Password Tips for Businesses

This year Microsoft made a very public statement that it is fundamentally changing how passwords work in Microsoft Windows 10 going forward. Most significant is that it is dropping the password expiration recommendation. This brings its recommended policies closer to what NIST has also published on this topic. These changes bring a collective sigh of relief from the many end-users who are vexed when they see the dreaded “you must change your password in 14 days”…13 days…11 days… Previously, a missing expiration policy was seen as ‘low hanging fruit’ for any IT consultant performing a security audit: an easy finding that the business does not force its users to change their passwords.

There are many reasons for the recent change in direction by both Microsoft and NIST. But the biggest reason, I propose, is that the threats to passwords have fundamentally changed in recent years compared to the past. There is a good chance your email account is already known to hackers, and, moreover, your password is known to them as well. As of today over half a billion unique passwords have been compromised, and hacking or compromising a password is far easier than it has ever been.

The biggest thing these shifts by Microsoft and NIST demonstrate is that ‘good enough’ approaches to security simply aren’t. Arbitrarily forcing users to change their passwords doesn’t make them more or less secure. It has been argued that it often makes them less secure, as users work harder to find ways to remember their passwords. Is ‘Th0rsHammer2’ any more secure than ‘Th0rsHammer1’? Likely not, but research consistently shows that is exactly what happens.

Let’s step back and understand why we even consider changing passwords frequently. The fundamental reason is that the password becomes exposed, known to bad actors. The theory used to be that exposure was unlikely, but just in case, changing passwords frequently would reduce the impact. Nowadays we know better: it isn’t a question of “if” but “when”. And the follow-up question is, once your password is compromised, how long do the bad guys need? Even the half-life of the typical 90-day forced password change is 45 days, more than enough to do damage.

The new model focuses on two elements:

  1. End-user education: This primarily focuses on identifying threat vectors such as phishing attempts, but also on how to choose a good password and avoid password reuse.
  2. Detection of compromise: This one is more technologically involved. It basically requires advanced threat detection to identify potentially compromised accounts or servers, and then uses that signal to force a password change.


Recommended Action Items for SOHO (Small Office, Home Office)

  1. End-user education: Ensure that end-users receive training on how to identify and avoid phishing emails, how to choose a good password, and that business and personal passwords should never be the same.
  2. Ensure that every computer has a password required to log in — no accounts should be password exempt.
  3. Consider using a password manager like LastPass which will help create and manage your passwords. That way you can have unique passwords for every account.
  4. Consider using a Two-Factor Authentication (2FA) system whenever possible such as Microsoft Authenticator.
  5. Use OpenDNS which provides a basic level of threat protection for employee website activity.
  6. Pay attention to data breaches of large companies. Consider forcing password resets when such an event occurs, because there is a high likelihood your users are sharing the same password between such large companies (LinkedIn, Yahoo, etc.) and your network.

Recommended Action Items for Small Business (10-50 employees)

  1. End-user education: Ensure that end-users receive training on how to identify and avoid phishing emails, how to choose a good password, and that business and personal passwords should never be the same. Train on using password managers instead of sticky notes or Excel files with passwords written out in plain text.
  2. All systems should be domain-joined with password policies in place, ensuring that all accounts have strong and long passwords. Remove your forced periodic password reset policy.
  3. Audit your existing use of role accounts, automatic login accounts, shared accounts, etc. Whenever possible eliminate such accounts so there is a one-to-one audit trail back to a specific user. When role or shared accounts are needed, they should generally have far fewer rights than normal users, and policies need to be in place to reset this upon any employee change.
  4. Consider using a password manager like LastPass which will help create and manage your passwords. That way you can have unique passwords for every account. Professional versions permit the ability to share passwords when needed.
  5. Consider using a Two-Factor Authentication (2FA) system whenever possible such as Microsoft Azure AD MultiFactor Authentication.
  6. Use OpenDNS which provides a basic level of threat protection for employee website activity.
  7. Pay attention to data breaches of large companies. Consider forcing password resets when such an event occurs, because there is a high likelihood your users are sharing the same password between such large companies (LinkedIn, Yahoo, etc.) and your network.


Recommended Action Items for Medium Business (51+ employees)

  1. All the items listed for Small Business PLUS:
  2. Ensure all public-facing websites exposing corporate resources (webmail, website, extranet, client portals, etc.) are protected by technologies such as a WAF, Fail2Ban, and similar controls. Place those resources in your DMZ, which is isolated from your local network and uses completely different administrative credentials.
  3. Implement outbound traffic filtering, including DLP (Data Loss Prevention), Advanced Threat Protection and Content Filtering.
  4. Consider implementing password auditing tools which compare your network passwords against known password breaches.
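As an added illustration (not code from the original post or from any named product), the following Python shows the two checks behind the breach-auditing item above and the ‘Th0rsHammer1’ to ‘Th0rsHammer2’ problem discussed earlier: a breach lookup that uses only the first 5 hex characters of the SHA-1 hash to select a range (the k-anonymity style used by public breached-password services), and a test for trivially incremented passwords. The breach corpus is a small constructed sample table built inline, not a real breach list.

```python
import hashlib
import re

# Constructed sample corpus: password -> number of times seen in breaches.
# Stand-in for a real breached-password list, used only to build the table.
SAMPLE_BREACH_CORPUS = {"password": 3000000, "123456": 20000000, "Th0rsHammer1": 12}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key format used by range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(corpus: dict) -> dict:
    """Group corpus hashes by their first 5 hex chars; each entry is 'SUFFIX:COUNT'."""
    table = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = build_range_table(SAMPLE_BREACH_CORPUS)


def breach_count(password: str, table: dict = RANGE_TABLE) -> int:
    """Return how often `password` appears in the corpus (0 if never).
    Only the 5-char prefix selects the range, so neither the password nor its
    full hash has to leave the caller when the table lives on a remote service."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in table.get(prefix, []):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only case or trailing digits/symbols changed,
    e.g. Th0rsHammer1 -> Th0rsHammer2, the pattern forced rotation tends to produce."""
    def core(s: str) -> str:
        return re.sub(r"[\d!@#$%^&*._-]+$", "", s).lower()
    return core(old) == core(new)


def accounts_needing_reset(passwords: dict) -> list:
    """Audit {account: password} and list the accounts whose password is breached."""
    return sorted(acct for acct, pw in passwords.items() if breach_count(pw) > 0)
```

At password-change time both checks apply: reject the new password if `breach_count` is non-zero or if it is a trivial variant of the old one.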


The above lists are based purely on password-related security; there are many additional security matters in general which any business should have professionally assessed.