Microsoft Password Policy: 3 Crippling Drawbacks
A password policy is meant to ensure that user passwords are strong and are changed periodically, so that guessing or cracking them is impractical for an attacker. If you are in the process of implementing a password policy, or are looking for a way to ensure that your user accounts and critical data are as secure as possible, you need to be aware of the following common password policy pitfalls.
Short Password Expiry Cycles
In order to keep systems secure, many companies force their users to change their passwords on a regular basis, usually every 90 days. Some take it considerably further, for example forcing employees to change passwords every two weeks.
This may seem like a good idea, but all it does is encourage users to pick passwords that are easy to remember, and to derive each new password from the previous one (incrementing a trailing digit, appending the current month or year). Any password that is easy to remember, or predictable from its predecessor, is likely easy to guess, and cracking tools are built to try exactly those variations. Current guidance from NIST (SP 800-63B) and Microsoft's own security baseline no longer recommends periodic expiry at all, favouring a forced change only when there is evidence that a password has been compromised.
No account lock-out rule
While password complexity is a common focus of password policies, it is probably not the most effective way to prevent brute-force attacks. Some experts say that it is more important to lock an account after a certain number of failed login attempts. Note that lockout only limits online guessing against the live logon service; it does nothing against offline cracking of password hashes an attacker has already stolen.
It's important to find the right balance among a few different factors, including the sensitivity of the account, how likely authorized users are to enter the wrong password, and how much of a hassle it is to fix the situation when users get locked out. In Windows these trade-offs map onto three Group Policy settings: the lockout threshold (how many failures trigger a lockout), the time after the last failure at which the failure counter resets, and how long the account stays locked.
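To make these three settings concrete, here is an added example (not code from the article) that models the Windows lockout counter in Python and runs a constructed 1,000-word guessing attack against it with and without a lockout rule. The policy values, the wordlist and the target password are assumptions chosen for the demonstration; the third run shows the caveat that an attacker who paces guesses slower than the observation window never trips the counter, so the lockout rule raises the cost of guessing rather than ending it.

```python
"""Model of the Windows account-lockout settings (added example, not the
article's own code). The three knobs correspond to the Group Policy settings
"Account lockout threshold", "Reset account lockout counter after" and
"Account lockout duration". All numeric values below are assumptions."""
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int = 5             # failed attempts that trigger lockout; 0 = never lock
    observation_window: int = 600  # seconds after the last failure before the counter resets
    lockout_duration: int = 900    # seconds the account stays locked


class Account:
    def __init__(self, password: str, policy: LockoutPolicy):
        self._password = password.encode()
        self.policy = policy
        self.bad_count = 0
        self.last_failure = None
        self.locked_until = None

    def attempt(self, guess: str, now: float) -> str:
        """Evaluate one logon attempt at time `now` (seconds).
        Returns "locked" (rejected without checking), "fail" or "ok"."""
        p = self.policy
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"
            self.locked_until = None  # lockout expired; the counter starts fresh
            self.bad_count = 0
        if self.last_failure is not None and now - self.last_failure > p.observation_window:
            self.bad_count = 0        # no failure within the window: counter reset
        if hmac.compare_digest(guess.encode(), self._password):
            self.bad_count = 0        # a successful logon clears the counter
            return "ok"
        self.bad_count += 1
        self.last_failure = now
        if p.threshold and self.bad_count >= p.threshold:
            self.locked_until = now + p.lockout_duration
        return "fail"


def simulate(policy: LockoutPolicy, guesses: list, interval: float, password: str):
    """Send `guesses` one every `interval` seconds. Returns
    (password_found, guesses_actually_checked, attempts_rejected_by_lockout)."""
    acct = Account(password, policy)
    checked = rejected = 0
    for i, guess in enumerate(guesses):
        result = acct.attempt(guess, i * interval)
        if result == "locked":
            rejected += 1
            continue
        checked += 1
        if result == "ok":
            return True, checked, rejected
    return False, checked, rejected


# Constructed wordlist: 1000 guesses, the real (assumed) password sits at position 500.
WORDLIST = [f"guess{i}" for i in range(1000)]
WORDLIST[500] = "Winter2024!"

if __name__ == "__main__":
    no_lockout = LockoutPolicy(threshold=0)
    print("no lockout, 1 guess/s:", simulate(no_lockout, WORDLIST, 1, "Winter2024!"))
    # -> (True, 501, 0)
    strict = LockoutPolicy(threshold=5, observation_window=600, lockout_duration=900)
    print("lockout 5/600/900, 1 guess/s:", simulate(strict, WORDLIST, 1, "Winter2024!"))
    # -> (False, 10, 990)
    # Pacing guesses slower than the observation window never trips the counter.
    print("lockout 5/600/900, 1 guess per 601 s:", simulate(strict, WORDLIST[:20], 601, "Winter2024!"))
    # -> (False, 20, 0)
```

The second run shows the trade-off the text describes: with a threshold of 5, a 10-minute reset window and a 15-minute lockout, only 10 of 1,000 guesses are ever compared against the password, but a legitimate user who mistypes five times is shut out for 15 minutes, and a sustained attack against a known account name locks that user out indefinitely.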
Dated password complexity requirements
Companies often mandate complex passwords and enforce the requirements technically when they can. The problem is that it is usually easy to meet the requirements with a password that isn't complex at all. For example, if a password must use a capital letter and a number, many users will pick "Password1", which also satisfies the Windows "Password must meet complexity requirements" setting (at least six characters drawn from three of the character categories, and not containing the user's account name).
And as hackers get better at cracking passwords, what was once critical for password security is becoming less important. Many password policies require punctuation marks and other special characters, and IT often recommends that users take words and phrases and replace some letters with those symbols ("P@ssw0rd!"). However, hackers have long since caught on: password-cracking tools apply exactly those substitution rules ("leetspeak" rules) to every word in their wordlists, so the symbols add almost nothing to the cost of cracking.
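The following added example (not the article's own code) implements the documented Windows complexity rule in Python and, beside it, the substitution-undoing check that a cracking rule set applies to a wordlist. The wordlist, the account names and the substitution table are constructed for the demonstration; the fifth Windows character category (non-Latin alphabetic characters) is left out for simplicity.

```python
"""Why a Windows-style complexity rule accepts weak passwords (added example,
not the article's code). meets_windows_complexity() follows the documented
rule: at least six characters, three of the character categories, and no
account-name fragments. normalize() undoes the letter-for-symbol substitutions
the way a cracker's leetspeak rules do. Wordlist and names are constructed."""
import re
import string

# Assumed substitution table: the common symbol/digit-for-letter swaps.
SUBSTITUTIONS = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                 "0": "o", "$": "s", "5": "s", "7": "t", "+": "t"}

# Constructed mini dictionary standing in for a cracking wordlist.
WORDLIST = {"password", "welcome", "summer", "winter", "letmein", "company"}


def meets_windows_complexity(password: str, sam_account_name: str = "",
                             display_name: str = "") -> bool:
    """Approximation of 'Password must meet complexity requirements'."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    # The whole samAccountName may not appear (check skipped if shorter than 3 chars).
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    # displayName is split on its delimiters; tokens of 3+ chars may not appear.
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            return False
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(not c.isalnum() for c in password),  # symbols, including space
    ]
    return sum(categories) >= 3


def normalize(password: str) -> str:
    """Strip the trailing digits/symbols people append, then undo substitutions."""
    core = re.sub(r"[^a-zA-Z]+$", "", password)
    core = "".join(SUBSTITUTIONS.get(c, c) for c in core)
    return core.lower()


def dictionary_based(password: str) -> bool:
    """True if a substitution rule maps the password onto a wordlist entry."""
    return normalize(password) in WORDLIST


def assess(password: str, sam_account_name: str = "", display_name: str = "") -> dict:
    return {
        "meets_complexity": meets_windows_complexity(password, sam_account_name, display_name),
        "dictionary_based": dictionary_based(password),
    }


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd!", "Summer2024!", "correct horse battery staple"]:
        print(f"{pw!r}: {assess(pw)}")
    # "Password1" and "P@ssw0rd!" pass the complexity rule yet normalize to "password";
    # the long lowercase passphrase fails the rule but is not dictionary-based.
    print(assess("jsmith_2024", sam_account_name="jsmith"))  # rejected: contains account name
```

The point of `normalize()` is that it costs the cracker one extra pass over the wordlist, so every policy that pushes users toward "word plus symbol swaps plus a year" is effectively handing the cracker its candidate list.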