The National Institute of Standards and Technology (NIST) regularly publishes password security guidelines that we can refer to when improving password security. Some of these recommendations differ from what we usually think of as good password practice; for example, the NIST guidelines favour long passphrases over short, complex passwords because length contributes more to security than complexity rules do.
End-user passwords are the weakest part of the overall security protocol, and most users tend to reuse passwords between work and personal accounts.
They may also choose relatively weak passwords that, while meeting the requirements of the company’s password policy, are easily guessed or brute-forced, and users may unknowingly choose passwords for their company accounts that have already appeared in a data breach.
NIST has a cybersecurity framework that helps organizations address common cybersecurity vulnerabilities in their environments, including weak passwords, reused passwords, and passwords that violate password rules. This article will take a closer look at the NIST password guidelines and learn how to effectively audit password policies to ensure they meet NIST-recommended standards.
NIST Password Guidelines and Best Practices
Specific guidance on passwords is covered in the section titled “Memorized Secret Verifiers”, where NIST makes the following recommendations for password management:
1. User-chosen passwords must be at least 8 characters long;
2. All printable ASCII characters, including spaces, should be accepted;
3. If the service provider randomly generates the password, it must be at least 6 characters long;
4. Passwords should be compared against lists of commonly used, expected, or compromised passwords.
What counts as a commonly used, expected, or compromised password?
1. Passwords that have appeared in previous breaches;
2. Dictionary words;
3. Sequential or repeated characters;
4. Context-specific words (including usernames, business names, etc.).
NIST also recommends the following additional password security mechanisms:
1. Rate-limit failed login attempts;
2. Do not force users to change their passwords after an arbitrary number of days;
3. Force a password change if there is evidence that the account password has been compromised (that is, the password has been leaked);
4. Provide users with guidance on the specific password policy requirements.
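The rules above describe what a password verifier should check. The following function is an added example written for this article, not NIST's or Specops' code: it applies the length, character-set and blocklist checks to a candidate password. The breach list, dictionary and context words passed in at the bottom are constructed sample data, not a real corpus.

```powershell
# Added example: apply the NIST memorized-secret checks listed above to one password.
function Test-NistMemorizedSecret {
    param(
        [Parameter(Mandatory)] [string]   $Password,
        [string[]] $BreachedList    = @(),   # previously breached passwords
        [string[]] $DictionaryWords = @(),   # plain dictionary words
        [string[]] $ContextWords    = @()    # usernames, company name, product names
    )
    $reasons = [System.Collections.Generic.List[string]]::new()

    # Rule 1/2: at least 8 characters; any printable ASCII (spaces included) is allowed
    if ($Password.Length -lt 8) { $reasons.Add('shorter than 8 characters') }
    if ($Password -notmatch '^[\x20-\x7E]+$') { $reasons.Add('contains non-printable or non-ASCII characters') }

    $lower = $Password.ToLowerInvariant()

    # Rule 4a/4b: exact matches against breach and dictionary lists (-contains ignores case)
    if ($BreachedList -contains $lower)    { $reasons.Add('appears in breach list') }
    if ($DictionaryWords -contains $lower) { $reasons.Add('is a dictionary word') }

    # Rule 4c: three or more repeated characters, e.g. "aaa"
    if ($lower -match '(.)\1{2,}') { $reasons.Add('has 3+ repeated characters') }

    # Rule 4c: four or more sequential characters, e.g. "1234" or "abcd"
    $run = 1
    for ($i = 1; $i -lt $lower.Length; $i++) {
        if (([int]$lower[$i] - [int]$lower[$i - 1]) -eq 1) { $run++ } else { $run = 1 }
        if ($run -ge 4) { $reasons.Add('has 4+ sequential characters'); break }
    }

    # Rule 4d: context-specific words anywhere inside the password
    foreach ($w in $ContextWords) {
        if ($w -and $lower.Contains($w.ToLowerInvariant())) { $reasons.Add("contains context word '$w'") }
    }

    [pscustomobject]@{ Acceptable = ($reasons.Count -eq 0); Reasons = $reasons.ToArray() }
}

# Constructed sample input: 'Contoso2019' passes the length rule but fails the context check.
$sample = Test-NistMemorizedSecret -Password 'Contoso2019' `
    -BreachedList @('password', '123456', 'qwerty') `
    -DictionaryWords @('welcome', 'summer') `
    -ContextWords @('contoso', 'jsmith')
$sample | Format-List
```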
Audit Active Directory Password Policy
Today, most enterprise organizations use Microsoft Active Directory as their centralized identity source and access management solution. Many of them rely on the built-in Active Directory password policy provided by Group Policy, which offers the basic settings for creating password policies in an Active Directory environment as part of the Group Policy Account Policies.
The following is an example of a Default Domain Policy configured with the default password policy settings, including:
1. Maximum password age;
2. Minimum password age;
3. Minimum password length;
4. Password must meet complexity requirements.
Default Domain Policy Password Policy
As you can see in the “Password Policy” properties, there is no built-in way to detect breached passwords or to upload a password list file for use as a custom dictionary. According to the NIST recommended password guidelines, this policy is therefore not NIST compliant.
What if you have many different password policies, and possibly many different password settings and configurations? How do you effectively audit Active Directory password policies to see how they meet the recommendations of NIST and other standards?
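One way to answer that question from the command line, as an added example that is not part of the original article and not Specops code: read the Default Domain Policy and every fine-grained password policy with the ActiveDirectory PowerShell module and score each one against the NIST points the article lists. It assumes the module is installed and the session has read access to the domain; it also assumes Active Directory reports "password never expires" as a MaxPasswordAge of 00:00:00.

```powershell
# Added example: audit Active Directory password policies against the NIST points above.
Import-Module ActiveDirectory

function Test-NistPasswordPolicy {
    param([Parameter(Mandatory)] $Policy, [Parameter(Mandatory)] [string] $Name)
    $findings = [System.Collections.Generic.List[string]]::new()

    # NIST: minimum length of at least 8 characters
    if ($Policy.MinPasswordLength -lt 8) {
        $findings.Add("MinPasswordLength $($Policy.MinPasswordLength) is below 8")
    }

    # NIST: no forced periodic change (assumption: AD reports no expiration as 00:00:00)
    if ($Policy.MaxPasswordAge -ne [TimeSpan]::Zero) {
        $findings.Add("MaxPasswordAge forces rotation every $($Policy.MaxPasswordAge.Days) days")
    }

    # NIST: rate-limit failed logins; LockoutThreshold 0 means unlimited guesses
    if ($Policy.LockoutThreshold -eq 0) {
        $findings.Add('LockoutThreshold 0: failed logons are not rate limited')
    }

    [pscustomobject]@{
        Policy       = $Name
        SettingsPass = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
        # Group Policy has no breached-password or custom dictionary check, so this
        # NIST item cannot be satisfied by the built-in policy at all
        DictionaryCheck = 'not available in Group Policy'
    }
}

$results = @()
$results += Test-NistPasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy) -Name 'Default Domain Policy'
foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
    $results += Test-NistPasswordPolicy -Policy $fgpp -Name $fgpp.Name
}
$results | Format-List
```

Each policy that keeps a maximum password age, allows short passwords or has no lockout threshold shows up with a finding; the dictionary gap is reported for every policy because Group Policy has no setting for it.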
Use the Specops Password Auditor tool to benchmark against NIST standards
What if you had a tool that provided visibility into all Active Directory password policies and how those policies align with leading industry standards? Specops Password Auditor is a tool that not only lets you quickly find dangerous passwords in your Active Directory environment, but also lets you audit existing password policies against leading cybersecurity standards to check compliance with them.
As you can see, the Specops Password Auditor tool allows you to quickly view dangerous passwords in your organization’s Active Directory environment, for example:
1. Breached passwords;
2. Identical passwords;
3. Stale administrator accounts;
4. Password policy usage;
5. Password policy compliance.
Specops Password Auditor
Specops Password Auditor’s Password Policy Compliance report compares settings in existing Active Directory password policies to the following standards:
You can quickly see whether your existing password policies meet the requirements of the various cybersecurity standards, which removes much of the burden on IT or security administrators when auditing security policies against frameworks such as NIST. As you can see, the cloud.local policy is not NIST compliant.
Specops Password Auditor Password Policy Compliance Report
If you click on the “red box” under NIST to view a specific domain password policy, you’ll see why that policy doesn’t meet specific criteria. We see that both the minimum length and dictionary settings fail.
Compare your password policy to NIST standards
Using Specops Password Auditor and Specops Password Policy
With Specops Password Auditor, you get a clear view of how your Active Directory password policies compare with industry cybersecurity standards. With Specops Password Policy, you can implement more advanced Active Directory password policy configurations, including custom dictionary files and breached password protection.
Maintaining visibility and compliance of your Active Directory environment against recommended cybersecurity best practices such as NIST is a great way to enhance the security of your environment. NIST is a well-known industry-standard cybersecurity framework that provides sound guidance on password security.
Most businesses today use Active Directory password policies in their environment. Auditing password policies against NIST standards helps to see all aspects of existing policies that may need to be revisited.
Specops Password Auditor makes password security auditing very easy: it automatically extracts all settings of the existing password policies in the environment and compares them with industry-standard cybersecurity frameworks such as NIST. Specops Password Policy can then implement NIST recommendations and other controls, such as custom dictionaries and breached password protection.