Out with the Old: It’s Time to Abandon Outdated Active Directory Password “Best Practices”

Did you know that ninety-five percent of Fortune 500 companies rely on Microsoft’s Active Directory for user authentication? That’s right, one of the largest enterprise attack surfaces relies on 90s network architecture including on-premises PCs, applications, servers, and tools.

Over the last 20+ years, we’ve learned a lot of security best practices for Active Directory, such as cleaning up stale objects, removing local admin rights from domain users, locking down service accounts, only granting Domain Admin privileges temporarily per task, and my personal favorite – training users to avoid complex passwords.

Yes, you read that correctly! Many years’ worth of accumulated best practices have mostly helped strengthen Active Directory security, but a few long-standing beliefs about enforcing password policies are actually outdated.

The National Institute of Standards and Technology’s most recent password guidelines recommend against using common practices such as specific complexity requirements and regular password rotation. Why? It’s simple. These requirements make passwords hard for users to remember, which means they’re more likely to use simple passwords or reuse the same password everywhere. We’ve convinced users that all it takes to strengthen a password is adding a number and special character, making them more likely to feel confident in choices like P@ssw0rd! (Spoiler alert: criminals know that one already).

Using a password manager can help people take memory out of the equation, allowing users to set long, randomly-generated passwords without slowing down their online lives. Unfortunately, we live in the real world, where password manager adoption remains pretty low, and it’s not realistic for users to commit hundreds of completely random complex passwords to memory. To change people’s behavior, we have to help them learn how to come up with strong passwords that they can remember.

In with the Passphrases!

The complex passwords people typically come up with are certainly better than simple, easily guessed passwords, but not as good as complex, easy to remember passphrases. There are a number of passphrase generators on the internet, but the basic idea is to pick three seemingly unrelated words, add them together and insert numbers or special characters in between like this:
  • Friday2Cube!movie
  • Death*Jyn.Stardust
  • Matrix6theone/Final

Each of these passphrases is complex and easier to remember than a randomly generated complex password, which is important for usability. Totally random complex passwords are secure, but without a password manager to store them, users are prone to writing them down and leaving them on display on their office desks, or storing them in a digital format somewhere that could be accessed by criminals.

Encouraging users to choose passphrases can help with password security, but it can only go so far. Inevitably, some users will choose easily guessable passwords or just recycle one of their favorites. When it comes to Active Directory security, one of the best things you can do to prevent account takeovers is implement a strong password policy AND stay ahead of criminals with an early breach notification system.

Early breach notification systems alert you when your employees are using compromised password credentials. SpyCloud Active Directory Guardian enables you to screen your AD accounts for any password that has ever appeared in SpyCloud’s breach database of billions of exposed passwords, and detect when employees select passwords that criminals are actively using in credential stuffing and password spraying attacks. You can not only check for AD user credentials that exactly match credentials that have been exposed in a data breach before, but also fuzzy variations of those matches, alignment with NIST password guidelines, and more. The best part is you can remediate breached credentials with zero administrative effort.

Check your own personal account takeover exposure and contact us for a demo of SpyCloud Active Directory Guardian.

Stop exposures from becoming account breaches.