A Better Password Policy in 10 Minutes

We completely understand; you had an audit last year and one of your action plans was to create a more secure password policy because employees were using 1 as their password. Chances are there are also numerous words like “summer,” “password,” and “January” being used in passwords. These are obviously not secure passwords, and you need a quick and easy fix before the next audit.

Implementing a password filter for Windows Active Directory is a quick and easy solution to satisfy the audit requirement. The nFront Password Filter includes numerous features for enhancing Windows Password Complexity. The specific feature you’ll be looking to implement is dictionary checking, also known as password blacklisting. This will prohibit 1 in employee passwords.

Read this article for a detailed guide on how to install the nFront Password Filter software. It is a very straightforward product that is easy to install and maintain.

After the software is installed, you’ll want to begin configuring your password policy. In addition to password blacklisting, we have a few “one-click” password policy options that you may want to review. The two most popular “one-click” password policy options are the Stanford Password Policy and Length-Based Aging. To learn more about these options, please read this article. In summary, the Stanford Password Policy gives end-users control over the password complexity requirements based on the length of the password they select. Length-Based Password Aging allows you to enforce different maximum password ages for different password lengths. Both options reward users for selecting longer passwords. From an IT standpoint, longer passwords are generally more secure than shorter ones. To learn more about password entropy, read this article.

For dictionary checking, we always recommend customizing the word list for your company. For example, you will want to make sure your company name and industry-specific words are included. Our dictionary is very comprehensive, with 27,000+ words; however, many company names are not listed. Read this article on how to customize the dictionary file.

After the software is installed on your domain controller(s), you can easily have a domain-wide password policy configured within approximately 10 minutes if you are selecting a “one-click” password policy and adding your company name and industry-specific words to the dictionary file.

To begin a free trial of the nFront Password Filter software, click here.

nFront Password Filter versus Fine-Grained Password Policies

With fine-grained password policies (FGPP), IT Administrators can create multiple password policies within a single domain. The two enhancements that fine-grained password policies provide are different password policies and different account lockout policies for different sets of users in one Active Directory. For example, a stricter password policy can be created for privileged accounts, a less strict policy for non-privileged accounts, and a final policy for service accounts whose passwords do not expire. Fine-grained policies can be applied to global security groups and to user objects; they cannot be applied directly to an organizational unit. By default, only Domain Administrators can create fine-grained password policies, although this task can be delegated to others. A minimum operating system of Windows Server 2008 is required to use fine-grained password policies, and Windows Server 2012 added a graphical user interface that makes them easier to manage. Lastly, fine-grained password policies do not interfere with a custom password filter.

Similar to Windows fine-grained password policies is the nFront Password Filter, which takes the concept one step further. What separates the nFront Password Filter from fine-grained password policies is the ability to have more customizable options within each password policy. The nFront Password Filter can enforce a longer minimum password length, stop dictionary passwords, require passphrases, stop repetitive sequences, and many more features! This can all be completed while giving users a better password change experience with the nFront Client. IT Administrators notoriously want to enforce longer passwords; however, they are unable to do so with the settings included in Windows password complexity. A supplemental software tool, like the nFront Password Filter, can enforce the longer password length that they are in desperate need of.

There are two different versions of the nFront Password Filter – Single Policy Edition (SPE) and Multiple Policy Edition (MPE). The SPE version gives you a single, granular password policy for all domain users. The MPE version gives you up to ten different password policies with each policy linked to one or more security groups or OUs. The MPE version closely mimics the concept of fine-grained password policies with the ability to have multiple password policies targeting different users in the organization.

Overall, fine-grained password policies are a great technique to segment the organization with different password policies based on certain parameters. However, this alone is not enough for a secure password policy within an organization. Going one step further with a Windows password filter, like the nFront Password Filter, will be what you need for a secure password policy.

5 Minute Guide: Passphrases

Many clients have asked about password best practices and the concept of passphrases. Passphrases are a secure solution to the everyday password problem. End-users are upset when they have to create a longer, more secure password that is difficult to remember, which is what happens when they face the two requirements of using all 4 character sets and a minimum of 15 characters. With passphrases, end-users can create a longer password from common words that is easier to remember.

Using ‘dsquery’ to Identify Accounts Expiring Within a Specified Time

The dsquery command is useful for obtaining information about objects located within an Active Directory environment. With the ability to implement a wide range of filters, this command is beneficial for obtaining specific information. One use case for this tool is to obtain a list of users within a certain OU who have not changed their password within a specified number of days. Using the parameter ‘-stalepwd’, we are able to determine which user accounts have not changed their password in a certain amount of time. Using the known variable of how many days a user has before expiration, we can calculate which users will have to change their password within a specified time frame.

(Allowed expiration time) – (Specified expiration time) = Password age used to search

In this scenario, the environment requires a password change every 45 days. In order to see who will need to change their password in the next ten days, the query should be written to look for accounts who have not changed their password in 35 days.

(45 day expiration policy) – (10 days remaining in results) = Variable of ‘35’ used in the query

To determine the proper syntax for the OU being checked, we can use Active Directory Users and Computers to obtain the distinguished name. Right click the OU, open the properties, select ‘Attribute Editor’, and locate the distinguishedName:

With the distinguished name and ‘stalepwd’ variable now known, we can form our syntax:

dsquery user OU=Finance,DC=xyz,DC=local -o rdn -stalepwd 35

This command will output a list of relative distinguished names in the OU Finance that have not changed their password in the past 35 days:

The results tell us that Bruce and George have not changed their password in 35 days or longer. Under the current 45-day policy, this means that both Bruce and George have 10 days or less before they will need to change their password. It also means that, if a new policy were put in place requiring a password change every 35 days or less, they would be immediately required to change their password.

This syntax is primarily useful during policy development periods with customers who are creating their customized password policies and expiration lengths within the nFront Password Filter and Expiration Service. The expiration service is capable of notifying users with intermittent warnings as they approach their expiration. Using dsquery could help those writing the new customized password policies have an understanding of how many users will be impacted by a policy change based on password age prior to implementing it.
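The arithmetic and the dsquery call from the walkthrough above, wrapped into a reusable forecast as an added example (not part of the original article or of the nFront product); the OU path, the 45-day policy, the bucket sizes and the quoted output format of dsquery are assumptions, and the “password never expires” caveat is an added check.

```powershell
# Added example, not from the original article: wraps "dsquery user ... -stalepwd N"
# so that the (max age) - (days remaining) arithmetic is done once, in code.
# OU path and policy numbers below are assumptions matching the walkthrough.

function Get-StalePasswordUsers {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. OU=Finance,DC=xyz,DC=local
        [Parameter(Mandatory)][int]$StaleDays        # value passed to -stalepwd
    )
    # -limit 0 lifts dsquery's default cap of 100 results; -o samid returns logon names.
    # dsquery prints each name wrapped in double quotes, so strip them.
    & dsquery user $SearchBase -o samid -stalepwd $StaleDays -limit 0 |
        ForEach-Object { $_.Trim().Trim('"') } |
        Where-Object { $_ -ne '' }
}

function Get-PasswordExpiryForecast {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][int]$MaxPasswordAgeDays,   # current policy (45 in the article)
        [int[]]$WindowsInDays = @(10, 20, 30)             # "must change within N days" buckets
    )
    $seen = @()
    foreach ($window in ($WindowsInDays | Sort-Object)) {
        # Same formula as the article: allowed age - days remaining = -stalepwd value
        $staleDays = $MaxPasswordAgeDays - $window
        if ($staleDays -lt 0) {
            Write-Warning "Window of $window days exceeds the $MaxPasswordAgeDays-day maximum; skipped."
            continue
        }
        # -stalepwd N is cumulative ("at least N days"), so subtract the users already
        # reported for the smaller windows to get the ones new to this bucket.
        $users = @(Get-StalePasswordUsers -SearchBase $SearchBase -StaleDays $staleDays)
        $new   = @($users | Where-Object { $seen -notcontains $_ })
        [pscustomobject]@{
            ExpiresWithinDays = $window
            StalePwdArgument  = $staleDays
            CumulativeUsers   = $users.Count
            NewInThisWindow   = $new.Count
            Users             = ($new -join ', ')
        }
        $seen = $users
    }
}

# Usage with constructed values. Caveat: -stalepwd only compares pwdLastSet, so accounts
# flagged "password never expires" are still listed; exclude those before counting impact.
$ou = 'OU=Finance,DC=xyz,DC=local'
Get-PasswordExpiryForecast -SearchBase $ou -MaxPasswordAgeDays 45 | Format-Table -AutoSize

# Impact of a proposed 35-day maximum: everyone returned here would be forced to change at once.
Get-StalePasswordUsers -SearchBase $ou -StaleDays 35
```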

Password Policy Strengthening Options

Humans are very predictable, and unless we are the victim of a substantial data breach, we will probably assume our company’s network is safe and that we are doing a decent job protecting it. Companies may slide by for years and not be on a hacker’s radar; but truth be told, if you are not taking precautions to secure your company’s network, you should be counting down the days until your network is hacked. There are numerous ways a company can be hacked; a few of them are explained here.

Commonly, companies realize that they have weak passwords due to a data breach or results of an IT audit. As we all know, everyone has their own priorities of what he or she thinks is the “right” way to approach an objective. The IT Administrator or Network Manager will have their own ideas of what is the best way to protect the company’s network and the CIO or CISO might have a different idea. Here are a few common ideas that your management will think are appropriate solutions to preventing data breaches due to weak passwords:

• Purchasing a Password Vault Software

• Educating/Training Employees on Password Security

• Using USB Drives for Multifactor Authentication

• Purchasing a Password Filter for Windows AD

All of the above listed options seem like plausible solutions. However, from an IT security standpoint, let me shine some light on each idea that can help you while speaking with your management team on which option will solve your problem of weak, easily hacked passwords.

• A password vault is a great idea and concept. It stores all of your passwords under one single login, and all you have to do is remember the one password that “unlocks the vault.” However, if there is no password policy enforced when creating the master password, then you just made the hacker’s job easier by leaving them only one password to crack.

• Educating and training company employees through seminars is a great way to inform employees of the dangers that are associated with using bad passwords. However, all the seminar actually did for the employees was give them a day off of work. There is nothing in place to make sure that they are not using passwords that are easily hacked. Read this study that shows how password education training has no impact on a user’s password choice.

• Using USB drives and enterprise cards as passwords is a unique idea. The user must have the additional piece of technology to access their computer. However, do you know how easy it is to lose a USB drive? According to ComputerWorld.com, in one year alone, 25,000 USB drives were left in UK and NYC taxis. Help desk calls will be on the rise with an overwhelming number of employees losing their additional piece of technology.

• Purchasing a Windows Password Filter is the most effective way to increase network security. The nFront Password Filter is a guaranteed method to make sure the written password policy you created is actually enforced. Included in the password filter is a dictionary check feature that will check each password created against a file with common, easily hacked passwords. This is fully customizable for your company. A few words included are Password, Summer, and Soccer. None of the previous options can do this.

With the insight I provided, there should be enough educational information to make an informed decision to protect your network.

Yubico’s New USB Security Key Review

Recently, Yubico released a new security key to create a passwordless login for Windows 10. The YubiKey USB key is currently only available for Windows Technology Adoption Program users. Seems like a great idea, right? Wrong.

A passwordless login with a USB key sounds like an easy, secure way to eliminate the use of passwords. Many companies feel that creating passwords is a daunting task for end-users, especially when we suggest creating a password greater than 14 characters to avoid the threat of rainbow tables. Read more information here about rainbow tables and the strategy behind passwords greater than 14 characters. When a potential user of the nFront Password Filter calls to inquire about the software, many times they are frustrated with employees who are creating commonly used passwords that result in the company either being hacked or failing a security audit. Commonly used passwords that are easily hacked are “Password123” and “Summer2018.” Neither of these passwords is secure, yet both are currently allowed by Windows.

With the frustration that occurs when end-users do not create strong passwords, would requiring end-users to keep up with an additional piece of equipment (a YubiKey USB drive) seem like a plausible solution? From my point of view, having end-users keep up with an additional USB key would be a larger concern than enforcing a stronger password policy.

Here are a few online statistics on the loss of USB drives for a one-year duration:

4,500 USB drives were left in UK dry cleaners
17,000 USB drives left in UK laundry mats
25,000 USB drives left in UK and NYC taxis

Furthermore, during a 2 year duration, one US airport reported over 1,400 badges that were either lost or stolen. If we’re looking at the concept of an employee not being able to create a password that isn’t “Password123” and “Summer2018,” are you sure that they will be able to keep up with a USB drive?

Another downfall of USB drive authentication is that, as technology advances, not all computers and devices have USB ports.

Passwords have been around for longer than any of us have been alive, yet many people want to find a loophole around having to use a password. Whether it is an external USB/smartcard login or biometrics, these can both be easily hacked. Read more about biometrics here. The key to a secure network is secure passwords. Secure passwords require one key concept – entropy. A longer password of 15 characters, even with just basic alphanumeric characters, is more secure than a shorter password with all four character types.

Bottom Line: Passwords aren’t going away anytime soon. Therefore, companies that are looking for shortcuts with passwords will most likely end up disappointed when their new approach does not work.

Stanford Password Policy Explained

Back in April 2014, Stanford University created a password policy which let end-users determine the level of complexity for their own password. Shorter passwords will result in an end-user using more character types and longer passwords will result in an end-user using fewer character types.

Here is the breakdown of the Stanford Password Policy:

8-11 character passwords require the use of upper case, lower case, numeric, and special characters

12-15 character passwords require the use of upper case, lower case, and numeric characters

16-19 character passwords require upper and lower case characters

20+ characters require lower case characters

Stanford University reports that passwords over 20 characters are the gold standard and offer the most protection for your account. Longer passwords are more secure and take hackers longer to obtain. Due to brute force attacks and rainbow tables, passwords need to be a minimum of 15 characters in length. For more information about how passwords get hacked, read more here.

Furthermore, because passwords greater than 15 characters do not require numeric or special characters, passwords that are compliant with the Stanford Password Policy are easily entered on mobile devices. There is no need to switch between keyboards on a mobile device to enter numeric or special characters.

Stanford University also recommends an easy way to create a password: think of four common words and place them together (paper watermelon purse bike). Put together with spaces, these four words are 27 characters; without spaces, 24 characters. At nFront Security, we recommend that our customers use dictionary checking for their password policy, since most hacked passwords include a common dictionary word. However, we also offer a feature in the nFront Password Filter to disable dictionary checking for passwords longer than a designated character length. From research, it is safe to disable dictionary checking for passwords that are longer than the length targeted by brute force and rainbow table attacks. We recommend disabling it for passwords of 15 characters or longer to promote the use of passphrases.

Using the nFront Password Filter, there is a single checkbox option for enforcing the Stanford Password Policy. All you will need to do is select the box that reads “Enforce Stanford Password Policy” and the policy will be effective for your entire Active Directory.

Using the Stanford Password Policy is a secure and easy way to ensure that your network is protected and end-users are creating smart password choices. Implement today with one easy step!

How Does the nFront Password Filter Client Work?

Prospective customers interested in the nFront Password Filter commonly ask to see how the Client works. The nFront Client provides a user-friendly interface for end-users when they need to change their password. When the nFront Client appears, the end-user’s password policy is displayed on the screen with a custom strength meter. The most exciting part of the nFront Client is the detailed feedback an end-user receives when changing their password. For example, if the word “Soccer” is in the company’s dictionary file for password blacklisting and the end-user enters “Soccer123” as their new password, the nFront Client will display a message stating that the password failed due to the dictionary word “Soccer.” Furthermore, if a special character is required and the end-user creates a password without one, the nFront Client will display a detailed message letting the end-user know that a special character is required for their password. All of this can be seen in the below GIF of the nFront Client:

One of the most important reasons why a company would want the nFront Client is to eliminate end-user pushback against a more secure password policy. If an end-user has been getting by for years with Windows Password Complexity password requirements, they are accustomed to creating “Password123” and “ILoveFootball!” as passwords. However, those passwords will no longer be in compliance with the more secure password policy. To eliminate help desk calls and more work for the IT Department, the nFront Client solves it all! The end-user will know exactly what their password policy is and why their selected password does not meet requirements if they do not select a password in compliance with your company’s policy.
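An added example (not nFront’s code or the original article’s) that implements the length tiers from the Stanford breakdown above together with a dictionary check and its 15-character exemption, and returns the kind of per-rule feedback the nFront Client is described as showing. The word list, the 8-character minimum, the regular expressions for each character class and the sample passwords are constructed assumptions.

```powershell
# Added example, not nFront's code: Stanford length tiers + dictionary blacklist
# with the 15-character exemption, returning one reason per failed rule.
# Word list, minimum length and sample passwords are constructed assumptions.

$script:Blacklist = @('password', 'summer', 'soccer', 'january', 'football')  # constructed subset
$script:DictionaryExemptLength = 15   # article: skip the dictionary check at 15+ characters

function Get-RequiredCharacterClasses {
    param([Parameter(Mandatory)][int]$Length)
    # Stanford tiers: the longer the password, the fewer character classes are required.
    if ($Length -ge 20) { return @('lower') }
    if ($Length -ge 16) { return @('lower', 'upper') }
    if ($Length -ge 12) { return @('lower', 'upper', 'digit') }
    return @('lower', 'upper', 'digit', 'special')   # 8-11 characters
}

function Test-StanfordPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$Dictionary = $script:Blacklist,
        [int]$MinimumLength = 8
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    if ($Password.Length -lt $MinimumLength) {
        $reasons.Add("Password must be at least $MinimumLength characters (got $($Password.Length)).")
    }

    # Character-class checks for the tier this length falls into.
    $classPatterns = @{
        lower   = '[a-z]'
        upper   = '[A-Z]'
        digit   = '[0-9]'
        special = '[^a-zA-Z0-9]'
    }
    foreach ($class in (Get-RequiredCharacterClasses -Length $Password.Length)) {
        if ($Password -cnotmatch $classPatterns[$class]) {
            $reasons.Add("A $class character is required for passwords of length $($Password.Length).")
        }
    }

    # Dictionary (blacklist) check, skipped for long passwords so passphrases are allowed.
    if ($Password.Length -lt $script:DictionaryExemptLength) {
        foreach ($word in $Dictionary) {
            if ($Password -imatch [regex]::Escape($word)) {
                $reasons.Add("Password failed due to the dictionary word '$word'.")
            }
        }
    }

    [pscustomobject]@{
        Password = $Password
        Length   = $Password.Length
        Accepted = ($reasons.Count -eq 0)
        Reasons  = $reasons.ToArray()
    }
}

# Constructed samples: each exercises one rule from the article.
#   Soccer123 / Password123   -> no special character, plus a dictionary word
#   Summer2018!!              -> 12 characters: classes satisfied, but 'summer' is blacklisted
#   SummerFootball2018        -> 18 characters: dictionary check skipped, accepted
#   paper watermelon purse bike -> 27 characters: lower case only is enough, accepted
@('Soccer123', 'Password123', 'Summer2018!!', 'SummerFootball2018', 'paper watermelon purse bike') |
    ForEach-Object { Test-StanfordPassword -Password $_ } |
    Format-List Password, Length, Accepted, Reasons
```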

Are you wanting to see this work LIVE on your company’s network? Give the nFront Password Filter a try with a free 30 day trial of the software!

For any further questions about the software, please visit our website or contact our Sales Department.

How To Smoothly Implement A Strong Password Policy

Changing your company’s password policy can create a high level of apprehension for the IT department as well as management, especially when the password policy will become more restrictive for end-users. Your company’s management team will have the primary concern of how to deploy a new software tool effectively to the entire network, while your IT helpdesk will have the primary concern of how to implement a new tool without upsetting the end-users and causing extra work for their department. Upset end-users will create a higher volume of helpdesk calls, resulting in more work for the IT helpdesk. At nFront Security, we’re here to let you know there are ways to mitigate the level of apprehension with an effective deployment plan. If your company plans appropriately, the transition from Windows Password Complexity to a Windows Password Filter, like the nFront Password Filter, will be seamless and stress-free.

First, let’s discuss the reasons why it is important to transition from Windows Password Complexity to a Windows Password Filter.

1. Blacklist Commonly Used Passwords – Microsoft Password Complexity allows commonly used words like Password, Summer, and Football in passwords. These are very weak words that will result in passwords being breached. These commonly used words, along with your company name, need to be prohibited from end-user passwords.

2. Meeting Compliance Standards – Microsoft Password Complexity does not have many of the requirements that are needed for compliance audits. The nFront Password Filter has one click compliance settings for certain compliance audits.

To smoothly implement a better password policy without upsetting end-users and causing unneeded stress for your IT department, here are two easy steps:

1. You will need to segment your end-users into groups and/or OUs. It is likely that you already have groups set up for file and print sharing. I would recommend segmenting based on their security level and type of account. For example, I would recommend, at a minimum, having three different OUs: privileged accounts, non-privileged accounts, and service accounts. Your privileged accounts OU will mainly consist of your IT Department, who have access to your company’s network. The non-privileged accounts OU will be all other employees who do not have access to the company’s network and secure information. This OU can be split further for larger companies, as explained in the note below. Lastly, the service accounts OU is self-explanatory. All service accounts in your Active Directory should be included in this OU.

Note: If you are wanting to further segment your company’s non-privileged accounts OU, I would recommend segmenting by department. For example, you can place the Human Resources department in one OU and your Accounting department in another OU. This strategy will help deploying the nFront Password Filter more slowly and smoothly across different departments.

2. Once all groups and/or OUs have been defined, you can now begin planning for the staged deployment plan. You will want to determine which OUs will be affected by the new password policy on which date. For example, on the first week of the deployment, you will need to determine which groups and/or OUs you wish to deploy the new password policy to. Then, you will also need to determine which time interval you feel comfortable with for the next group and/or OU to be affected by the nFront Password Filter.

Here is an example plan for a school district:

August 6, 2018: Deploy the nFront Password Filter to all privileged accounts (IT Department)

August 13, 2018: Deploy the nFront Password Filter to all service accounts

August 20, 2018: Deploy the nFront Password Filter to the County Office OU

August 27, 2018: Deploy the nFront Password Filter to the Local School Administration OU

September 3, 2018: Deploy the nFront Password Filter to the Teachers OU

At this point, you will want to continue with any Groups and/or OUs that the software has not been deployed to.

The purpose of spreading out the deployment of the nFront Password Filter is to ease any stress that the new password policy might place on your company’s help desk. There will not be an overwhelming number of calls and/or emails if there is any confusion about the new password policy.

For help with a deployment plan or any questions about the nFront Password Filter, please visit our website.

NCSC Password Guidance and Recommendations

The NCSC (National Cyber Security Centre) provided guidance for Systems Administrators to simplify their approach to passwords. This guidance is not mandatory, but rather a set of recommendations to eliminate the risk of breaches due to weak passwords on a company network. Furthermore, NCSC’s guidance is intended to reduce the daunting task of users having to recall complex password requirements. From an initial standpoint, NCSC’s guidance resembles NIST compliance. The general concept of NIST compliance is to eliminate complex passwords by requiring longer passwords. In other words, they would prefer users to create a password like I ate watermelon for breakfast rather than monkey#BUSINESS!57. For more information about NIST, click here.

For background, NCSC is a part of GCHQ (Government Communications Headquarters). GCHQ partners with the Secret Intelligence Service (MI6) and MI5. The ultimate goal of both NCSC and GCHQ is to keep people safe.

The NCSC password security guidance begins with how passwords are cracked. According to NCSC, passwords are cracked by: interception, brute force, searching, stealing passwords, manual guessing, shoulder surfing, social engineering, and key logging. Here are descriptions for what each method means:

  • Interception: A hacker can intercept a password as it is being transmitted across a network.
  • Brute Force: A hacker uses software that automatically guesses millions of passwords until the correct password is found or the list is exhausted.
  • Searching: A hacker can search the IT infrastructure for stored password information.
  • Stealing Passwords: A hacker uses password information that is stored insecurely. For example, a password might be written on a notecard next to a computer.
  • Manual Guessing: A hacker would guess passwords until the correct password is found. Usually, personal information and commonly hacked passwords are used for the guessing tactics.
  • Shoulder Surfing: A hacker would watch a user as the password is typed into the computer.
  • Social Engineering: A hacker would use tactics to trick a user into revealing their password. An example of this would be a phishing attempt via email.
  • Key Logging: A hacker would install a device which intercepts the password as it is typed into the computer.

Finally, the NCSC provides guidance on how to improve your company’s system security. Here are a few key tips for success:

  • Blacklist commonly used passwords.
  • Monitor failed login attempts and have a procedure in place to report any abnormal activity.
  • Prioritize passwords for administrator and remote user accounts.
  • Never store passwords in plain text format.
  • Change default vendor supplier account passwords before new software is deployed.
  • Use account lockout features to prevent brute force password attacks.

Many of these tips can be easily achieved with internal systems as well as with a Windows Password Filter, more specifically the nFront Password Filter.