Creating a NIST Password Policy for Active Directory

Creating a NIST Password Policy for Active Directory

NIST recommends rejecting passwords used for online guessing attacks and also eliminating periodic password expiration- unless the password is compromised. While these requirements make sense given current cyber threats, they don’t precisely fit historic password policies. NIST has recommended new password policy guidelines for Active Directory that can help.

So how can you easily implement a modern password policy? And how can organizations make this a beneficial and straightforward effort when using Active Directory?

This article will dig into the new password requirements and describe how they can be applied in a modern NIST password policy.

We’ll also explain how Enzoic for Active Directory was designed for this purpose and can be configured in Active Directory to NIST guidelines with one setting.

Why Did Password Policies Need Such A Dramatic Overhaul?

Password policies needed to change to match the modern threat landscape. For years we required users to mix different character types. We thought this created a “strong” password.

However, what everyone has learned (and seems obvious in hindsight) by looking at actual passwords from data breaches is that people just take familiar words and append symbols and numbers or replace letters to satisfy strong password rules. Those rules didn’t encourage randomness at all.

Research has found a similar situation with password expiration policies. We required users to change their passwords, but this only discouraged them from making an effort to think of a unique password – more simple substitutions. The bad guys quickly learned the patterns.

It turned out that the old password policies made creating and remembering passwords harder for users, but actually easier for hackers.

What Is So Different About Creating A Password Policy Now?

As we discussed, cyber-criminals are using the past data breaches and common variations as a weapon. The solution is understanding the same patterns and using the same tactics to create a defensive tool.

This new approach relies on keeping up-to-date blacklists of compromised passwords and applying patterns from cracking dictionaries. This tactic, however, doesn’t work well for previous password policies and old-school password policy tools.

In the past, a simple software formula could identify a strong password based on the inclusion of the right mix of character types. And it would always be considered strong.

Modern password policies need to be able to compare large lists of bad passwords rapidly. More importantly, they need to be able to handle the fact that the next data breaches could instantly make a previously safe password vulnerable.

These are significant changes for systems administrators and for the tools used for creating password policies.

NIST Guidelines Illustrate A Modern Password Policy

While not every organization must comply with NIST, their guidelines are seen as the foundation for many security frameworks. So, what does a modern password policy look like?

The guidelines are given in NIST SP 800-63B.

NIST is explicit that password policies SHOULD NOT require composition rules (i.e. mixtures of characters), and they SHALL compare to a list that includes passwords from previous breaches.

The NIST FAQ SP 800-63B elaborates by saying it is essential to discourage the use of very common passwords, particularly those that are most likely to be tried in an online password guessing attack.

The corresponding NIST password policy must:

  1. Reject passwords that are less than 8 characters
    This is a straight-forward NIST requirement. It can be easily satisfied with the existing Active Directory password length policy.
  2. Reject chosen passwords if found to be previously compromised
    Data breaches occur every day. Obtaining compromised or exposed passwords is a continuous effort. The model is relatively similar to antivirus threat intelligence, and best left to specialists.
  3. Reject common and likely passwords
    Common passwords and likely passwords are found in cracking dictionaries. These wordlists with common transformations are built by hackers and evolve over time. Incorporating them turns the attackers’ weapon into a defensive tool.
  4. Reject context-specific words in passwords
    Common passwords choices also vary by context and location. Consider the name of your business, application, etc. The password blacklist must be enhanced with a custom dictionary to block context-specific passwords.
  5. Consider common variants using fuzzy matching
    Attackers conduct basic transformations made during password creation. By normalizing the password (i.e. making it case insensitive, removing leetspeak substitutions, etc.) again, turn attack tactics into defensive measures.
  6. Detect and immediately remediate newly vulnerable passwords
    Although more challenging to implement, this is perhaps the most critical requirement. In the current environment, the password that is initially screened and determined to be safe may become vulnerable. Mechanisms are needed to revisit password after initial screening, ideally daily, to detect compromise and automate remediation – including resetting a secure password.

These requirements reflect the current industry best practices for hardening the password layer. NIST makes it clear that a proper authentication strategy involves more than one layer and that the requirements above should be met whenever the password layer is included.

Using Enzoic for Active Directory for NIST Password Policy

Many old-school password security tools provide limited implementation options for the NIST password requirements. They often bolt-on static blacklists that are infrequently updated. They have limited options beyond complex algorithms rules and typically have somewhat complicated configuration steps that are not relevant to modern password policies.

By contrast, Enzoic for Active Directory provides a clean user interface. For organizations looking to satisfy the NIST requirements above, a single checkbox can apply all of the password policy options above. Once enabled, a dashboard component can highlight if settings are changed. Learn more about One-Click NIST Password Standard Compliance.

Enzoic for Active Directory was specifically designed for modern password policy requirements. It works together with Enzoic’s proprietary threat research services. The blacklist database that powers Enzoic for Active Directory is updated every day with the latest breach data and passwords are rescanned every 24 hours. When users’ passwords are found to be vulnerable, the remediation steps are fully automated.

The Benefits of Creating a NIST Password Policy

Many security initiatives add additional burden to the organization. However, adopting a NIST password policy actually does the opposite. It improves user experience by eliminating password complexity rules and reducing frequent password resets. It lowers administrative costs with fewer password resets calls and automated remediation. And it improves security by following modern industry recommendations for passwords.