For many years IT professionals have relied on password age as a security control: once a password reaches a certain age (a number of days or months), the user is forced to change it. In Active Directory, however, the built-in settings for this are quite limited.
As the number of data breaches and hacking incidents soars, best practices have changed to meet the increased risk. When you are responsible for an organization's password security, it is critical to know which practices actually keep passwords safe and attackers out.
There is considerable disagreement among security practitioners about password aging as a security mechanism. Notably, Microsoft dropped the password-expiration policies from its security baselines for Windows 10 v1903 and Windows Server v1903.
According to The Hacker News, an update to NIST's Digital Identity Guidelines – Authentication and Lifecycle Management (SP 800-63B) says, "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."
The guidelines elaborate on the reasoning: "Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets have been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier's hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time."
In Active Directory's default domain password policy, password age is controlled by just two settings: Minimum password age and Maximum password age.
When you open the Maximum password age setting, the policy editor explains how the two interact: "This security setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If the maximum password age is between 1 and 999 days, the minimum password age must be less than the maximum password age. If the maximum password age is set to 0, the minimum password age can be any value between 0 and 998 days."
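The following PowerShell is an added example, not code from the original article or from Specops. It encodes the constraints quoted above as a check on a proposed min/max pair, and then audits a set of user records for passwords that have outlived the maximum age, separating out accounts flagged PasswordNeverExpires, which are exempt from the domain setting and so escape it silently. The user records and dates are constructed sample data so the script runs offline; the commented cmdlets show how to obtain the real objects in a domain.

```powershell
# Added example (not from the original article or from Specops). In a real domain:
#   $policy = Get-ADDefaultDomainPasswordPolicy     # .MinPasswordAge / .MaxPasswordAge are TimeSpans
#   $users  = Get-ADUser -Filter * -Properties PasswordLastSet, PasswordNeverExpires, Enabled

function Test-PasswordAgeSettings {
    # Applies the rules the policy editor describes: max age is 0 (never) or 1..999 days,
    # min must be less than max when max is 1..999, and min is 0..998 when max is 0.
    param(
        [Parameter(Mandatory)][int]$MinPasswordAgeDays,
        [Parameter(Mandatory)][int]$MaxPasswordAgeDays
    )
    $problems = @()
    if ($MaxPasswordAgeDays -lt 0 -or $MaxPasswordAgeDays -gt 999) {
        $problems += 'Maximum password age must be 0 (never) or between 1 and 999 days.'
    }
    if ($MinPasswordAgeDays -lt 0 -or $MinPasswordAgeDays -gt 998) {
        $problems += 'Minimum password age must be between 0 and 998 days.'
    }
    if ($MaxPasswordAgeDays -ge 1 -and $MaxPasswordAgeDays -le 999 -and $MinPasswordAgeDays -ge $MaxPasswordAgeDays) {
        $problems += 'Minimum password age must be less than the maximum password age.'
    }
    [pscustomobject]@{ Valid = ($problems.Count -eq 0); Problems = $problems }
}

function Find-StalePasswords {
    # Lists enabled accounts whose password is older than the maximum age.
    # PasswordNeverExpires accounts are exempt from the domain setting, so they are
    # the ones that quietly outlive the policy; they are flagged separately.
    param(
        [Parameter(Mandatory)][int]$MaxPasswordAgeDays,
        [Parameter(Mandatory)][object[]]$Users,
        [datetime]$Now = (Get-Date)
    )
    if ($MaxPasswordAgeDays -eq 0) { return @() }   # 0 means passwords never expire
    $cutoff = $Now.AddDays(-$MaxPasswordAgeDays)
    foreach ($u in $Users) {
        if (-not $u.Enabled) { continue }
        # A null PasswordLastSet means "must change at next logon"; nothing to report.
        if ($null -eq $u.PasswordLastSet) { continue }
        if ($u.PasswordLastSet -lt $cutoff) {
            [pscustomobject]@{
                SamAccountName     = $u.SamAccountName
                PasswordAgeDays    = [int]($Now - $u.PasswordLastSet).TotalDays
                ExemptNeverExpires = [bool]$u.PasswordNeverExpires
            }
        }
    }
}

# Constructed sample data (not real accounts or real dates).
$now = Get-Date '2024-06-01'
$sampleUsers = @(
    [pscustomobject]@{ SamAccountName = 'alice';      Enabled = $true;  PasswordLastSet = $now.AddDays(-30);  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'bob';        Enabled = $true;  PasswordLastSet = $now.AddDays(-400); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'svc-backup'; Enabled = $true;  PasswordLastSet = $now.AddDays(-900); PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'carol';      Enabled = $false; PasswordLastSet = $now.AddDays(-500); PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'dave';       Enabled = $true;  PasswordLastSet = $null;              PasswordNeverExpires = $false }
)

Test-PasswordAgeSettings -MinPasswordAgeDays 1  -MaxPasswordAgeDays 90   # Valid = True
Test-PasswordAgeSettings -MinPasswordAgeDays 90 -MaxPasswordAgeDays 90   # Valid = False: min must be < max
Find-StalePasswords -MaxPasswordAgeDays 90 -Users $sampleUsers -Now $now | Format-Table

# Event-based reset, the case NIST says SHALL trigger a change (run in a real domain):
#   Set-ADUser -Identity bob -ChangePasswordAtLogon $true
```

With a 90-day maximum, bob and svc-backup show up as stale and exempt; carol is skipped because the account is disabled, and dave because a null PasswordLastSet already means a change is pending. The last commented line is the event-driven reset the NIST text calls for, which applies regardless of any periodic policy.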
Forcing a new password after a fixed interval seems like a solid idea, but the problem is people. It is very difficult to remember long, complex passwords or randomly generated ones, so users tend to fall back on weak, guessable passwords they can remember, or on small variations of the old one. That habit creates a security risk for the entire organization.
Specops has created software that works with Active Directory, giving IT professionals and network managers better tools for setting password policy. One recommended option is password aging based on the length or complexity of the password: weak passwords expire quickly and force a reset, while longer, stronger passwords are allowed to live much longer.
The add-on lets you define a number of expiration levels based on password quality, with the number of characters required for each level. You can add extra days to specific levels, and you can disable expiration entirely for levels you consider strong enough to remain unchanged for the time being.
You also control when the user is notified to change their password, via pop-up or email. Any change to the min/max aging settings in Active Directory cascades into Specops as well. The add-on additionally compares users' Active Directory passwords against lists of breached passwords, adding another layer of protection.
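To make the length-based scheme of the preceding three paragraphs concrete, here is an added example in PowerShell. It is a model written for this page, not Specops code, and the tier names, character counts, day counts and notification window are made-up assumptions rather than any product's defaults. It also applies the domain Maximum password age (0 meaning never) as a ceiling on every tier, mirroring the note that the AD min/max settings cascade into the add-on. The sample users and password lengths are constructed; in practice the length is only known at change time on the domain controller.

```powershell
# Added example (not from the original article or from Specops): a model of
# length-tiered password expiration. All tier values below are assumptions.

# Each tier applies to passwords of at least MinLength characters; ExpiryDays of
# $null means expiration is disabled for that tier. The longest matching tier wins.
$tiers = @(
    [pscustomobject]@{ Name = 'Passphrase'; MinLength = 20; ExpiryDays = $null; ExtraDays = 0 }
    [pscustomobject]@{ Name = 'Strong';     MinLength = 15; ExpiryDays = 365;   ExtraDays = 30 }
    [pscustomobject]@{ Name = 'Standard';   MinLength = 12; ExpiryDays = 180;   ExtraDays = 0 }
    [pscustomobject]@{ Name = 'Weak';       MinLength = 0;  ExpiryDays = 30;    ExtraDays = 0 }
)

function Get-TieredPasswordExpiry {
    param(
        [Parameter(Mandatory)][int]$PasswordLength,
        [Parameter(Mandatory)][datetime]$PasswordLastSet,
        [Parameter(Mandatory)][object[]]$Tiers,
        [int]$DomainMaxAgeDays = 0,       # the AD Maximum password age; 0 means never expires
        [int]$NotifyDaysBefore = 14,      # how early the user is warned (assumed value)
        [datetime]$Now = (Get-Date)
    )
    # Pick the tier with the largest MinLength the password qualifies for.
    $tier = $Tiers | Sort-Object MinLength -Descending |
            Where-Object { $PasswordLength -ge $_.MinLength } | Select-Object -First 1

    $days = $null
    if ($null -ne $tier.ExpiryDays) { $days = $tier.ExpiryDays + $tier.ExtraDays }
    # A non-zero domain maximum caps every tier, including tiers with expiration disabled.
    if ($DomainMaxAgeDays -gt 0 -and ($null -eq $days -or $days -gt $DomainMaxAgeDays)) {
        $days = $DomainMaxAgeDays
    }

    $expires    = $null
    $notifyFrom = $null
    if ($null -ne $days) {
        $expires    = $PasswordLastSet.AddDays($days)
        $notifyFrom = $expires.AddDays(-$NotifyDaysBefore)
    }
    [pscustomobject]@{
        Tier       = $tier.Name
        ExpiryDays = $days
        ExpiresOn  = $expires
        Expired    = ($null -ne $expires -and $expires -le $Now)
        NotifyNow  = ($null -ne $expires -and $Now -ge $notifyFrom -and $Now -lt $expires)
    }
}

# Constructed sample users (lengths and dates are invented for the demonstration).
$now = Get-Date '2024-06-01'
$samples = @(
    [pscustomobject]@{ User = 'alice'; Length = 8;  LastSet = $now.AddDays(-20) }    # Weak: expires in 10 days, notify now
    [pscustomobject]@{ User = 'bob';   Length = 13; LastSet = $now.AddDays(-170) }   # Standard: 10 days left, notify now
    [pscustomobject]@{ User = 'carol'; Length = 24; LastSet = $now.AddDays(-700) }   # Passphrase: never expires
    [pscustomobject]@{ User = 'erin';  Length = 16; LastSet = $now.AddDays(-400) }   # Strong: 395 days, expired
)

$samples | ForEach-Object {
    $r = Get-TieredPasswordExpiry -PasswordLength $_.Length -PasswordLastSet $_.LastSet -Tiers $tiers -Now $now
    [pscustomobject]@{ User = $_.User; Tier = $r.Tier; ExpiresOn = $r.ExpiresOn; Expired = $r.Expired; NotifyNow = $r.NotifyNow }
} | Format-Table

# Re-run with the domain maximum set to 365 days and carol's passphrase is no longer exempt:
Get-TieredPasswordExpiry -PasswordLength 24 -PasswordLastSet $now.AddDays(-700) -Tiers $tiers -DomainMaxAgeDays 365 -Now $now
```

The design point worth noting is the ordering: tiers are resolved from the longest MinLength downward so a 24-character password does not fall into the 12-character tier, and the domain ceiling is applied after the tier lookup so that a later change to Maximum password age in Active Directory shortens every tier without the tier table having to be edited.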
Although more security experts are moving away from periodic password expiration, the threats are not going away, and there is always more you can do to keep your network secure. It is essential to review best practices regularly, because as the threats evolve, what counts as best practice may change yet again.