows users to prove who they are without using passwords. Examples include Windows Hello, which uses biometrics; a physical FIDO key; or the Microsoft Authenticator app. The result means greater convenience for your end users and improved security. This is available today – now! – for companies using Azure AD. If you need help, reach out to Tikabu today and we will get you sorted.
For further reading, check out: