Why length-based password aging is your new best friend

Sponsored by Specops Software

All of the high-profile ransomware attacks and data breaches that have occurred over the last several years have conclusively demonstrated the need for strong cybersecurity. Although end-users generally accept the idea that credible threats to cybersecurity exist, those very same users often resist the cybersecurity rules that their employers put into place.

There are a number of reasons why users so often dislike cybersecurity rules. Some users, for example, see such rules as being little more than bureaucratic nonsense. More often, however, users oppose cybersecurity rules because those rules make it more difficult for users to do their jobs. This can be especially true when it comes to passwords. Rules requiring users to use long and complex passwords and change those passwords frequently can make it tough for a user to remember their current password. This may lead a user to circumvent the organization’s password policy by simply writing their password down or using their work password for accounts on any number of websites in an effort to reduce the number of passwords that they have to remember.


The ‘shame’ of password resets

Even if a user does not actively attempt to circumvent an organization’s password policy, they may find that they have trouble remembering their latest password, thus prompting frequent password resets. The shame associated with having to contact the helpdesk “yet again” for another password reset may drive the user to use less secure, more memorable passwords.

All of these factors put enterprise IT in a difficult position. On the one hand, an organization cannot afford to adopt a lax password policy. The stakes are simply too high. A data breach stemming from a weak password policy would likely do irreparable harm to the organization’s reputation and financial wellbeing. Additionally, an organization may be subject to a regulatory compliance mandate that gives the IT staff almost no ability to make the organization’s password policy less burdensome for end users.

At the same time, however, an overzealous password policy will inevitably drive users to engage in risky behavior, thus completely undermining the policy’s effectiveness.

Conventional wisdom has long held that if an organization’s password policy is to be effective, then the organization’s IT department must strike just the right balance between keeping the organization secure and keeping users happy. However, this is not the only option. What if there was a way to reward your end-users for using strong passwords?

Historically, organizations have relied on static password policies in which the same password requirements apply to everyone in the organization. It doesn’t have to be this way, however. In a Windows environment, password policies are implemented through Group Policy objects. Group policies are hierarchical in nature, and policy settings can be applied at various levels of the hierarchy. Because of this, some organizations keep privileged accounts in a different Organizational Unit (OU) than basic user accounts. This makes it possible to use different Group Policy objects for privileged and non-privileged users, thus allowing an organization to impose a more stringent password policy on privileged users.

While this technique does work, it is relatively inflexible. Furthermore, assigning different password policies to different users can quickly become cumbersome for the administrative staff as the organization begins to accumulate more and more Group Policy objects.

Specops rewards users for strong passwords

A better option is to use Specops Password Policy to dynamically change a user’s password policy based on the characteristics of the user’s password. This approach can be used to reward users for using strong passwords.

Suppose for a moment that a user is prompted to change their password and that the user’s new password adheres to the minimum required password length. In a situation like that, the organization’s existing password policy would likely need to remain in effect. The user might, for example, be prompted to change their password in 30 days.

With that in mind, imagine that the same user chose a really long and complex passphrase instead of a simple password that barely meets the organization’s minimum requirements. Because the user has chosen a highly secure password (or passphrase), there is little reason to force them to change it again right away. In fact, requiring the user to change their password again in 30 days might even lead them to pick a less secure password next time.

With Specops Password Policy, admins can reward users for creating lengthy passwords by requiring less frequent password changes. Hence the user who created a super-long and secure passphrase might not have to change their password again for 180 days, whereas a user who adopts a less secure password might be forced to change their password in 30 days. By using this approach, an organization can actually condition its users to adopt better password habits.
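To make the mechanism concrete, here is an added illustration of length-based aging as described above. It is not Specops' product code and does not reflect how Specops stores its configuration; the tier table, the function names and the sample dates are all constructed for this example. The policy is evaluated once, at password-change time, when the plaintext length is known, and only the resulting expiry date needs to be persisted; the password itself is never stored.

```python
"""Length-based password aging, illustrated (constructed example, not Specops code).

A password earns a maximum age according to its length: the longest
tier whose minimum length it meets wins. Anything shorter than the
smallest tier is below the policy minimum and is rejected outright.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed tier table: (minimum length in characters, maximum age in days).
# The values mirror the 30-day / 180-day contrast from the article.
LENGTH_TIERS: List[Tuple[int, int]] = [
    (8, 30),    # meets the minimum length only: change every 30 days
    (12, 90),   # 12 or more characters: 90 days
    (20, 180),  # 20-character passphrase or longer: 180 days
]


def max_password_age_days(password_length: int,
                          tiers: List[Tuple[int, int]] = LENGTH_TIERS) -> Optional[int]:
    """Return the maximum age (days) earned by a password of this length,
    or None when the password is shorter than the policy minimum."""
    age: Optional[int] = None
    # Sort so the highest qualifying tier is the last one assigned.
    for min_len, days in sorted(tiers):
        if password_length >= min_len:
            age = days
    return age


@dataclass
class AgingResult:
    max_age_days: int
    expires_at: datetime
    days_remaining: int   # whole days until expiry; negative once expired
    expired: bool


def evaluate_password_aging(password_length: int,
                            pwd_last_set: datetime,
                            now: Optional[datetime] = None,
                            tiers: List[Tuple[int, int]] = LENGTH_TIERS) -> AgingResult:
    """Compute the expiry state for a password of the given length that was
    set at pwd_last_set. Raises ValueError if the length is below the minimum.
    Length is measured in Unicode code points, so count it at change time
    (len(new_password)) and persist only the expiry date, never the password."""
    if now is None:
        now = datetime.now(timezone.utc)
    max_age = max_password_age_days(password_length, tiers)
    if max_age is None:
        raise ValueError("password shorter than the policy minimum length")
    expires_at = pwd_last_set + timedelta(days=max_age)
    remaining = expires_at - now
    # timedelta.days floors toward negative infinity, so an already-expired
    # password reports a negative number of days remaining.
    return AgingResult(max_age_days=max_age,
                       expires_at=expires_at,
                       days_remaining=remaining.days,
                       expired=now >= expires_at)


if __name__ == "__main__":
    # Constructed scenario: both users changed their password on 1 Jan; it is now 31 Jan.
    last_set = datetime(2024, 1, 1, tzinfo=timezone.utc)
    today = datetime(2024, 1, 31, tzinfo=timezone.utc)
    short_user = evaluate_password_aging(len("Winter24"), last_set, today)
    passphrase_user = evaluate_password_aging(len("correct horse battery staple"), last_set, today)
    print("8-char password :", short_user)
    print("28-char passphrase:", passphrase_user)
```

Running the script shows the 8-character password expiring on day 30 while the 28-character passphrase still has 150 days left. In a real deployment the length check would run inside the password-change handler, where the plaintext is momentarily available, and only `expires_at` would be written back to the account.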

Featured image: Shutterstock
