Most IT professionals have felt it before: the reluctance to switch on password expiration. In Microsoft's Active Directory it is a single Group Policy setting. But what about all the customer-facing accounts held in some other LDAP directory or in a SQL table? You want to protect them as well, but can expiration even be enforced in those repositories? The security rationale is straightforward: a password that never expires, once stolen through phishing or a leaked database, stays usable for as long as the attacker cares to use it, and your company has no built-in point at which the stolen credential goes stale. Working out how to integrate a password policy cleanly across all of these stores keeps many IT and security professionals up at night.
Easy Password Policy Integration
The trade-off is well known: the more often users are forced to change their password, the less likely they are to remember it, and the result is more help desk calls, lost productivity and password fatigue for end users. Further questions follow: how often should passwords expire, what is the impact on end users, and how will an impending or actual expiration be communicated clearly to users who reach corporate systems through both internal and external channels? Integrating a password expiration policy gets more complex the further you dig into the requirements.
Bruce Schneier agrees in this blog that there is no need to go overboard on expiration frequency for standard, low-privilege user accounts. A 90 or 120 day interval can be just as effective as 30 or 45 days without the backlash from end users, since a very short interval mainly pushes people toward predictable variations of the old password. Worth noting: NIST SP 800-63B goes further and recommends not forcing periodic changes at all, while requiring a change whenever there is evidence of compromise; if you do run an expiration policy, the interval matters less than making sure every login path reports the same expiry state. Federating your web portals through an authentication layer such as PortalGuard puts one component in front of every login, so all types of users can be notified of impending or actual expiration regardless of access method or the directory type that holds the account and password.
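The check behind such a notification, as an added example that is not PortalGuard's code or any vendor's: the three directory types mentioned above store "password last set" differently (Active Directory's pwdLastSet is a Windows FILETIME, an OpenLDAP ppolicy pwdChangedTime is an LDAP GeneralizedTime string, and a SQL column is typically an ISO timestamp), so a federation layer has to normalise the value before it can compute days remaining and produce one consistent message for every channel. The 90-day maximum age, 14-day warning window and the sample records are assumptions chosen for illustration.

```python
"""Evaluate password age for accounts held in AD, another LDAP directory, or a SQL table.

Added example, not PortalGuard's code. The 90-day maximum age, the 14-day
warning window and the constructed sample records below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Union

# Active Directory stores pwdLastSet as a Windows FILETIME: 100-nanosecond
# ticks since 1601-01-01 00:00 UTC. A value of 0 means "must change at next logon".
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_MICROSECOND = 10


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a pwdLastSet FILETIME to an aware UTC datetime (None for 0)."""
    if filetime <= 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // _TICKS_PER_MICROSECOND)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    delta = dt.astimezone(timezone.utc) - _FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * _TICKS_PER_MICROSECOND


def parse_last_set(value: Union[int, str, None]) -> Optional[datetime]:
    """Normalise a stored 'password last set' value to an aware UTC datetime.

    Accepts an AD pwdLastSet integer, an LDAP GeneralizedTime string such as
    OpenLDAP ppolicy's pwdChangedTime ('20240501120000Z'), or an ISO 8601
    string as a SQL column might hold. Naive SQL timestamps are assumed UTC.
    """
    if value is None:
        return None
    if isinstance(value, int):
        return filetime_to_datetime(value)
    text = value.strip()
    if len(text) == 15 and text.endswith("Z") and text[:-1].isdigit():
        return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    parsed = datetime.fromisoformat(text.replace("Z", "+00:00"))
    if parsed.tzinfo is None:
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed.astimezone(timezone.utc)


@dataclass(frozen=True)
class ExpiryStatus:
    state: str           # "ok", "warning", "expired" or "must_change"
    days_remaining: int  # whole days until expiry; negative once expired


def evaluate_password_age(last_set: Optional[datetime], now: datetime,
                          max_age_days: int = 90, warn_days: int = 14) -> ExpiryStatus:
    """Classify an account against the expiration policy at time `now`."""
    if last_set is None:
        return ExpiryStatus("must_change", 0)
    remaining = (last_set + timedelta(days=max_age_days)) - now
    days = remaining.days  # floors toward minus infinity, so one hour overdue reports -1
    if remaining <= timedelta(0):
        return ExpiryStatus("expired", days)
    if remaining <= timedelta(days=warn_days):
        return ExpiryStatus("warning", days)
    return ExpiryStatus("ok", days)


def notification_message(status: ExpiryStatus) -> str:
    """One wording for every channel (portal, VPN, workstation), so users never
    meet an expiry they only saw announced in one place."""
    if status.state == "must_change":
        return "Your password must be changed before you can continue."
    if status.state == "expired":
        return f"Your password expired {-status.days_remaining} day(s) ago and must be changed now."
    if status.state == "warning":
        return f"Your password expires in {status.days_remaining} day(s). Please change it soon."
    return ""


def demo() -> Dict[str, ExpiryStatus]:
    """Run the check over constructed sample records, one per directory type."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    samples = {
        "ad-user":   datetime_to_filetime(now - timedelta(days=80)),  # AD FILETIME
        "ldap-user": "20240501120000Z",                               # LDAP GeneralizedTime
        "sql-user":  "2024-02-01 12:00:00",                           # naive SQL timestamp
        "new-hire":  0,                                               # must change at next logon
    }
    return {name: evaluate_password_age(parse_last_set(raw), now) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:10} {status.state:12} {status.days_remaining:4} {notification_message(status)}")
```

Whatever component sits in front of the login (the federation layer, the VPN gateway, the workstation agent) should call the same evaluation so that a user who is told "10 days left" on the portal is not silently locked out at the VPN. The FILETIME conversion uses integer arithmetic on purpose: the tick counts exceed what a double can represent exactly, and a floating-point shortcut can be off by a tick.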
Self-service password reset knocks down the biggest barrier to adopting a password expiration policy. Forgotten passwords are an inevitable by-product of expiration, so letting users reset their own passwords takes the chore off the help desk and lets users do it at any hour. Current tooling can let employees and customers reset a forgotten password from a one-click mobile app that also suggests strong yet memorable passwords. Two caveats a practitioner should keep in mind: the reset path is only as strong as the alternate factor that authorizes it (guessable security questions turn self-service reset into the easiest route into an account), and enrollment in that factor has to be mandatory, or the users who most need it will never have set it up. Being able to enforce enrollment of alternate authentication methods from your customer web portal or from corporate Windows or Mac workstations, in one centralized, easy-to-use authentication platform, makes a new password expiration policy less daunting for everyone.