My focus today is around passwords and policies for Azure Active Directory (AD) which has so many integrations and connections, so from a business perspective it’s particularly important to secure this password.
Azure AD allows users to authenticate to the Azure portal, Azure workloads, Office 365, as well as other cloud and on-premise solutions. It’s imperative to ensure that this ‘key to the kingdom’ is strong and well protected.
First, training your end users is a must. Strong security begins with well informed and well-trained users. Policy can only take you so far in a world where a well-placed question from an undercover engineer is just as detrimental as a brute force attack. Here are three tips to help keep your users protected:
1. Password length is not the only strengthening factor. Be sure to have users add in alphanumeric characters, capitalization and special characters to decrease the chances of a quick brute force attack. Many users will think this is a bad thing as they must remember all those passwords, but there are easy tricks to supplement letters with other characters to increase the complexity but alleviate the memorizing disadvantage: @ for a, # for an h, or for l can be used to easily replace characters in a password.
Capitalization is another way to fend off an attack by a social engineer, especially if they are trying to obtain information via a phone. Try to place capitals in non-obvious areas rather than the front or end of your password.
Minimize the ability to guess your passwords. Things like favorite sports teams, hometown or pet’s names are commonly used and should be avoided.
2. Passwords do not need to be just one word. In fact, it is recommended to use a complete sentence as a password. This will greatly increase the number of characters in your password while keeping your password, or passphrase, very memorable.
3. Be cautious about answering security questions. These can be helpful in a pinch when you forget your password but think about how easy it would be for another party to answer these questions. Surely your spouse, best friend or sibling could impersonate you and reset your password, but how about a clever social engineer with right set of charisma and leading questions.
This could be one time in life that you can be advised to lie. A commonly overlooked area is that answers to these security questions can be completely made up on your end. Use your brother’s middle name as your mother’s maiden name or first car, use your dream car.
This will help you when confronted with a social engineer. It’s much harder to lie in person or over the phone; if you got caught off guard with a social engineer and you told him your first car was a 1994 sedan, he won’t guess the actual security answer of a 2019 sports car.
Now let me touch upon password policy. While it’s of critical importance to do the work of training your users, policy is still vital to the success of strengthening your password initiative. Common areas are minimum password length (8 – 12 characters), complexity requirements such as special characters, capitals and numbers and banning common passwords.
Keep in mind that if made too complex, this often leads to password normalization like adding 1,2,3 at the end of the same password. The key is to keep your policies reasonable while training your users of the risk of poor passwords.
There are also other ways to protect your system without using complicated passwords like MFA which greatly reduces the chances of hacking without continuously increasing password complexity requirements. Microsoft best policy is to be a guiding factor for your security staff and to frequently check with the sources for updates.
I hope these tips will help you to better increase your password and policy security for your organization. Taking some time to train your users on these tips and create stronger passwords and policies across your platforms will save you the potential of a much bigger security disaster.
If you have questions around this topic or anything Azure related, simply click the link below or contact us. We’re here to show you how to use Azure products and services to help take your business from good to great.