3 Tools for Enforcing Password Policies
User passwords are often a weak link in the corporate security chain. How can security pros make users adhere to strong password policies?
Recent corporate security breaches have taught us something important: The average computer user is spectacularly bad at choosing good passwords.
The most popular passwords turn out to be simple, easy-to-remember ones like "password," "123456," "monkey" and "iloveyou," all of which provide almost no security because they are among the first guesses any attacker tries. As a rule of thumb, a password that is easy to remember is also easy to guess.
Experts agree that a secure password should be 11 characters or more and made up of random characters drawn from a pool of upper and lower case letters, numbers and special characters such as "%" and ">". To understand why, consider roughly how long it would take an attacker who has stolen the password hashes, and can make one hundred billion guesses per second against them, to try every possible password of a given shape:
- A password made up of six random lower case letters: a fraction of a second
- A password made up of 11 random lower case letters: 11 hours
- A password made up of 11 random lower and upper case letters: two-and-a-half years
- A password made up of 11 random lower and upper case letters, numbers and special characters: 500 years
Those figures assume the password is genuinely random. An 11-character password built from a dictionary word and a digit falls in minutes, because crackers try dictionary words, common substitutions and keyboard patterns long before they resort to exhaustive search. So how do you ensure that your users choose secure passwords? User education helps, but corporate security is too important to rely on it alone. Faced with a tradeoff between security and convenience, many users will choose a short, easy-to-remember password like 123456 even if they know it is insecure.
Password Policy Tools
When it comes to Windows and Active Directory, Windows gives administrators the power to impose certain password policies on users when they choose a password. The built-in policies are fairly basic, however. The domain password policy lets you specify a minimum length, maximum and minimum password age, the number of previous passwords that cannot be reused, and a "complexity" rule that requires characters from three of five categories and forbids the account name in the password, but not much else. Nothing in it stops a user from picking "Password1!", which satisfies every built-in rule and is one of the first patterns a cracker tries.
Third-party password policy enforcement tools, typically installed as a password filter on the domain controllers so that they are consulted on every password change, allow administrators to impose additional rules such as:
- Complexity. Requires passwords to contain characters from a variety of character sets (such as digits, upper case characters and so on). The required number and selection of character sets are usually configurable.
- Dictionary words. Passwords must not contain words that a dictionary or hybrid cracking attack would find. The tools should be sophisticated enough to detect partial matches, character substitution (such as "P@ssw0rd") and character reversal (such as "drowssap").
- Keyboard pattern. This prohibits passwords with keyboard patterns such as "qwerty" or "asdfasdf."
- Repeating patterns. This disallows passwords with repeated characters, such as "aaaabbbb" or repeated patterns such as "monkeymonkey."
- Similarity. This detects when a user is choosing passwords that follow an obvious sequence, like "password1," "password2" and so on at each password change, which would otherwise defeat the purpose of the password history limit.
Many of these products also supply an optional client program which runs on users' computers and helps them choose a compliant password by displaying the password policy requirements.
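The rule categories above, and the user-facing feedback a client component would display, can be illustrated with a small password filter. This is an added example written for this page, not code from any of the products discussed; the word list, keyboard rows, substitution table and thresholds (11 characters, three character classes, an 80% similarity cut-off) are constructed defaults, and a real filter would load large dictionaries.

```python
"""Password policy filter covering the rule categories listed above.

Added example, not code from any product named in the article. The word
list, keyboard rows and substitution table are small constructed samples;
a real filter loads large dictionaries.
"""
import difflib
import re
import string

# Constructed sample dictionary (a real product ships hundreds of thousands of words).
DICTIONARY = {"password", "monkey", "iloveyou", "welcome", "dragon", "summer"}

# Physical keyboard rows, used to spot runs such as "qwerty" or "12345".
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common substitutions, mapped back to the letter they stand in for.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                               "7": "t", "@": "a", "$": "s", "!": "i"})

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def normalize(pw):
    """Lower-case and undo substitutions so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(SUBSTITUTIONS)


def contains_dictionary_word(pw, min_word_len=4):
    """Dictionary/hybrid rule: flag a word appearing forwards or reversed,
    anywhere in the password, after undoing substitutions."""
    norm = normalize(pw)
    return any(len(w) >= min_word_len and (w in norm or w[::-1] in norm)
               for w in DICTIONARY)


def has_keyboard_pattern(pw, run=4):
    """Flag a forward or backward run of `run` adjacent keys from one row."""
    norm = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in norm or seq[::-1] in norm:
                return True
    return False


def has_repeating_pattern(pw):
    """Flag 'aaa'-style runs and immediately repeated blocks like 'monkeymonkey'."""
    norm = pw.lower()
    if re.search(r"(.)\1\1", norm):          # three or more of the same character
        return True
    return re.search(r"(.{3,}?)\1", norm) is not None   # 3+ character block repeated back to back


def too_similar(pw, previous, threshold=0.8):
    """Similarity rule: catch 'password1' -> 'password2' style changes."""
    a, b = pw.lower(), previous.lower()
    stripped = a.rstrip(string.digits)
    if stripped and stripped == b.rstrip(string.digits):
        return True
    return difflib.SequenceMatcher(None, a, b).ratio() >= threshold


def check_policy(pw, previous="", username="", min_length=11, min_classes=3):
    """Return the list of rules the password breaks; an empty list means it is
    compliant. The thresholds are constructed defaults, not a product's settings."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    used = sum(1 for chars in CHARACTER_CLASSES.values() if any(c in chars for c in pw))
    if used < min_classes:
        reasons.append(f"uses {used} character classes, {min_classes} required")
    if username and username.lower() in pw.lower():
        reasons.append("contains the account name")
    if contains_dictionary_word(pw):
        reasons.append("contains a dictionary word (even substituted or reversed)")
    if has_keyboard_pattern(pw):
        reasons.append("contains a keyboard pattern")
    if has_repeating_pattern(pw):
        reasons.append("contains repeated characters or a repeated block")
    if previous and too_similar(pw, previous):
        reasons.append("too similar to the previous password")
    return reasons


if __name__ == "__main__":
    for candidate, prev in [("P@ssw0rd1!", ""), ("Monkeymonkey1!", ""),
                            ("qwerty12345!A", ""), ("Vx7#kLp2@Qz9", "Vx7#kLp2@Qz8"),
                            ("Vx7#kLp2@Qz9", "")]:
        print(candidate, "->", check_policy(candidate, previous=prev) or "OK")
```

Note that "P@ssw0rd1!" passes the Windows built-in complexity rule but fails two of these checks, and that the similarity check only works if the filter is given the previous password at change time, which is why such tools hook the password-change path rather than inspecting stored hashes.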
What happens, though, when users log on to cloud-based applications such as Box, Office 365 or Salesforce.com? What's to stop a user from choosing an insecure password when the only rules that apply are the application's own, outside the reach of the policy controls that stem from Active Directory?
Cloud-Based Single Sign-On Tools
One solution is to use a cloud-based single sign-on service. Services like OneLogin, Symplified and Okta become the authentication provider for a cloud application like Salesforce.com, which then trusts the service's assertion of who the user is instead of keeping its own password for them. The single sign-on service in turn links to Active Directory, so from that point on users log in to the cloud application with their Active Directory username and password, the strength of which is governed by whatever password policies are imposed on Active Directory. This also makes the Active Directory password the key to every connected application, which is all the more reason to enforce the policies described above on it.
These services can also let a company subscribe to a cloud service once and give multiple users access to it. Each user's Active Directory logon is tied to the corporate username and password for the service, and the single sign-on service fills that password in on the user's behalf without ever showing it. Users therefore cannot divulge it to a third party, and when they leave the company their access to the cloud service ends as soon as their Active Directory account is disabled or deleted. That guarantee holds only as long as the shared password never leaves the single sign-on service; if it has ever been passed around by other means, rotate it when staff leave.
Enterprise Password Managers
Since a different secure password for every service is practically impossible to remember, a password manager such as LastPass Enterprise or RoboForm Enterprise can make secure passwords much easier for staff to handle. Essentially a password manager stores passwords and enters them automatically when required, but only after the user has entered a master password to unlock it. That means users need remember only one password, their master password, rather than a number of individual passwords.
In the enterprise editions an administrator can recover a user's vault if the master password is forgotten. That is a deliberate trade-off: a recovery capability exists outside the user's control, so it should be treated as a privileged, audited operation. Additional security can be added by requiring two-factor authentication to unlock the password manager, such as a Yubico YubiKey hardware token or a Toopher location-based authenticator.
Products like LastPass Enterprise and RoboForm Enterprise generate secure random passwords for each new service that requires one, and can impose password policies on those passwords (and on the master password) either through a system administrator console or by inheriting Active Directory password policies.
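To show what "generating a secure password" involves, and to tie it back to the brute-force figures earlier in the article, here is an added example written for this page rather than code from LastPass, RoboForm or any other manager. It draws characters with a cryptographically secure generator, uses rejection sampling to satisfy a character-class policy, and computes the entropy and worst-case exhaustive-search time at the article's assumed rate of one hundred billion guesses per second. The character pool (81 symbols) and policy thresholds are constructed assumptions; the last row of the printed table depends on how many special characters the pool contains, which is why published figures for that case vary.

```python
"""Generate policy-compliant random passwords and estimate brute-force cost.

Added example, not code from LastPass, RoboForm or any other manager. The
100 billion guesses per second figure is the article's attacker model; the
character pool and thresholds are constructed defaults.
"""
import math
import secrets
import string

GUESSES_PER_SECOND = 1e11            # attacker model used in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!#$%&*+-/:;<=>?@^_~",  # constructed pool: avoids quotes and backslash
}


def generate_password(length=16, required=("lower", "upper", "digit", "special")):
    """Draw every character uniformly from the pool with a CSPRNG and reject any
    candidate that misses a required class. Rejection sampling keeps the result
    uniform over compliant passwords, which 'one of each class, then shuffle'
    does not; random.choice() is avoided because it is not cryptographically secure."""
    if length < len(required):
        raise ValueError("length must be at least the number of required classes")
    pool = "".join(CLASSES[name] for name in required)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(c in CLASSES[name] for c in candidate) for name in required):
            return candidate


def entropy_bits(length, pool_size):
    """Entropy of `length` characters drawn uniformly from `pool_size` symbols."""
    return length * math.log2(pool_size)


def seconds_to_exhaust(length, pool_size, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every password of this shape at `rate` guesses/s;
    on average the attacker succeeds after half of it."""
    return pool_size ** length / rate


def human_time(seconds):
    """Render seconds in the nearest convenient unit for the table below."""
    if seconds < 1:
        return "a fraction of a second"
    if seconds < 3600 * 24:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


if __name__ == "__main__":
    full_pool = sum(len(v) for v in CLASSES.values())
    for label, length, pool in [("6 lower case", 6, 26), ("11 lower case", 11, 26),
                                ("11 mixed case", 11, 52),
                                ("11 mixed case + digits + specials", 11, full_pool)]:
        print(f"{label:36} {entropy_bits(length, pool):5.1f} bits  "
              f"{human_time(seconds_to_exhaust(length, pool))}")
    pw = generate_password(16)
    print("generated:", pw, f"({entropy_bits(16, full_pool):.0f} bits)")
```

The entropy figure for a generated password is marginally below `length * log2(pool)` because rejected candidates are excluded, but for 16 characters and four classes the rejection rate is negligible. The time estimates assume an offline attack against a fast hash such as NTLM; a deliberately slow password hash or an online login with lockout reduces the guess rate by many orders of magnitude, but a policy should not depend on that.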
Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.