Improve Existing Password Security
Passwords remain the foundation of most security postures and will for some time to come. Yet password breaches are increasingly common despite layers of firewalls, honeypots and detection solutions. Adding complexity requirements frustrates users and pushes them to reuse similar passwords across websites, corporate machines and devices.
This means a breach on the web can have immediate and serious consequences for security in the enterprise.
What Are The New Guidelines?
Legacy password rules enforced regular password changes, with rules on length and password age, and complexity requirements such as mixtures of upper and lower case characters, use of special characters, and so on. These restrictions make passwords hard to remember, leading to increased help desk calls (up to 40%) and lost productivity.
Fortunately, NIST guidance lets us replace these outdated password rules and address the problem with the following recommendations:
- No more enforced composition rules
- No more periodic password expiration
- No more hints
- Minimum length of 8 characters
- No or large maximum length
- Expanded character set, including emoji
- Check against a dictionary of unacceptable and compromised passwords
Without password expiration, short maximum lengths or composition rules, and with comprehensive local and online checking against compromised-password lists, users are free to choose longer, more natural passwords composed of multiple words. These passwords are far harder to guess or brute force.
Users are more inclined to remember a long, natural password that doesn’t expire, and less likely to mistype one without mixed case letters or special characters. That leads to fewer help desk calls, with cost savings and increased productivity.
Users have become frustrated with current complex password requirements. Allowing them to enter a natural, memorable phrase as a password reduces friction when choosing a password, and every time they use the password to log in.
How Our Technology Can Help
Deploy Password Policy Agent onto your existing Active Directory Domain Controller(s) to immediately and seamlessly comply with all of the NIST requirements. There is no need to install extra software on workstations and all password change attempts, both accepted and declined, are logged centrally for auditing and reporting purposes.
Password Policy Agent is configured out of the box to meet the NIST SP 800-63 guidelines. It ensures that every new password (technically its hash, not the plaintext), along with common variants produced by our heuristic engine, is anonymously checked against our online database of over 300 million known compromised passwords.
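To make the guidance above concrete, here is an added example (not the product's code) of a password check that follows the listed NIST recommendations: no composition rules, hints or expiry, a minimum of 8 characters, a large maximum, Unicode normalization so emoji and full-width characters are counted correctly, and a hash-based comparison against a compromised-password list plus simple variants. The blocklist, the 128-character maximum and the variant heuristics are assumptions for illustration; the real product checks an online database.

```python
import hashlib
import unicodedata

# Constructed sample blocklist standing in for the page's online database of
# compromised passwords (an assumption; a real deployment uses a far larger list).
COMPROMISED = {"password", "qwerty123", "letmein", "correcthorsebatterystaple"}
COMPROMISED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in COMPROMISED}

MIN_LEN = 8    # SP 800-63B minimum for user-chosen memorized secrets
MAX_LEN = 128  # SP 800-63B requires at least 64 be allowed; 128 is the "large maximum" here


def normalize(secret: str) -> str:
    """NFKC-normalize so equivalent Unicode forms (full-width letters, combining
    accents) compare equal before the length and blocklist checks."""
    return unicodedata.normalize("NFKC", secret)


def variants(secret: str) -> set:
    """Simple stand-in for the product's 'heuristic engine' (an assumption): check
    obvious mutations so 'Passw0rd!' is caught by the blocklist entry 'password'."""
    base = secret.lower()
    stripped = base.rstrip("0123456789!?.")                        # drop trailing digits/punctuation
    deleet = stripped.translate(str.maketrans("@$013", "asole"))   # undo common substitutions
    return {secret, base, stripped, deleet, base.replace(" ", "")}


def check_password(secret: str) -> tuple:
    """Return (accepted, reason). Deliberately no composition rules, hints or
    expiry: only length and a compromised-password check, per the guidance above."""
    s = normalize(secret)
    n = len(s)  # counts code points, so an emoji is one character, not four bytes
    if n < MIN_LEN:
        return False, f"too short: {n} < {MIN_LEN} characters"
    if n > MAX_LEN:
        return False, f"too long: {n} > {MAX_LEN} characters"
    for v in variants(s):
        # compare hashes only, so the plaintext never leaves this function
        if hashlib.sha1(v.encode("utf-8")).hexdigest() in COMPROMISED_SHA1:
            return False, "matches a known compromised password or a common variant"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("Passw0rd!", "short🔑", "staple the horses to a battery"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {why}")
```

Note that "Passw0rd!" satisfies every legacy composition rule yet is rejected, while the plain four-word phrase with no digits or symbols is accepted.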