Built directly into Active Directory is the ability to modify password policies and password complexity requirements at the Domain, Group and User levels.
By implementing Single Sign-on with Active Directory, an organization can implement a single strong password policy instead of requiring end users to manage several different policies. That is like standardizing the secret codes for every late-night rendezvous met by candlelight: simplicity is offered and security does not have to be compromised.
Additionally, AD SSO integration creates a simple password reset procedure by requiring only one password change, which affects all synchronized accounts. This set-up improves usability and convenience for end users while also reducing the number of helpdesk calls for password resets and related issues.
Password Policy Features that may be set in AD x
- Password History
- Password Age
  - Maximum
  - Minimum
- Password Length
  - Maximum
  - Minimum
- Password Complexity
  - Character Requirements: Uppercase, Lowercase, Base Digits, Special Characters, Other Unicode Characters
Password Policy Best Practices xi
Typical password policy best practices are to set “Passwords must meet complexity requirements” in Active Directory, as well as the following:
- Minimum Password Length of 8 Characters
- Use of ALT key characters for Administrators and similar Users/Groups
- Use of at least one (1) special character
- Require the password to be different from the username/display name
- Blacklist dictionary words
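The following is an added example, not code from the page or from any vendor's product. It models the policy settings listed above (history, minimum and maximum age, length, complexity) together with the best practices just listed (minimum length of 8, at least one special character, no username or display name, a dictionary-word blacklist) and evaluates a proposed password change against them. The five character categories and the account-name/display-name rule follow Microsoft's documented "Passwords must meet complexity requirements" setting; the blacklist words, the SHA-256 history digests (AD itself keeps NT hashes), and the sample user and dates are constructed for illustration.

```python
"""Added example: an Active Directory-style password policy evaluator.
Not the page's or any product's code; sample data below is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib
import re

# Delimiters Microsoft uses to split displayName into tokens for the name check.
DISPLAY_NAME_DELIMS = re.compile(r"[,.\-_ #\t]")


@dataclass(frozen=True)
class PasswordPolicy:
    history_count: int = 24                 # previous passwords remembered
    min_age: timedelta = timedelta(days=1)  # earliest allowed change after last set
    max_age: timedelta = timedelta(days=90) # password expires after this
    min_length: int = 8                     # best practice from the page (AD default is 7)
    max_length: int = 127
    complexity_enabled: bool = True         # "Passwords must meet complexity requirements"
    require_special: bool = True            # page's best practice, stricter than AD complexity
    blacklist: frozenset = frozenset({"password", "welcome", "summer", "company"})  # constructed


@dataclass
class UserRecord:
    sam_account_name: str
    display_name: str
    history: list        # hex digests of previous passwords (constructed; AD keeps NT hashes)
    last_set: datetime   # equivalent of pwdLastSet


def digest(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def category_count(password: str) -> int:
    """Number of the five AD character categories present in the password."""
    upper = any(c.isupper() for c in password)
    lower = any(c.islower() for c in password)
    digit = any(c in "0123456789" for c in password)
    special = any(not c.isalnum() for c in password)
    other = any(c.isalpha() and not c.isupper() and not c.islower() for c in password)
    return sum((upper, lower, digit, special, other))


def contains_name(password: str, sam_account_name: str, display_name: str) -> bool:
    """AD rule: reject a samAccountName of 3+ chars or any displayName token longer than 2 chars."""
    lowered = password.lower()
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return True
    return any(len(t) > 2 and t.lower() in lowered
               for t in DISPLAY_NAME_DELIMS.split(display_name))


def evaluate(password, user, policy, now):
    """Return the list of policy violations for a proposed change (empty means accepted)."""
    problems = []
    if now - user.last_set < policy.min_age:
        problems.append("minimum password age not reached")
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(f"length must be {policy.min_length}-{policy.max_length} characters")
    if policy.complexity_enabled:
        if category_count(password) < 3:
            problems.append("fewer than 3 of the 5 character categories")
        if contains_name(password, user.sam_account_name, user.display_name):
            problems.append("contains the account name or display name")
    if policy.require_special and not any(not c.isalnum() for c in password):
        problems.append("no special character")
    if any(word in password.lower() for word in policy.blacklist):
        problems.append("contains a blacklisted dictionary word")
    if digest(password) in user.history[:policy.history_count]:
        problems.append("reuses a password from history")
    return problems


def password_expired(user, policy, now) -> bool:
    """True once the maximum password age has elapsed since the last change."""
    return now - user.last_set > policy.max_age


# Constructed sample data.
DEFAULT_POLICY = PasswordPolicy()
SAMPLE_USER = UserRecord("jdoe", "Doe, John", [digest("Winter2023!")], datetime(2023, 12, 1))


def demo() -> dict:
    """Run the checks on a few constructed candidates at a fixed point in time."""
    now = datetime(2024, 1, 15)
    return {
        "reused": evaluate("Winter2023!", SAMPLE_USER, DEFAULT_POLICY, now),
        "has_name": evaluate("johnDoe99!", SAMPLE_USER, DEFAULT_POLICY, now),
        "weak": evaluate("password1", SAMPLE_USER, DEFAULT_POLICY, now),
        "too_soon": evaluate("Tr0ub4dor&3", SAMPLE_USER, DEFAULT_POLICY,
                             SAMPLE_USER.last_set + timedelta(hours=2)),
        "good": evaluate("Tr0ub4dor&3", SAMPLE_USER, DEFAULT_POLICY, now),
        "expired": password_expired(SAMPLE_USER, DEFAULT_POLICY, datetime(2024, 3, 15)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the module prints one line per constructed candidate; a password is accepted only when `evaluate` returns an empty list. The name check illustrates why the "different from the username/display name" practice is more than a string-equality test: AD rejects any display-name fragment longer than two characters, so "johnDoe99!" fails even though it is not literally the account name.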
Adopting a solution that integrates with Active Directory and provides SSPR and/or SSO is a major boon to the security of any given environment. By relegating all password-related structure and configuration to the main AD password, an organization can strengthen the front door to the network far more than it could strengthen each individual login. xii
Specifically, end users are far more likely to recall and adhere to a single set of strong password policy requirements. This reduces the security risks inherent in maintaining multiple accounts with separate passwords, each leading into a different location within the network. Moreover, Active Directory has native support for solutions that pair KBA and OTP delivery for augmented authentication security.
Proper implementation turns a single point of failure into a strong and heavily fortified single point of access that can be easily monitored and defended in the event of a stolen password or similar incident.
While we have discussed the uses of Two-factor Authentication in Self-service Password Reset, as well as the various methods of delivering an OTP via a second factor, this additional layer of authentication also substantially increases the strength of a login when paired with Single Sign-on.
Most existing Two-factor Authentication token providers have built-in support for Active Directory, which makes adding that additional physical factor much simpler when Active Directory is the central user repository in a given environment. This makes sense in various situations, including environments where compliance adherence is a must.