SysAdmin MAGAZINE

Secure Password
Management:
Best Practices
 Contents SysAdmin Magazine April 2023

SysAdmin

Magazine Contents

74
3 Tips for Better Password Management
№ April ‘23

6 NIST Password Guidelines

SysAdmin Magazine is a free 9 Finding Weak Passwords in Active Directory

source of knowledge for IT Pros
who are eager to keep a tight
grip on network security and do
12 Passwordless Authentication with Windows Hello for Business
the job faster.
15 How to: Detect Password Changes in Active Directory

16 Tool of the Month: Netwrix Password Policy Enforcer

The Sysadmin Magazine team

[email protected]

2
 Contents
Tips for Better
Password
Management
Joe Dibley
Security Researcher at Netwrix
Even as more advanced forms of authentication, such as
biometrics, are developed and implemented, passwords
continue to be a commonly used form of authentication.
This is partly due to the fact that they are relatively simple
to implement and require little infrastructure to support.
However, the fact that they are so widely used also means
that they are a common target for hackers, which is why it’s
so important to use strong, unique passwords and manage
them properly.
However, it’s hard for people to remember many strong
passwords, so they often write them down or store them
in unsecured locations, which is a huge security risk.
Accordingly, it’s important to educate all users about best
practices for password management.
3
In short, the problem with passwords is that it’s a trade-off
between security and convenience. The use of passwords
will never be 100% foolproof, but with education and
proper tools, you can make it more difficult for hackers to
gain access to your sensitive information and systems.
What should be considered
in a good password
▪ Create and enforce a policy requiring the use of
strong passwords. According to latest NIST best
practices, password length contributes to far more to
password security than complexity, so there is no need
to require a combination of uppercase and lowercase
letters, numbers, and special characters for passwords;
in fact, a short password, even a complex one, will take
a hacker less time to crack than a long one with less
complexity, and it will harder for the user to remember.
It is still recommended to avoid using easily guessable
information and to test new passwords against a
dictionary of compromised passwords.
▪ Implementing two-factor authentication (2FA) or
SysAdmin Magazine April 2023
multi-factor authentication (MFA) is a very good idea
as it adds an extra layer of security by requiring a second
form of identification, such as a fingerprint or a code
sent to the user’s phone, in addition to a password.
▪ It’s important for users to avoid using a single
password for multiple accounts and sites. If a hacker
gains access to a username and password combination,
then they will often try to reuse those digital credentials
against different services to further their access.
▪ Change your passwords if you suspect a breach.
While it is no longer recommended to force users to
change their password frequently, changing passwords
that might have been compromised reduces the risk
of accounts being taken over by someone who has
obtained the current passwords.
▪ Educate users. To protect your data and maintain the
integrity of systems and services, it’s important for users
to be regularly trained on managing their passwords
and on how to spot and respond to phishing and other
attack techniques.
▪ Avoid accessing sensitive information or other IT
resources on public networks. Using a virtual
private network (VPN) can also help encrypt your
internet connection and protect your data from being
intercepted by hackers.
 Contents
▪ It’s also important to keep your software and devices
updated and patched to ensure that you have the
latest security features and that known vulnerabilities,
especially those that are being actively exploited, are
promptly mitigated.
▪ Consider investing in a good password management
solution. These tools provide an easy way to create,
store and manage passwords and other sensitive
information, and some can even integrate with browsers
and other systems for added convenience. This enables
your users to use strong, unique passwords for each of
their accounts without having to remember them all.
While following these tips on how to manage passwords
cannot guarantee that your accounts will never be hacked,
they will significantly reduce the risk of a successful attack.
Choosing an effective
password management
solution
When selecting a password manager, it’s important to find
4
a solution that is easy to use and provides good protection.
Ultimately, the best password management solution for
you will depend on your specific needs and preferences,
so it’s better to evaluate several and choose the one that
best meets your requirements. Here are the key criteria to
evaluate:
▪ Security. The most important consideration when
assessing a password management solution is security.
It should use strong encryption to protect your password
data and should have been independently audited for
security vulnerabilities. Also research whether (and
how often) the vendor has been breached and how it
responded.
▪ User-friendliness. The solution should be easy to use,
with a clear and intuitive user interface that makes it
easy to create, store and manage passwords.
▪ Compatibility. The password manager should work on
a variety of devices and operating systems and support
all of the browsers you use.
▪ Auto-fill during login. This feature saves time and
effort by automatically filling in your credentials on
websites and apps.
▪ Multifactor authentication. The password manager
should support MFA as an added layer of security to
protect your data.
SysAdmin Magazine April 2023
▪ Backup and recovery. The password manager should
include a way to back up and restore your password
data in case of data loss.
▪ Secure sharing options. The solution should provide
secure options for sharing passwords with team (or
family) members, if necessary.
▪ Reporting and analytics. This feature can be beneficial
in providing insight into how passwords are being
used, including who’s accessing them and when, and
for detecting and alerting you about potential security
breaches.
▪ Customer support and price. The price of the
solution should be reasonable for the budget you have
reserved. In addition, the software vendor should have
a reputation for providing good customer support to
assist you in case you need help getting started or run
into any issues later.
▪ Regular updates. It’s important to choose a solution
that is frequently updated to include new features and
address security vulnerabilities.
 Contents SysAdmin Magazine April 2023

Password Security and

Management Made Easy
with Netwrix GUIDE
Secure management of user credentials is essential for FREE GUIDE
enterprise security and a fundamental requirement for

Password Policy
compliance with many standards and regulations. Netwrix
Password Secure is an enterprise password management
solution that enables you to eliminate weak passwords,
implement password policies for specific teams and pass
compliance audits more easily — all while simplifying
Best Practices for
password management for both business users and IT
teams. Users can even securely share passwords, keys,
Strong Security in
profiles and other secrets with their teammates.
AD
Free Download

5
 Contents
NIST Password
Guidelines
Joe Dibley
Security Researcher at Netwrix
What are NIST Password
Guidelines?
Since 2014, the National Institute of Standards and
Technology (NIST), a U.S. federal agency, has issued
guidelines for managing digital identities via Special
Publication 800-63B. The latest revision (rev. 3) was released
in 2017, and has been updated as recently as 2019. Revision
4 was made available for comment and review; however,
revision 3 is still the standard as of the time of this blog post.
Section 5.1.1 – Memorized Secrets provides recommenda-
tions for requirements around how users may create new
passwords or make password changes, including guide-
6
lines around issues such as password strength. Special
Publication 800-63B also covers verifiers (software, web-
sites, network directory services, etc.) that validate and
handle passwords during authentication and other pro-
cesses.
Not all organizations must adhere to NIST guidelines.
However, many follow NIST password policy
recommendations even if it’s not required because they
provide a good foundation for sound digital identity
management. Indeed, strong password security helps
companies block many cybersecurity attacks, including
hackers, brute force attacks like credential stuffing and
dictionary attacks. In addition, mitigating identity-related
security risks helps organizations ensure compliance with
a wide range of regulations, such as HIPAA, FISMA and SOX.
Quick List of NIST
Password Guidelines
This blog explain many NIST password guidelines in detail,
but here’s a quick list:
▪ User-generated passwords should be at least 8 characters
in length.
SysAdmin Magazine April 2023
▪ Machine-generated passwords should be at least 6
characters in length.
▪ Users should be able to create passwords at least 64
characters in length.
▪ All ASCII/Unicode characters should be allowed, including
emojis and spaces.
▪ Stored passwords should be hashed and salted, and
never truncated.
▪ Prospective passwords should be compared against
password breach databases and rejected if there’s a
match.
▪ Passwords should not expire.
▪ Users should be prevented from using sequential
characters (e.g., “1234”) or repeated characters (e.g.,
“aaaa”).
▪ Two-factor authentication (2FA) should not use SMS for
codes.
▪ Knowledge-based authentication (KBA), such as “What
was the name of your first pet?”, should not be used.
▪ Users should be allowed 10 failed password attempts
before being locked out of a system or service.
▪ Passwords should not have hints.
▪ Complexity requirements — like requiring special
characters, numbers or uppercase letters — should not
be used.
▪ Context-specific words, such as the name of the service
or the individual’s username, should not be permitted.
 Contents
You probably notice that some of these recommendations
represent a departure from previous assumptions and
standards. For example, NIST has removed complexity
requirements like special characters in passwords; this
change was made in part because users find ways to
circumvent stringent complexity requirements. Instead of
struggling to remember complex passwords and risking
getting locked out, they may write their passwords down
and leave them near physical computers or servers. Or they
simply recycle old passwords based on dictionary words by
making minimal changes during password creation, such as
incrementing a number at the end.
NIST Guidelines
Now let’s explore the NIST guidelines in more detail.
Password length & processing
Length has long been considered a crucial factor for
password security. NIST now recommends a password
policy that requires all user-created passwords to be at
least 8 characters in length, and all machine-generated
passwords to be at least 6 characters in length. Additionally,
7
it’s recommended to allow passwords to be at least 64
characters as a maximum length.
Verifiers should no longer truncate any passwords during
processing. Passwords should be hashed and salted, with
the full password hash stored.
Also the recommended NIST account lockout policy is to
allow users at least 10 attempts at entering their password
before being locked out.
Accepted characters
All ASCII characters, including the space character, should
be supported in passwords. NIST specifies that Unicode
characters, such as emojis, should be accepted as well.
Users should be prevented from using sequential characters
(e.g., “1234”), repeated characters (e.g., “aaaa”) and simple
dictionary words.
Commonly used & breached
passwords
Passwords that are known to be commonly used or com-
promised should not be permitted. For example, you should
SysAdmin Magazine April 2023
disallow passwords in lists from breaches (such as the Have
I Been Pwned? database, which contains 570+ million pass-
words from breaches), previously used passwords, well-
known commonly used passwords, and context-specific
passwords (e.g., the name of the service).
When a user attempts to use a password that fails this
check, a message should be displayed asking them for a
different password and providing an explanation for why
their previous entry was rejected.
Reduced complexity & password
expiration
As explained earlier in the blog, previous password
complexity requirements have led to less secure human
behavior, instead of the intended effect of tightening security.
With that in mind, NIST recommends reduced complexity
requirements, which includes removing requirements for
special characters, numbers, uppercase characters, etc.
A related recommendation for reducing insecure human
behavior is to eliminate password expiration.
 Contents
No more hints or knowledge-based
authentication (KBA)
Although password hints were intended to help users to
create more complex passwords, users often choose hints
that practically give away their passwords. Accordingly, NIST
recommends not allowing password hints.
NIST also recommends not using knowledge-based
authentication (KBA), such as questions like “What was the
name of your first pet?”
Password managers & two-factor
authentication (2FA)
To account for the growing popularity of password
managers, users should be able to paste passwords.
SMS is no longer considered a secure option for 2FA. Instead,
one-time code provider, such as Google Authenticator or
Okta Verify, should be used.
8
SysAdmin Magazine April 2023
How Netwrix Can Help
Netwrix offers several solutions specifically designed
to streamline and strengthen access and password
management:
FREE GUIDE
Netwrix Password Policy Enforcer makes it easy to create
Kickstart Guide
strong yet flexible password policies that enhance security
and compliance without hurting user productivity or
burdening helpdesk and IT teams.
Netwrix Password Reset enables users to safely unlock their
to Implementing
own accounts and reset or change their own passwords,
right from their web browser. This self-service functionality
the NIST
dramatically reduces user frustration and productivity
losses while slashing helpdesk call volume.
Cybersecurity
Free Download
 Contents
Finding Weak
Passwords in
Active Directory
Jeff Warren
Security Expert, SVP of Products at Netwrix
Knowing the credentials for any user account in your network
gives an adversary significant power. After logging on as a
legitimate user, they can move laterally to other systems and
escalate their privileges to deploy ransomware, steal critical
data, disrupt vital operations and more.
Most organizations know this, and take steps to protect user
credentials. In particular, they use Active Directory password
policy to enforce password length, complexity and history
requirements, and they establish a policy to lock out an
account after a certain number of failed logon attempts. So
they’re safe, right?
Unfortunately not. Even with these controls in place, many
people choose easily guessable passwords like Winter2017 or
Password!@# because they comply with company standards
9
SysAdmin Magazine April 2023
but are easy to remember. These weak passwords leave the
organization vulnerable to one of the simplest attacks that Step 1. Check the Active Directory
adversaries use to gain a foothold in a network: guessing. password policy and lockout policy
You might be surprised at just how well this strategy works. To avoid lockouts, attackers need to know how many
Let’s walk through an example of a password guessing attack, bad passwords they can guess per account. And to pick
and then explore how you can assess your vulnerability and passwords that are likely to work, they need to know the
strengthen your cybersecurity. company’s AD password policy. CrackMapExec gives them
both. Here is an example of the output it provides:
How a password spraying
attack works
In a password spraying attack, the adversary picks one
commonly used password and tries using it to log on to each
account in the organization. Most attempts will fail, but a
single failed logon for an account will not trigger a lockout.
Now the attacker knows that in this environment, they
If all the attempts fail, they simply try again with the next
have 9 guesses at each user’s password without triggering
password in their arsenal. If they find a password that was
a lockout. They can also see that the minimum password
chosen by just one user in your organization, they’re inside
length is 5 characters and password complexity is enabled;
your network, poised to wreak havoc.
this information can be used to craft a custom dictionary
of candidate passwords without wasting guesses on
One way an attacker can perform a password spraying attack
passwords that would have been rejected by the policy.
is with CrackMapExec, a utility that’s fee to download from
(Alternatively, they can use one of multiple password lists
Github. CrackMapExec comes bundled with a Mimikatz
created using password dumps from data breaches, which
module (via PowerSploit) to assist with credential harvesting.
are also readily available on GitHub.)
Here’s how the attack works:
 Contents SysAdmin Magazine April 2023

Step 2. Enumerate all user accounts

Discovering your weak
Next, the adversary needs a list of accounts to try the passwords against. They can easily extract a list of all user accounts with an
LDAP query, or they can use the rid-brute feature of CrackMapExec, as follows:
passwords
As you can see, attackers with no access rights in your
environment have a very effective way to compromise
your AD accounts: simply guessing their plaintext
passwords. You may be wondering just how vulnerable
your organization is to such attacks.

To find out, you can use the DSInternals command Test-

PasswordQuality. It will extract the password hashes for
all your user accounts and compare them against the
password hashes for a dictionary of weak passwords.

Step 3. Try each password against all user accounts

Here is the command you can issue to run the analysis.
With a list of all AD user accounts (users.txt) and a list of candidate passwords (passwords.txt), the adversary simply needs to issue It can be run remotely and will extract password hashes
the following command: using DC replication similar to the DCSync Mimikatz attack.

This command will try each password against each account until it finds a match:

10
 Contents SysAdmin Magazine April 2023

How Netwrix can help

At the top of the output report is a list of accounts stored with reversible encryption.
you defend against weak
passwords
While Microsoft password policy enables you to put some
constraints in place, it is not sufficient to prevent your
users from choosing passwords that adversaries can easily
guess. Netwrix offers an Active Directory security solution
that enables you to require strong passwords. Even better,
it enables you to secure your Active Directory from end to
end. You can:
Then the report lists all accounts whose passwords were found in the dictionary:
▪ Identify and mitigate vulnerabilities in your Active
Directory, including not just weak passwords but
excessive permissions, shadow admins, stale accounts
and more.
▪ Enforce strong password policies and also control AD
configurations and permissions to prevent credential
theft.
▪ Detect even advanced threats to stop bad actors before
they can complete their mission.
▪ Instantly contain a security breach with automated
response actions, minimizing the damage to your
business.
▪ Roll back or recover from malicious or otherwise
improper changes with minimal downtime.

11
 Contents SysAdmin Magazine April 2023

Passwordless Smartphones and tablets moved away from passwords

long ago; today, most people sign into these devices with
Testing Windows Hello for
Business
Authentication
their face or fingerprint. But what options are available
for corporate networks? Microsoft now offers Windows
Hello for Business, which enables users to log in without
Step 1. Set up a hybrid lab
with Windows a password. Instead, they provide two authentication two
factors: something they have (their device), plus either
My goal was to be able to log into a device without a pass-

Hello for
something they know (a PIN) or something they are (bio-
word and then access both an on-premises resource (a
metrics). This approach is clearly far more secure than us-
file share) and a cloud resource (SharePoint Online) with-
ing passwords. With WHfB in place, in order to steal a us-

Business
Jeff Warren
Security Expert, SVP of Products at Netwrix
Passwords are everywhere — and nobody likes them.
For users, they are a pain to remember and manage. For
businesses, they continue to be a primary source of data
breaches, both on premises and in the cloud. In fact, the
2022 Verizon DBIR reports that credential theft was in-
volved in nearly half of all cyberattacks, including third-par-
ty breaches, phishing attacks and basic web application at-
tacks.
out being prompted to enter a password. Accordingly, my
er’s identity, an adversary would have to obtain that user’s
lab consisted of:
laptop or phone. In contrast, a hacker has a number of far
easier paths for stealing traditional user passwords, such ▪ An on-premises domain controller and a file server run-
as extracting the Ntds.dit file from any domain controller. ning Windows Server 2016 and a member workstation
running Windows 10, all joined to the same AD domain
But how well does Windows Hello for Business actually ▪ An Azure AD domain with Azure AD Premium licenses
work? To find out, I set up a lab in my hybrid AD envi- ▪ Azure AD Connect synchronizing users and hashes; no
ronment and put WHfB through its paces. This article ex- AD Federation Services
plains what I did — and the five key conclusions I was able ▪ Azure AD-joined devices through Intune with the Edge
to draw about its benefits and limitations. browser
Step 2. Deploy Windows Hello for
Business
Windows Hello for Business offers multiple deployment
models. The best option for you will depend on multiple

12
 Contents
factors, including whether you have an on-prem, cloud-on-
ly or hybrid environment, what operating system versions
you’re running, and whether you manage certificates on
user devices.
I chose the Hybrid Azure AD Key Trust deployment model.
(Note that this model does not support remote desktop
connections, but that was not a concern for me since I use
Netwrix Privilege Secure for that.)
This blog is not intended to be an in-depth guide on how
to deploy Windows Hello for Business, but here are some
tips for success:
▪ Set up your on-premises and Azure AD domains and
connect them with Azure AD Connect. I enabled pass-
word-hash synchronization with single sign-on (SSO).
▪ Ensure Azure device registration is set up so you can
auto-register your devices.
▪ Set up your certificates the right way on your DCs, in-
cluding setting up a Certificate Revocation List (CRL).
▪ Configure your clients to enroll in Windows Hello for
Business. This can be done through Intune if you are
managing your devices there or through GPOs if you
aren’t.
▪ Users will be prompted to register their device and se-
lect a PIN:
13
SysAdmin Magazine April 2023
Five thoughts on going
passwordless with WHfB
Here are my top observations after using WHfB for pass-
wordless authentication in a hybrid environment.
#1. Passwordless does not mean no
more passwords
Microsoft lists the elimination of passwords as Step 4 in
their passwordless strategy, but that is not something that
can be expected with WHfB in a hybrid AD environment.
Still, users will have to type their passwords only once a
week or once a month, rather than 10 times a day, so you
Bonus tip: Get ready to run “dsregcmd /status /debug”
might be able to require stronger passwords since your
at least 100 times as you work through what is and
users don’t have to use them often.
isn’t working while trying to get your devices registered
appropriately!
Ideally, you could get to the point where users don’t know
their passwords, but they will still be there, lurking in the
Once I finished the deployment, I could log into my de-
shadows of your on-premises Active Directory environ-
vice with a PIN and then access SharePoint Online and
ment.
on-premises file shares without being prompted for logon.
 Contents SysAdmin Magazine April 2023

#2. A lot depends on your needs
The value of Windows Hello for Business depends on the
specifics of your environment. It worked great in my lab
for connecting to Microsoft 365 and network file shares
without any password prompt. If you have custom web
apps and lots of cloud apps, start by getting them into Azure
SSO; that’s outside the scope of this research but it seems
to have broad coverage and a web application proxy for
custom on-prem web apps.
#3. Password attacks are still a thing
Since WHfB does not eliminate passwords, it does not
eliminate your risk from password-based attacks like
password spraying. Therefore, you still need a good
password security strategy for both human and non-human
accounts. Netwrix Password Policy Enforcer can help by
enabling you to:
#4. Lateral movement is still a thing
Windows Hello for Business does not eliminate pass-the-
hash, pass-the-ticket and other lateral movement attacks,
nor does it block Golden Tickets and other privilege
escalation techniques. Since those tactics take advantage of
non-interactive logons, they are outside the scope of WHfB. HOW TO
#5. Passwordless is a great way
to go. Get there as soon as you
Find Last
reasonably can Password Change
I definitely recommend evaluating WHfB if you are
using Azure and already own licenses for the necessary
Date
components. It makes signing in easy, and you can improve
your password security measures without user friction. In Learn More
addition, users will start to find it weird when they are asked
to enter their password, which will make them less likely to
expose their credentials in attacks such as phishing scams.

▪ Create multiple password policies with powerful policy

rules
▪ Block the use of leaked passwords
▪ Help users choose compliant passwords

14
 Contents SysAdmin Magazine April 2023

How-to for IT Pro

HOW TO: DETECT PASSWORD CHANGES IN
ACTIVE DIRECTORY

1. Run GPMC.msc (url2open.com/gpmc) -> open "Default

Domain Policy" -> Computer Configuration -> Policies ->
Windows Settings -> Security Settings -> Local Policies ->
Audit Policy:

▪ AAudit account management -> Define -> Success

and Failure.

2. Run GPMC.msc -> open "Default Domain Policy" -> Com-

puter Configuration -> Policies -> Windows Settings -> Se-
curity Settings ->Event Log -> Define:

▪ Maximum security log size to 1GB

▪ Retention method for security log to Overwrite
events as needed

3. Open Event viewer and search Security log for event id’s:
628/4724 – password reset attempt by administrator and
627/4723 – password change attempt by user.

15
 Contents SysAdmin Magazine April 2023

ц
FRUSTRATE HACKERS, SATISFY AUDITORS AND DELIGHT USERS WITH PASSWORD POLICY ENFORCER

TOOL OF THE MONTH ▪ Choose among dozens of strong, detailed password ▪ Empower IT admins to easily enforce multiple
policies, both on remises and in the cloud.  password policies. Reduce user frustration by helping
users choose compliant new passwords.

Netwrix
Password Policy
Enforcer ▪ Use out-of-the-box policy templates based on CIS,
HIPAA, NERC CIP, NIST and PCI DSS.

Request Free Trial

16
 Contents SysAdmin Magazine April 2023

[On-Demand Webinar]

Why Weak Passwords Join Brian Johnson (CISSP, OSCP and president of 7 Minute Security) to find out how weak the
passwords are in your organization, and what you can do to strengthen this part of your security

Pose a Serious Threat strategy:

— and How to Reduce

During this session, you'll learn:

▪ How you can manually audit your environment for weak and common passwords

Your Risk ▪ Where to download lists of weak and common passwords

▪ “Hidden” places on the network (like AD, Group Policy objects and file shares) where
passwords often live unbeknownst to sysadmins — but not hackers!
Brian Johnson
Security enthusiast/Podcaster ▪ How you can enforce granular password policies to reduce your risk from password attacks

Martin Cannard
VP of Product Strategy
Watch Now

17
 About Netwrix
What did you think
Netwrix is a software company that enables information security and governance professionals to reclaim control over
of this issue? sensitive, regulated and business-critical data, regardless of where it resides.

Over 11500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of
enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and
knowledge workers.

For more information visit www.netwrix.com

CORPORATE HEADQUARTER: PHONES: OTHER LOCATIONS:

300 Spectrum Center Drive 1-949-407-5125 Spain: +34 911 982608 Switzerland: +41 43 508 3472 Hong Kong: +852 5808 1306
Suite 200 Irvine, CA 92618 Toll-free (USA): 888-638-9749 Italy: +39 02 947 53539
Netherlands: +31 858 887 804 France: +33 9 75 18 11 19

Sweden: +46 8 525 03487 Germany: +49 711 899 89 187

565 Metro Place S, Suite 400 1-201-490-8840
Dublin, OH 43017

5 New Street Square +44 (0) 203 588 3023 SOCIAL: netwrix.com/social
London EC4A 3TW