Five strategy recommendations for planning a password policy
An Active Directory full of strong, non-compromised passwords should be an essential cybersecurity goal for every organization. A clearly articulated and enforceable password policy strategy is the best way to put this into practice. However, it’s important to tailor your password policy to align with your organization’s broader mission, objectives, and the principles of managing information risks and conducting business within your sector.
Each business is different, yet the common, fundamental aim for any password policy is clear: ensuring the security of your Active Directory against weak, exposed, or compromised passwords. Beyond this, the criteria for what constitutes a ‘good’ policy may vary from one organization to another. To refine your policy so that it meets your specific organizational requirements, some strategic thinking is required before rolling out a new password policy.
These five strategy recommendations come from our recent report: ‘How to deploy a password policy in Active Directory: End-to-end guide’. As well as planning tips, you’ll get a walkthrough on how to set up key components of the policy within Active Directory, advice for a smooth deployment, and guidance on end user communication. Download the full report here.
1. Consider any existing commitments around passwords
There might be some existing commitments you need to account for. For example, consider what’s outlined in existing customer and business partner agreements. It’s also crucial to evaluate your internal standards that dictate what constitutes a reasonable password. Ensure that the language regarding policies in your employee handbook or other corporate documents is consistent with your newly established password policy.
Making these kinds of assessments will probably lead you to adjust and refine your planned password policy. This helps to make sure your policy aligns with your organization’s specific needs, rather than adhering strictly to preset password recommendations, such as those from Microsoft’s GPO-based or fine-grained password policies, or guidelines like the NIST Digital Identity Guidelines.
2. Align with regulatory requirements
The geographical location of your organization and the sector in which it operates can significantly influence the specific regulatory requirements you must adhere to concerning password management. Different regions and industries often have varied standards and regulations that dictate how passwords should be handled to ensure data security and privacy. If you are uncertain about the compliance requirements relevant to your organization, it’s crucial to gain a clear understanding of these password-related regulations right from the beginning.
This proactive approach not only helps in aligning with legal obligations but also in fortifying your cybersecurity measures effectively. Understanding these nuances will enable you to develop a password policy that not only meets legal criteria but also enhances your overall security posture.
While not everything is covered here, there are some compliance resources below that may help:
Global
North America
Europe
- GDPR and access controls (remember, GDPR still applies if you’re based outside Europe and are working with European organizations)
3. Don’t skip documentation
Security policies serve to establish clear expectations. Ideally, your policy should exist as a distinct document, rather than being merged into a broader IT security or acceptable use policy. It should articulate, in straightforward language whenever possible, its purpose and scope, along with the specific roles and responsibilities involved. The document should also detail technical requirements such as password length, complexity, and other criteria. It is important to specify which systems, applications, users, departments, and devices are covered by the password policy strategy, as well as any exceptions.
Common areas that are often overlooked include the methods for measuring compliance, penalties for policy breaches, and procedures for regular review and assessment. Ensure that all these aspects are addressed and that both your security committee and users agree with and understand the expectations set forth. Have the policy draft reviewed by experts in the relevant subjects, and make necessary updates before seeking approval from executive-level management. Additionally, having the policy reviewed by legal professionals, as well as risk management and human resources, can be very beneficial.
4. Make a plan for enforcement
Avoid the misconception that a documented password policy is automatically effective. Without proper enforcement, such documentation is nothing more than a theoretical guideline. It’s not uncommon for organizations to have a password policy on paper that is starkly different from the actual practices. A policy is only as good as its implementation and enforcement, so it’s crucial to consider how you will operationalize your policy.
Simply having a policy written down means that stakeholders will expect adherence to it. However, if there is a visible disconnect between what the policy states and the actions taken, it will undermine not only the credibility of your password policy but also the integrity of your entire security framework. Effective enforcement and the readiness to address violations are essential. Without these, your policies might backfire, leading to more issues than they resolve.
5. Audit your Active Directory
It’s not advisable to set arbitrary password standards without a deep understanding of the specific authentication-related security risks your organization faces. Begin by gaining a thorough insight into the activities within your Active Directory and pinpointing the actual password-related risks present. Conducting an Active Directory audit is an excellent starting point.
Download a free auditing tool
Specops Password Auditor, for instance, performs a read-only scan of your Active Directory and provides a detailed, customizable report highlighting your password-related vulnerabilities. This report can reveal issues such as outdated admin accounts, neglected inactive users, active users with previously breached passwords, and much more. You can download this free auditing tool to start assessing your system’s security posture: Download Specops Password Auditor for free.
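As an added example (not code from Specops or from the Password Auditor tool described above), the PowerShell below performs a read-only inventory of several of the password-related risks mentioned in this section: privileged accounts, inactive users, accounts whose password never expires or is not required, and passwords that have not been changed in a long time, alongside the password policies actually in force. It assumes the RSAT ActiveDirectory module and read access to the domain; the 90-day and 365-day thresholds, the choice of "Domain Admins" as the privileged group, and the output path are assumptions you should adjust to your own environment.

```powershell
# Added example, not Specops code: a read-only baseline of password-related risk in AD.
# Requires the RSAT ActiveDirectory module and read rights on the domain.
# Assumed thresholds: 90 days = "inactive", 365 days = "stale password".
Import-Module ActiveDirectory

$InactiveDays = 90     # assumption
$StalePwdDays = 365    # assumption
$PrivGroup    = 'Domain Admins'   # assumption: add other privileged groups as needed
$OutFile      = "$env:TEMP\ad-password-baseline.csv"   # assumption
$Now          = Get-Date

# 1. The policies actually in force: the domain default plus any fine-grained policies.
#    Compare these with what your written policy says; they are often not the same.
Write-Host "Default domain password policy:"
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, PasswordHistoryCount, LockoutThreshold |
    Format-List
Write-Host "Fine-grained password policies (PSOs):"
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, MaxPasswordAge, AppliesTo |
    Format-List

# 2. Privileged users: recursive membership of the assumed privileged group, keyed by SID.
$PrivSids = Get-ADGroupMember -Identity $PrivGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SID.Value }

# 3. Enabled user accounts with the attributes the checks need, fetched in one query.
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties `
    LastLogonDate, PasswordLastSet, PasswordNeverExpires, PasswordNotRequired

$Findings = foreach ($u in $Users) {
    $isPriv = $PrivSids -contains $u.SID.Value
    # A null LastLogonDate means the account has never logged on since the attribute
    # was introduced; an enabled account in that state is treated as inactive.
    $inactive = (-not $u.LastLogonDate) -or (($Now - $u.LastLogonDate).Days -gt $InactiveDays)
    # A null PasswordLastSet means "must change at next logon" or never set; flag it too.
    $stalePwd = (-not $u.PasswordLastSet) -or (($Now - $u.PasswordLastSet).Days -gt $StalePwdDays)

    if ($isPriv -or $inactive -or $stalePwd -or $u.PasswordNeverExpires -or $u.PasswordNotRequired) {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            IsPrivileged         = $isPriv
            Inactive             = $inactive
            PasswordStale        = $stalePwd
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordNotRequired  = $u.PasswordNotRequired
            LastLogonDate        = $u.LastLogonDate
            PasswordLastSet      = $u.PasswordLastSet
        }
    }
}

# 4. Summary counts for the planning discussion, then the detail as CSV for follow-up.
$Summary = [pscustomobject]@{
    EnabledUsers                  = $Users.Count
    PrivilegedUsers               = @($Findings | Where-Object IsPrivileged).Count
    InactiveUsers                 = @($Findings | Where-Object Inactive).Count
    StalePasswords                = @($Findings | Where-Object PasswordStale).Count
    PasswordNeverExpires          = @($Findings | Where-Object PasswordNeverExpires).Count
    PasswordNotRequired           = @($Findings | Where-Object PasswordNotRequired).Count
    PrivilegedWithNonExpiringPwd  = @($Findings | Where-Object { $_.IsPrivileged -and $_.PasswordNeverExpires }).Count
}
$Summary | Format-List
$Findings | Sort-Object IsPrivileged, SamAccountName -Descending | Export-Csv -Path $OutFile -NoTypeInformation
Write-Host "Detail written to $OutFile"
```

Run it from a domain-joined workstation with the RSAT tools installed; it only reads directory attributes and changes nothing. Note what it cannot tell you: whether a password appears in a breach list. The attributes queried here say when a password was set, not what it is, so the "previously breached passwords" finding the article attributes to the auditing tool needs a hash-comparison approach rather than a directory query like this one.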
Found the recommendations in this blog helpful? Read the full report ‘How to deploy a password policy in Active Directory: End-to-end guide’ here.
(Last updated on November 8, 2024)