NIST recommends rejecting passwords commonly used in online guessing attacks and eliminating periodic password expiration unless the password is compromised. While these requirements make sense given current cyber threats, they don’t fit historic password policies. NIST has recommended new password policy guidelines for Active Directory that can help.
So how can you easily implement a modern password policy? And how can organizations make this a beneficial and straightforward effort when using Active Directory?
This article will dig into the new password requirements and describe how they can be applied in a modern NIST password policy.
We’ll also explain how Enzoic for Active Directory was designed for this purpose and can be configured in Active Directory to NIST guidelines with one setting.
Password policies needed to change to match the modern threat landscape. For years we required users to mix different character types. We thought this created a “strong” password.
However, what everyone has learned (and seems obvious in hindsight) by looking at actual passwords from data breaches is that people just take familiar words and append symbols and numbers or replace letters to satisfy strong password rules. Those rules didn’t encourage randomness at all.
Research has found a similar situation with password expiration policies. Requiring users to change their passwords regularly only discouraged them from making the effort to think of a unique password; they made more simple substitutions instead. Attackers quickly learned the patterns.
It turned out that the old password policies made creating and remembering passwords harder for users, but actually easier for hackers.
As we discussed, cyber-criminals use past data breaches and common password variations as a weapon. The solution is to understand the same patterns and turn the same tactics into a defensive tool.
This new approach relies on keeping up-to-date blacklists of compromised passwords and applying patterns from cracking dictionaries. This tactic, however, doesn’t work well for previous password policies and old-school password policy tools.
In the past, a simple software formula could identify a strong password based on the inclusion of the right mix of character types. And it would always be considered strong.
Modern password policies need to be able to compare large lists of bad passwords rapidly. More importantly, they need to be able to handle the fact that the next data breaches could instantly make a previously safe password vulnerable.
These are significant changes for systems administrators and for the tools used for creating password policies.
While not every organization must comply with NIST, their guidelines are seen as the foundation for many security frameworks. So, what does a modern password policy look like?
The guidelines are given in NIST SP 800-63B.
NIST is explicit that password policies SHOULD NOT require composition rules (i.e. mixtures of characters), and they SHALL compare to a list that includes passwords from previous breaches.
The NIST SP 800-63B FAQ elaborates by saying it is essential to discourage the use of very common passwords, particularly those that are most likely to be tried in an online password guessing attack.
The corresponding NIST password policy must:
These requirements reflect the current industry best practices for hardening the password layer. NIST makes it clear that a proper authentication strategy involves more than one layer and that the requirements above should be met whenever the password layer is included.
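As an added example (not Enzoic's code and not text from NIST), the Python below applies the SP 800-63B rules described above to a candidate password: length bounds, no composition rules, and a blocklist check that also catches the appended-digit and letter-substitution variants seen in breach data; a second function rescans stored fingerprints when a fresh breach list arrives, which is the "previously safe password becomes vulnerable" case. The blocklist, substitution table and account records are constructed samples.

```python
import hashlib
import re

# Constructed sample blocklist: a real deployment compares against a breach
# corpus of hundreds of millions of entries that is refreshed continuously.
BREACHED_PASSWORDS = {"password", "letmein", "qwerty", "welcome", "summer", "dragon"}

# Minimal leetspeak table (assumption: real cracking rule sets are far larger).
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Strip the decorations users add to satisfy composition rules:
    lower-case, drop trailing digits/symbols, undo common substitutions."""
    base = re.sub(r"[^a-zA-Z]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password: str, blocklist=BREACHED_PASSWORDS):
    """SP 800-63B screening: at least 8 characters, up to 64 accepted here,
    no composition rules, reject blocklisted values and trivial variants."""
    if len(password) < 8:
        return False, "too short (NIST minimum is 8 characters)"
    if len(password) > 64:
        return False, "longer than this example's 64-character limit"
    if password.lower() in blocklist or normalize(password) in blocklist:
        return False, "appears in breach data or is a trivial variant of it"
    return True, "ok"


def fingerprint(password: str) -> str:
    # Illustrative only: a hash of the plaintext lets stored credentials be
    # re-checked without keeping passwords. AD stores NT hashes, and the
    # page does not describe Enzoic's exact comparison mechanism.
    return hashlib.sha256(password.encode()).hexdigest()


def rescan(accounts: dict, newly_leaked: set) -> list:
    """Given {user: fingerprint} and plaintexts from a new breach, return the
    users whose previously accepted password is now compromised."""
    leaked_fps = {fingerprint(p) for p in newly_leaked}
    return sorted(u for u, fp in accounts.items() if fp in leaked_fps)


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "L3tm3in2024", "correct horse battery", "short1"]:
        print(pw, check_password(pw))
    accounts = {"alice": fingerprint("correct horse battery"),
                "bob": fingerprint("Tr0ub4dor&3")}
    print(rescan(accounts, {"Tr0ub4dor&3"}))  # → ['bob']
```

The daily rescan the article describes is the `rescan` step run against each day's new breach data; a hit triggers the forced change that NIST reserves for compromised passwords.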
Many old-school password security tools provide limited options for implementing the NIST password requirements. They often bolt on static blacklists that are infrequently updated. They offer few options beyond complexity-rule algorithms, and their configuration steps are typically complicated and not relevant to modern password policies.
By contrast, Enzoic for Active Directory provides a clean user interface. For organizations looking to satisfy the NIST requirements above, a single checkbox can apply all of the password policy options above. Once enabled, a dashboard component can highlight if settings are changed. Learn more about One-Click NIST Password Standard Compliance.
Enzoic for Active Directory was specifically designed for modern password policy requirements. It works together with Enzoic’s proprietary threat research services. The blacklist database that powers Enzoic for Active Directory is updated every day with the latest breach data and passwords are rescanned every 24 hours. When users’ passwords are found to be vulnerable, the remediation steps are fully automated.
Many security initiatives add burden to the organization. Adopting a NIST password policy actually does the opposite. It improves user experience by eliminating password complexity rules and reducing frequent password resets. It lowers administrative costs through fewer password-reset calls and automated remediation. And it improves security by following modern industry recommendations for passwords.