Password Policy Best Practices For Strong Security in AD

This document provides best practices and recommendations for implementing strong password security in an Active Directory environment. It discusses setting password policies using Group Policy, following the NIST password guidelines for complexity, length, expiration and other factors. It also recommends using a password manager and multifactor authentication to improve security. The document emphasizes educating users on password protection best practices.
Password Policy Best Practices for Strong Security in AD
A strong password policy is any organization’s first line of defense for securing its important data and systems
against intruders. This document details best practices and other recommendations for strong password
security.

Setting password policies in an Active Directory environment

In a Microsoft Active Directory environment, you can use Group Policy to enforce and control password
requirements such as complexity, length and lifetime. The default domain password policy is located in the
following Group Policy object (GPO):

Computer configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies ->
Password Policy

Starting from Windows Server 2008 domain functional level, you can define fine-grained policies for different
organizational units using the Active Directory Administrative Center (DSAC) or PowerShell.

NIST password guidelines

The National Institute of Standards and Technology (NIST) offers Digital Identity Guidelines for a sound password
policy, including the following:

Password complexity best practices

Many organizations require passwords to include a variety of symbols, such as at least one number, both
uppercase and lowercase letters, and one or more special characters. However, such rules make passwords
much harder for users to remember and type, which can lead to poor security practices like writing passwords
down and to increased helpdesk calls for password resets.

Accordingly, NIST no longer recommends stringent password complexity and instead focuses on password
length. Something to keep in mind, however, is that giving users a password manager enables a business to
keep its complexity requirements without hurting security or productivity.

Best practices for password length

Password length is one of the most important factors in password strength. Indeed, a long coherent phrase
is actually better than a short password that uses many types of characters, since short passwords can be
guessed or cracked much faster. Additionally, long passphrases are easier to remember than short strings of
gibberish, reducing the risk of users writing them down or suffering account lockouts.

Accordingly, the NIST password length recommendations state that passwords should be at least 64 characters long.

Password expiration best practices

Previous NIST password change policy best practices recommended forcing users to change their passwords every 90
days (180 days for passphrases). However, NIST no longer recommends this policy because requiring users to change
their passwords all the time can lead them to pick weak passwords or write their passwords down, which hurts your
information security posture.

Instead, NIST recommends requiring users to create new passwords only in cases of suspected unauthorized access
or breaches that result in personal credentials being published on the dark web, where they can be used in future
cyberattacks.

Password managers

NIST does not explicitly recommend the use of password managers but acknowledges their benefits. Using a password
manager to create, store and enter credentials makes it easier to enforce strong password management policies, since
people do not even need to know their passwords.

Supplementing passwords with MFA

Implementing multifactor authentication (MFA) improves security by making stolen or cracked passwords far less
useful to adversaries. However, keep in mind that NIST recommends implementing MFA only when the company can
use Google Authenticator or another authentication process that doesn’t involve SMS.

Passwords especially susceptible to brute-force attacks

It’s wise to discourage or prohibit the following passwords:

- Easy-to-guess passwords, especially the string “password”
- A series of numbers or letters in order, like “1234” or “abcd”
- A string of characters in the order in which they appear on the keyboard, like “@#$%^&”
- The same character typed multiple times, like “zzzzzz”
- A user’s given name, the name of a partner or child, or other names
- Other information easily obtained about a user, such as their address, phone number, license plate number,
  alma mater or family member’s birth date
- Words that can be found in a dictionary
- Default or suggested passwords, even if they seem strong
- Usernames or host names
- Any of the above followed or preceded by a single digit
- A new password that simply increments a number or character at the beginning or end of the previous
  password
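The following PowerShell function is an added example, not part of the Netwrix document: it pre-screens a candidate password against the patterns listed above (dictionary words, usernames and host names, repeated characters, sequential and keyboard-order runs, a single edge digit, and a new password that merely increments the previous one) and reports every rule that fires. The wordlist, usernames and sample passwords are constructed stand-ins.

```powershell
function Test-WeakPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$UserName = '',
        [string]$HostName = '',
        [string]$PreviousPassword = '',
        # constructed stand-in for a real wordlist
        [string[]]$Dictionary = @('password', 'welcome', 'summer', 'letmein')
    )
    $reasons = [System.Collections.Generic.List[string]]::new()
    $p = $Password.ToLowerInvariant()
    # "...followed or preceded by a single digit": compare without one edge digit
    $core = $p -replace '^\d(?=.)', '' -replace '(?<=.)\d$', ''

    if ($Dictionary -contains $core) { $reasons.Add("dictionary word '$core'") }
    foreach ($id in @($UserName, $HostName)) {
        if ($id -and $core -eq $id.ToLowerInvariant()) { $reasons.Add("matches '$id'") }
    }
    # the same character four or more times in a row, like "zzzzzz"
    if ($p -match '(.)\1{3,}') { $reasons.Add('repeated character run') }
    # ascending or descending runs of four, like "1234", "abcd" or "dcba"
    for ($i = 0; $i -le $p.Length - 4; $i++) {
        $d = (1..3 | ForEach-Object { [int]$p[$i + $_] - [int]$p[$i + $_ - 1] }) -join ','
        if ($d -eq '1,1,1' -or $d -eq '-1,-1,-1') {
            $reasons.Add("sequential run '$($p.Substring($i, 4))'"); break
        }
    }
    # four adjacent keys from one keyboard row, like "@#$%^&" or "qwer"
    foreach ($row in 'qwertyuiop', 'asdfghjkl', 'zxcvbnm', '!@#$%^&*()') {
        for ($i = 0; $i -le $row.Length - 4; $i++) {
            $run = $row.Substring($i, 4)
            if ($p.Contains($run)) { $reasons.Add("keyboard pattern '$run'"); break }
        }
    }
    # a new password that only changes the leading/trailing digits of the old one
    if ($PreviousPassword) {
        $prevCore = $PreviousPassword.ToLowerInvariant() -replace '^\d+', '' -replace '\d+$', ''
        $newCore  = $p -replace '^\d+', '' -replace '\d+$', ''
        if ($newCore -and $newCore -eq $prevCore) { $reasons.Add('only the digits changed from the previous password') }
    }
    [pscustomobject]@{ IsWeak = ($reasons.Count -gt 0); Reasons = $reasons.ToArray() }
}

# Constructed samples: the first two are rejected, the passphrase passes every rule
Test-WeakPassword -Password 'Summer2024' -PreviousPassword 'Summer2023' -UserName 'jdoe'
Test-WeakPassword -Password 'Password1' -UserName 'jdoe'
Test-WeakPassword -Password 'correct horse battery staple'
```

A check like this complements, rather than replaces, the directory’s own policy: it runs before the password is submitted, so the user gets the reason immediately instead of a generic rejection.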

Password requirements best practices

Administrators should be sure to:

- Configure a minimum password length.
- Enforce password history policy with at least 10 previous passwords remembered.
- Set a minimum password age of 3 days.
- Require passwords to meet complexity requirements. This setting can be disabled for passphrases, but it
  is not recommended.
- Reset local admin passwords every 180 days. This can be done with the free Netwrix Bulk Password Reset
  tool.
- Reset service account passwords once a year during maintenance.
- For Domain Admin accounts, use strong passphrases with a minimum of 15 characters.
- Track all password changes using a solution such as Netwrix Auditor for Active Directory.
- Create email notifications for password expiration. This can be done with the free Netwrix Password
  Expiration Notifier tool.
- Instead of editing the default settings in domain policy, create granular password policies and link them to
  specific organizational units.

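As an added example (not from the Netwrix document), this PowerShell session applies the settings in the list above, together with the fine-grained policy mechanism described in the Active Directory section earlier, to privileged accounts: it records the default domain policy as a baseline, creates a Password Settings Object (PSO) with the 15-character minimum, 10-password history, 3-day minimum age and 180-day maximum age, scopes it to Domain Admins, and verifies which policy an account actually receives. It assumes the ActiveDirectory module and a domain at Windows Server 2008 functional level or later; the PSO name and the account name are placeholders.

```powershell
Import-Module ActiveDirectory

# Baseline: what the default domain policy currently enforces
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MinPasswordAge,
                  MaxPasswordAge, ComplexityEnabled, ReversibleEncryptionEnabled

$psoName = 'PSO-PrivilegedAccounts'    # hypothetical policy name
$settings = @{
    Name                        = $psoName
    Precedence                  = 10     # lower value wins when several PSOs apply to a user
    MinPasswordLength           = 15     # Domain Admins: passphrases of 15+ characters
    PasswordHistoryCount        = 10     # at least 10 previous passwords remembered
    MinPasswordAge              = (New-TimeSpan -Days 3)
    MaxPasswordAge              = (New-TimeSpan -Days 180)
    ComplexityEnabled           = $true  # keep complexity on, as the document advises
    ReversibleEncryptionEnabled = $false # never store passwords in a reversible form
    LockoutThreshold            = 10
    LockoutDuration             = (New-TimeSpan -Minutes 30)
    LockoutObservationWindow    = (New-TimeSpan -Minutes 30)
    Description                 = 'Password settings for privileged accounts'
}
New-ADFineGrainedPasswordPolicy @settings

# A PSO is applied to users and global security groups rather than linked to
# an OU the way a GPO is, so scope it to the privileged group
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects 'Domain Admins'

# Verify: returns the winning PSO for the account, or nothing if only the
# default domain policy applies. 'admin.placeholder' is a stand-in account name.
Get-ADUserResultantPasswordPolicy -Identity 'admin.placeholder' |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount, MaxPasswordAge
```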
Additional password and authentication best practices

- Enterprise applications must support authentication of individual user accounts, not groups.
- Enterprise applications must protect stored and transferred passwords with encryption to help keep
  hackers from cracking them.
- Users (and applications) must not store passwords in clear text or in any easily reversible form, and must
  not transmit passwords in clear text over the network.
- Use MFA judiciously to mitigate the security risks of stolen and mishandled passwords.
- When employees leave the organization, change the passwords for their accounts even if you disable the
  accounts.
- Reduce user frustration and helpdesk workload by helping users choose new passwords that meet
  requirements, proactively reminding them of impending password expiration, and allowing them to change
  their password in a web browser.

User education

In addition, be sure to educate your users about the following:

- It is vital to remember your password without writing it down somewhere, so choose a strong password or
  passphrase that you will easily remember. If you use a password management tool, choose a strong master
  key and remember it.
- Be aware of how passwords are sent across the internet. URLs (web addresses) that begin with “https://”
  rather than “http://” are more likely to protect your password in transit.
- If you suspect that someone else may know your current password, change it immediately.
- Don’t type your password while anyone is watching.
- Do not use the same password for multiple websites containing sensitive information.

How Netwrix can help
Enforce strong password policies

Ensuring that user credentials meet high standards and are managed safely is foundational to enterprise security and
therefore a core requirement of many compliance mandates. Netwrix Password Secure empowers you to securely
manage passwords, replace weak ones with strong alternatives, enforce appropriate password policies for different
teams, manage privileged access and audit password usage. Moreover, it synchronizes passwords across platforms
and devices so users can access them securely from anywhere, even offline, and log in simply by clicking the browser
extension, enabling them to easily comply with strong password policies instead of looking for workarounds. As a
result, you can strengthen security and compliance while enhancing productivity.

In complex environments, it is recommended to enforce granular password policies for both regular and privileged
users so that IT administrators can quickly respond to new requirements and minimize the risks of compromises due
to weak or stolen passwords. Netwrix Password Policy Enforcer empowers admins to easily enforce strong password
policies and significantly reduces the policy management workload on tech staff.

Audit activity related to password policy

Regular auditing of events can help you ensure your password policies are protecting your systems against attacks.
Events related to Windows Server password policy are recorded in the Security Event Log on the default domain
controller. By reviewing these logs, system administrators can determine who made changes to password policy
settings, and when and where (on what domain controller) each change happened. For additional important tips on
auditing password policy GPOs, see the Active Directory Group Policy Auditing Quick Reference Guide.
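The following PowerShell function is an added example, not from the Netwrix document, of pulling the "who, when and on which domain controller" answer out of the Security log. Event ID 4739 ("Domain Policy was changed") records changes to the default domain password policy; event ID 5136 ("A directory service object was modified") records edits to fine-grained policies when its object class is msDS-PasswordSettings, which requires the Directory Service Changes audit subcategory and an audit SACL on the PSO container. It assumes it is run with rights to read a domain controller’s Security log; the default queries the local machine.

```powershell
function Get-PasswordPolicyChange {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a domain controller; 4739 is logged on the PDC emulator
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    $filter = @{ LogName = 'Security'; Id = 4739, 5136; StartTime = $Since }
    foreach ($e in Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # EventData fields are exposed by name in the event XML
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object {
            if ($_.Name) { $data[$_.Name] = $_.'#text' }
        }
        # keep only 5136 events that touch a Password Settings Object
        if ($e.Id -eq 5136 -and $data.ObjectClass -ne 'msDS-PasswordSettings') { continue }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Controller = $e.MachineName            # where the change was recorded
            Id         = $e.Id
            Who        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Target     = if ($e.Id -eq 4739) { $data.DomainName } else { $data.ObjectDN }
            # 4739 carries the new raw policy values; 5136 carries one attribute per event
            Change     = if ($e.Id -eq 4739) {
                "MinLen=$($data.MinPasswordLength) History=$($data.PasswordHistoryLength) MaxAge=$($data.MaxPasswordAge)"
            } else {
                "$($data.AttributeLDAPDisplayName)=$($data.AttributeValue)"
            }
        }
    }
}

Get-PasswordPolicyChange | Sort-Object Time | Format-Table -AutoSize
```

Because 5136 logs one attribute change per event, a single PSO edit in the Administrative Center appears as several consecutive rows with the same Who and Target.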

However, native auditing tools won’t show you the most critical details, such as the name of the Group Policy object
in which password policy was changed and the type of action that was performed. Moreover, it’s nearly impossible to
understand which policies apply to which groups and identify discrepancies. For effective password policy management,
you need software that provides more insight into password policy modifications, such as Netwrix Auditor for Active
Directory.

Enforce strong passwords to thwart brute-force attacks with Netwrix Password Policy Enforcer

- Minimize the risk of your AD user accounts being compromised through brute-force attacks
- Easily enforce strong passwords with flexible policies and powerful rules
- Adhere to compliance requirements for strong passwords
- Reduce user frustration and helpdesk burden around password management

Download Free Trial

About Netwrix
Netwrix makes data security easy thereby simplifying how professionals can control sensitive, regulated and
business-critical data, regardless of where it resides. More than 11,500 organizations worldwide rely on Netwrix
solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits
with less effort and expense, and increase the productivity of IT teams and knowledge workers.

Founded in 2006, Netwrix has earned more than 150 industry awards and been named to both the Inc. 5000
and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.

Next Steps
Netwrix products — Check out the full portfolio of Netwrix products: netwrix.com/products

Live demo — Take a product tour with a Netwrix expert: netwrix.com/livedemo

Request quote — Receive pricing information: netwrix.com/buy

CORPORATE HEADQUARTERS: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749

OTHER LOCATIONS:
565 Metro Place S, Suite 400, Dublin, OH 43017; 1-201-490-8840
5 New Street Square, London EC4A 3TW; +44 (0) 203 588 3023
Spain: +34 911 982608; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487; Switzerland: +41 43 508 3472;
France: +33 9 75 18 11 19; Germany: +49 711 899 89 187; Hong Kong: +852 5808 1306; Italy: +39 02 947 53539

SOCIAL: netwrix.com/social