Passphrases: Why Should I Care?

Longer passwords are stronger passwords; it really is just math. The comic below illustrates the point. Stronger passwords are harder to crack yet easier to remember, so they increase security while improving end-user productivity and satisfaction.

The following image is from XKCD (http://xkcd.com/936/):

Specops Password Policy and Specops Password Reset

Specops Password Policy (SPP) has been updated to support passphrases. This feature is simple for both the administrator and the end-user. Specops Password Policy continues to leverage great technologies, such as Group Policy and Active Directory, and remains committed to providing best-of-breed solutions that do not require additional infrastructure components.

Admin Experience

The administrator uses Group Policy to configure SPP. The Group Policy snap-in provides an intuitive, simple experience for authoring rules that meet your organization’s needs.

When the admin chooses ‘Configure Password Policy’, they are taken through a logical flow that collects the information needed for the policy.

An administrator can choose to only support traditional passwords, longer and more secure passphrases, or both.

Some settings apply to both Password Rules and Passphrases. These are authored on the ‘General Settings’ tab, which contains many useful options, one of which is the ‘Client Message’. This lets the admin choose how information is presented to a user attempting to change their password. If there are too many rules to comply with, the default Windows secure desktop can look a little crowded; with this capability the admin can provide clear and concise guidance so end-users understand exactly what they need to do.

Password rules are the natural evolution of complexity requirements. Specops Password Policy takes them to a whole new level by providing more control over complexity requirements. How many uppercase characters? How many lowercase? No Unicode? Simple, intuitive, and built to ensure that administrators can address their password needs easily. Some examples of strong passwords (maybe):

  • $dTvk@la
  • Abcd1234!
  • P@ssw0rd!
  • S6od@^ln

Some of these may be quite secure, but others are easily found through dictionary attacks. The two simple ones are most likely in the password lists that attackers use when running dictionary attacks against vulnerable directories.

Passphrases are really about being easy to remember. The math tells us that the longer the password, the stronger the password. Remember, a passphrase is just a password; the term only differentiates the two styles. As far as Active Directory is concerned, there is no difference. Some examples of good passphrases are (depending on rules):

  • This is an @mazing pa33word!
  • IThinkChopinIsTheBest
  • My new password, P@ssw0rd, is very strong!
  • Chocolate newt sloth envy picture honeypot?

End User Experience

When the end user changes their password either natively or through Specops Password Reset, the experience is intuitive. If an administrator chooses to allow traditional passwords and passphrases, the end-user will be presented with a choice. The user can go back and forth between the rules for passwords and the rules for passphrases.

For a Password Reset, the user will be presented with challenge/response questions or sent a code to a registered mobile device.

The next step is to create a new password. The user can move between the rules for passwords and the rules for passphrases. Once the user complies with either set of rules, that password will be accepted.
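The two ideas on this page, the strength comparison between the short "complex" passwords and the longer passphrases listed above, and the "either rule set is accepted" behaviour just described, as an added Python example. This is illustrative code written for this article, not Specops' implementation: the rule thresholds, the class sizes, the 7776-word list size and the small breached-password list are all assumptions, and the sample strings are the ones from the lists above.

```python
import math

# Character classes and the alphabet size each contributes to a brute-force search.
# "symbol" covers the 32 printable ASCII punctuation characters plus the space.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

# Constructed stand-in for a breached/common-password list. A real deployment
# would check against a full compromised-password corpus; these entries are
# illustrative only.
BREACHED = {"P@ssw0rd!", "Abcd1234!", "password", "123456", "qwerty"}

# Hypothetical rule sets: a user may satisfy either the password rules or the
# passphrase rules. The thresholds are assumptions for this example.
PASSWORD_RULES = {"min_length": 8, "min_classes": 3}
PASSPHRASE_RULES = {"min_length": 20}


def classes_present(secret):
    """Return the set of character classes that appear in the secret."""
    present = set()
    for ch in secret:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        else:
            present.add("symbol")
    return present


def brute_force_bits(secret):
    """Bits of work for an attacker who brute-forces every character position
    over the classes actually present (the 'longer is stronger' math)."""
    if not secret:
        return 0.0
    alphabet = sum(CLASS_SIZES[c] for c in classes_present(secret))
    return len(secret) * math.log2(alphabet)


def word_bits(passphrase, wordlist_size=7776):
    """Bits of work if the attacker guesses whole words from a list of
    wordlist_size entries (the XKCD-style model; 7776 is a Diceware-sized list)."""
    return len(passphrase.split()) * math.log2(wordlist_size)


def evaluate(secret):
    """Apply the breach check first, then accept if EITHER rule set is met."""
    if secret in BREACHED:
        return {"accepted": False, "satisfied": [],
                "reason": "found in breached-password list"}
    satisfied = []
    if (len(secret) >= PASSWORD_RULES["min_length"]
            and len(classes_present(secret)) >= PASSWORD_RULES["min_classes"]):
        satisfied.append("password")
    if len(secret) >= PASSPHRASE_RULES["min_length"]:
        satisfied.append("passphrase")
    if not satisfied:
        return {"accepted": False, "satisfied": [],
                "reason": "meets neither rule set"}
    return {"accepted": True, "satisfied": satisfied,
            "reason": "satisfies " + " and ".join(satisfied) + " rules"}


if __name__ == "__main__":
    # Sample inputs: the password and passphrase examples from the article.
    samples = ["$dTvk@la", "Abcd1234!", "P@ssw0rd!", "S6od@^ln",
               "This is an @mazing pa33word!", "IThinkChopinIsTheBest",
               "My new password, P@ssw0rd, is very strong!",
               "Chocolate newt sloth envy picture honeypot?"]
    for s in samples:
        verdict = evaluate(s)
        print(f"{s!r:48} brute={brute_force_bits(s):6.1f} bits "
              f"words={word_bits(s):5.1f} bits  {verdict['reason']}")
```

Running it shows the point of the article in numbers: the six-word passphrase scores about 77 bits even under the pessimistic word-guessing model, versus about 51 bits for the eight-character "$dTvk@la" under full brute force, and the two simple passwords are rejected outright by the breach list before any rule is consulted. Note that the breach check here is an exact match, so "My new password, P@ssw0rd, is very strong!" passes even though it embeds a listed entry; a production check would also look for listed strings as substrings or tokens.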

Specops Password Policy and Specops Password Reset come together to provide an experience where security can be increased while simultaneously improving end-user productivity.

(Last updated on February 5, 2021)
