I am sure all of you administrators out there take every possible step to protect the integrity of your company and user data by implementing solid security policies and practices.
We live in a world where we hear about a security breach or a leak of user credentials on a far too regular basis, so there is always room for improvement.
One area that is a constant point of contention is user/system passwords.
While I was browsing my RSS feeds this week, I came across a blog post from Microsoft's Active Directory Team that shared some great insights into password best practices. In it they talk about how two Microsoft services, Azure Active Directory and Microsoft Accounts, approach protecting access to user accounts.
However, before they go into those details, they point to a recent whitepaper written by Robyn Hicock, one of their Program Managers, that provides research and suggestions for improving password security. You can download the 19-page whitepaper (PDF, 1MB) from the Microsoft Research website.
A quick snapshot of the advice she gives IT admins:
- Maintain an 8-character minimum length requirement (and longer is not necessarily better).
- Eliminate character-composition requirements.
- Eliminate mandatory periodic password resets for user accounts.
- Ban common passwords to keep the most vulnerable passwords out of your system.
- Educate your users not to re-use their password for non-work-related purposes.
- Enforce registration for multi-factor authentication.
- Enable risk based multi-factor authentication challenges.
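Three of those recommendations (the 8-character minimum, no composition rules, and a ban on common passwords) can be enforced directly in a password-acceptance check. The following is an added example written for this article; it is not code from the Microsoft post or the whitepaper. The banned-word list is a constructed sample, and the substitution table and the "leftover letters" threshold are assumptions made for the example, not Microsoft's matching algorithm.

```python
# Added example: a password-acceptance check that follows the whitepaper's
# enforceable advice (8-character minimum, no composition rules, ban common
# passwords). Banned list, substitution table and threshold are constructed
# for this example and are not Microsoft's.
import re

MIN_LENGTH = 8          # minimum only; the check does NOT demand more
MAX_LEFTOVER = 3        # assumption: letters allowed around a banned word

# Constructed sample; in practice feed this from a breach-derived list.
BANNED_BASE_WORDS = {
    "password", "letmein", "qwerty", "welcome", "iloveyou", "admin",
    "monkey", "dragon", "football", "baseball", "contoso",
}

# Substitutions users apply to dodge naive blocklists ("P@ssw0rd").
# Assumed table for this example.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o",
    "$": "s", "5": "s", "7": "t", "+": "t",
})


def normalize(password: str) -> str:
    """Case-fold, undo common symbol/digit substitutions, drop non-letters."""
    folded = password.casefold().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", folded)


def banned_match(password: str, banned=BANNED_BASE_WORDS) -> list:
    """Return the banned words the password is built on, or [] if none.

    A password is "built on" banned words when, after stripping every banned
    word found in its normalized form, at most MAX_LEFTOVER letters remain.
    That bans 'P@ssw0rd1' and 'Welcome2Contoso' but not 'badminton2020'.
    """
    remaining = normalize(password)
    hits = []
    # Longest words first so 'password' is consumed before shorter overlaps.
    for word in sorted(banned, key=lambda w: (-len(w), w)):
        if word in remaining:
            hits.append(word)
            remaining = remaining.replace(word, "")
    if hits and len(remaining) <= MAX_LEFTOVER:
        return hits
    return []


def check_password(password: str, banned=BANNED_BASE_WORDS) -> tuple:
    """Accept or reject a candidate password; returns (ok, reason)."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    # Deliberately no character-composition rules: a long all-lowercase
    # passphrase is accepted, which is the whitepaper's point.
    hits = banned_match(password, banned)
    if hits:
        return False, "too close to common password(s): " + ", ".join(hits)
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("short", "P@ssw0rd!", "Welcome2Contoso",
                      "badminton2020", "correcthorsebatterystaple"):
        print(f"{candidate!r}: {check_password(candidate)}")
```

The normalization step is what makes the ban useful: a plain string comparison against a list rejects "password" but waves "P@ssw0rd1" through, which is exactly the variant users reach for. The leftover threshold is a crude substitute for the scoring a production blocklist would use; tune it against your own list, since a short banned word such as "admin" will otherwise hit innocent words that contain it.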
Now some of those recommendations really go against the grain of what we have been told for quite a while, but once you read the whitepaper I think things will become much clearer.
Her work also includes info for your users to help improve their security posture when it comes to their accounts and hardware.
Be sure to visit and read the entire blog post, "117M leaked creds (from LinkedIn?). New best practices + #AzureAD and MSA can help", as well as the whitepaper.
I suspect it will give you and your team a lot to discuss.