In an era when cyber warfare appears to be the order of the day, controlling how your organization's passwords are created, stored and used is essential to protecting sensitive data. For a security specialist, a written password management strategy is one of the most important measures for reducing the likelihood of a breach.
Microsoft 365 ships with integrated tools to create, manage and enforce password policies, and those tools track current security guidance. In this blog, we outline the steps for setting up strong password management practices in Microsoft 365 for your organization.
Why Strong Password Management is Critical
Passwords remain the most common control protecting an account, and account takeover usually follows a weak password or a password reused across several services. The Verizon Data Breach Investigations Report has found that over 80% of hacking-related breaches involve stolen, weak or brute-forced credentials. That figure is the case for organizational password policies that address brute-force and password-spray attacks, phishing and credential theft.
Microsoft 365 relies on Azure Active Directory (Azure AD, now called Microsoft Entra ID) for identity, so password rules, multi-factor authentication (MFA) and self-service password reset (SSPR) are all configured there.
Creating Enforceable Password Policies with Microsoft 365
Users must choose passwords that are hard to guess, and the tenant should reject known-bad ones. Here is what Microsoft 365 actually lets you enforce for cloud accounts, and where the limits are:
- Password Complexity Requirements: Cloud-only accounts in Azure AD are held to a built-in policy: 8 to 256 characters drawn from at least three of the four character classes (upper case, lower case, digits, symbols). This policy is not adjustable in the cloud; if you need a different rule, apply it in on-premises Active Directory and synchronize accounts with Azure AD Connect and password hash sync.
- Password Length: The built-in minimum is 8 characters and cannot be raised for cloud-only accounts. Treat 12 or more characters (or a passphrase) as the standard you train users to, and enforce a longer minimum through on-premises AD where you need a hard rule.
- Password Expiration: Expiration is set per domain; many tenants still carry the historical 90-day rotation period. Current Microsoft guidance, in line with NIST SP 800-63B, is to set passwords to never expire and to force a change only when a compromise is suspected, because periodic rotation pushes users toward predictable variations of the same password.
- Password History: Azure AD only prevents a user from reusing their current password; a longer history (for example the last 5 or 24 passwords) is an on-premises AD setting.
- Banned Passwords: Azure AD Password Protection blocks a Microsoft-maintained list of commonly attacked passwords and lets you add up to 1,000 organization-specific terms (company name, product names, local sports teams). It also provides smart lockout, which suspends sign-in for an account after repeated failed attempts (10 by default) for a cooling-off period, so brute-force guessing stalls.
Expiration is configured in the Microsoft 365 admin center under Settings > Org settings > Security & privacy > Password expiration policy, or per domain with Microsoft Graph PowerShell. Password Protection and smart lockout are configured in the Azure AD (Entra) admin center under Protection > Authentication methods > Password protection.
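The per-domain expiration policy and the user-level exemptions above can be audited and set from PowerShell. The following is an added example written for this post, not code from the original article or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the signed-in account holds the Domain.ReadWrite.All and User.ReadWrite.All permissions, and that "contoso.com" and "alice@contoso.com" are placeholders for your own domain and a user you are investigating.

```powershell
# Added example (not from the original post): audit and set the per-domain
# password expiration policy with the Microsoft Graph PowerShell SDK.
# Assumes Install-Module Microsoft.Graph has been run and the account holds
# Domain.ReadWrite.All and User.ReadWrite.All.
# "contoso.com" and "alice@contoso.com" are placeholders; replace them.

Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.ReadWrite.All"

# 1. Show the current validity period for every domain in the tenant.
#    2147483647 is the sentinel value Microsoft uses for "never expire".
Get-MgDomain | Select-Object Id, IsVerified,
    PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# 2. Turn off forced rotation for one domain (current Microsoft/NIST guidance).
#    To keep a 90-day rotation instead, pass -PasswordValidityPeriodInDays 90.
Update-MgDomain -DomainId "contoso.com" `
    -PasswordValidityPeriodInDays 2147483647 `
    -PasswordNotificationWindowInDays 14

# 3. Find member accounts that were individually exempted from expiration
#    (PasswordPolicies contains DisablePasswordExpiration) or that have not
#    changed their password in over a year. Both lists deserve a review.
$cutoff = (Get-Date).AddDays(-365)
$users = Get-MgUser -All -Filter "userType eq 'Member'" `
    -Property UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime, AccountEnabled

$users | Where-Object { $_.PasswordPolicies -match 'DisablePasswordExpiration' } |
    Select-Object UserPrincipalName, PasswordPolicies

$users | Where-Object { $_.AccountEnabled -and $_.LastPasswordChangeDateTime -lt $cutoff } |
    Sort-Object LastPasswordChangeDateTime |
    Select-Object UserPrincipalName, LastPasswordChangeDateTime

# 4. Respond to a suspected compromise of one account: kill its refresh
#    tokens and require a new password at the next sign-in. This is the one
#    situation in which a forced change is warranted.
Revoke-MgUserSignInSession -UserId "alice@contoso.com"
Update-MgUser -UserId "alice@contoso.com" -PasswordProfile @{
    ForceChangePasswordNextSignIn = $true
}
```

Step 2 takes effect for every user in that domain whose account does not carry the DisablePasswordExpiration flag, which is why step 3 lists the exemptions separately: an exemption on a service account is usually deliberate, one on an ordinary user account usually is not.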
Provision for MFA
Experience has shown that passwords alone do not hold up against current threats. Multi-factor authentication (MFA) closes that gap by requiring a second proof of identity at sign-in: a push notification or one-time code from an authenticator app, a code delivered by SMS or voice call, or a hardware security key. SMS and voice are the weakest options because they are exposed to SIM swapping and interception; prefer the app or a FIDO2 key.
There are three ways to turn MFA on in Microsoft 365:
- Security defaults (free, under Azure AD > Properties > Manage security defaults) require every user to register for MFA and challenge administrators and risky sign-ins.
- Conditional Access (requires Azure AD Premium P1) lets you build policies that require MFA for named users, groups, directory roles or applications, and can be started in report-only mode to measure the impact before enforcement.
- The legacy per-user MFA page (Microsoft 365 admin center > Users > Active users > Multi-factor authentication) enables or enforces MFA one account at a time.
Whichever method you choose, cover all users, and cover every administrative role first.
With MFA in place, a stolen or guessed password alone is no longer enough: the attacker still has to defeat the second factor. MFA is a barrier rather than a guarantee, though; push-notification fatigue and real-time phishing proxies can beat weaker second factors, which is why the phishing-resistant methods described under passwordless authentication below matter for high-value accounts.
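Conditional Access is the method that scales, so here is an added example of creating two MFA policies with the Microsoft Graph PowerShell SDK. It is not code from the original post or from Microsoft. It assumes an Azure AD Premium P1 licence, the Policy.ReadWrite.ConditionalAccess permission, and a break-glass (emergency access) account whose object ID you substitute for the placeholder; the Global Administrator role template ID shown is the same in every tenant.

```powershell
# Added example (not from the original post): create two Conditional Access
# policies with the Microsoft Graph PowerShell SDK. Requires Azure AD Premium
# P1 and the Policy.ReadWrite.ConditionalAccess permission.
# The break-glass object ID is a placeholder you must replace.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Exclude at least one emergency-access account so a misconfigured policy
# cannot lock every administrator out of the tenant.
$breakGlassId = "00000000-0000-0000-0000-000000000000"   # placeholder object ID

# Built-in role template ID for Global Administrator (identical in all tenants).
$globalAdminRole = "62e90394-69f5-4237-9190-012177145e10"

# Policy 1: MFA for Global Administrators, enforced immediately.
$adminPolicy = @{
    displayName   = "CA001 - Require MFA for Global Administrators"
    state         = "enabled"
    conditions    = @{
        users          = @{
            includeRoles = @($globalAdminRole)
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

# Policy 2: MFA for all users, started in report-only mode. Review the
# sign-in log impact, then change state to "enabled".
$allUsersPolicy = @{
    displayName   = "CA002 - Require MFA for all users"
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{ operator = "OR"; builtInControls = @("mfa") }
}

foreach ($p in @($adminPolicy, $allUsersPolicy)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    "{0}  state={1}  id={2}" -f $created.DisplayName, $created.State, $created.Id
}

# Verify what is now defined in the tenant.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State,
        @{ n = 'Controls'; e = { $_.GrantControls.BuiltInControls -join ',' } }
```

Keep the administrator policy and the all-users policy separate: the first must go straight to "enabled", while the second benefits from a report-only period in which the sign-in logs show which users and legacy clients would have been blocked.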
Allowing Users to Change Their Passwords Without IT Support – Self-Service Password Reset (SSPR)
Password resets are among the most frequent helpdesk tickets in any organization. Self-Service Password Reset (SSPR) in Microsoft 365 lets users reset a forgotten password or unlock their account themselves, without opening a ticket with IT.
This is how the feature is enabled:
In Azure AD, go to Password reset and set Self service password reset enabled to All (or to a pilot group first).
Under Authentication methods, choose which verification methods users may register (mobile app notification or code, phone call, SMS, email, security questions) and how many of them must be satisfied for a reset. Require two methods, and avoid security questions and email-only verification, which are the easiest to research or phish; administrators are always held to a fixed two-method policy regardless of these settings.
Under Registration, require users to register their methods at sign-in so that a verified method exists before they need it.
SSPR improves the user experience and at the same time keeps password changes under control: every reset is verified against the user's registered methods and written to the Azure AD audit logs, rather than handled through an informal helpdesk interaction that an attacker could socially engineer.
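Before enforcing either the MFA policies above or SSPR, you need to know who has actually registered a method. The following is an added example (not code from the original post or from Microsoft) that reads the authentication methods registration report through Microsoft Graph. It assumes the Microsoft.Graph.Reports module and the AuditLog.Read.All and UserAuthenticationMethod.Read.All permissions; the method names it compares against are the values this report returns for phone-based methods.

```powershell
# Added example (not from the original post): list users who are not ready
# for SSPR or MFA, using the registration details report in Microsoft Graph.
# Requires AuditLog.Read.All and UserAuthenticationMethod.Read.All.

Connect-MgGraph -Scopes "AuditLog.Read.All", "UserAuthenticationMethod.Read.All"

$report = Get-MgReportAuthenticationMethodUserRegistrationDetail -All

# Users who would fail a reset today: SSPR is enabled for them by policy,
# but they have not registered enough methods to satisfy it.
$notReadyForSspr = @($report | Where-Object { $_.IsSsprEnabled -and -not $_.IsSsprCapable })

# Administrators with no MFA method registered are the highest-risk group.
$adminsWithoutMfa = @($report | Where-Object { $_.IsAdmin -and -not $_.IsMfaRegistered })

# Users whose only registered methods are phone-based (SMS / voice), the
# weakest options. Method names are those returned by the report.
$phoneMethods = @('mobilePhone', 'alternateMobilePhone', 'officePhone')
$phoneOnly = @($report | Where-Object {
    $_.IsMfaRegistered -and
    @($_.MethodsRegistered | Where-Object { $_ -notin $phoneMethods }).Count -eq 0
})

"SSPR not ready : {0}" -f $notReadyForSspr.Count
"Admins no MFA  : {0}" -f $adminsWithoutMfa.Count
"Phone-only MFA : {0}" -f $phoneOnly.Count

# Work the admin list first; each row shows what, if anything, is registered.
$adminsWithoutMfa |
    Select-Object UserPrincipalName, IsMfaRegistered, IsSsprRegistered,
        @{ n = 'Methods'; e = { $_.MethodsRegistered -join ',' } }
```

Run this again after the registration campaign: the first two counts should reach zero before the all-users MFA policy moves out of report-only mode, and the phone-only list is the target group for a move to the Authenticator app or a security key.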
Monitoring Password Activity and Security Alerts
Changing how passwords are managed is only half the job; you also need visibility into sign-ins, failed attempts and reset activity. Microsoft 365 provides this through the Azure AD Sign-in logs, which record every interactive and non-interactive sign-in with its result, location, client and any MFA challenge issued, and the Azure AD Audit logs, which record password resets and changes, SSPR registrations and changes to a user's MFA methods.
Build alerts on top of these logs. Sign-ins from unfamiliar countries or anonymizing networks, bursts of failures against many accounts from one IP address (a password spray), and password or MFA-method changes on privileged accounts are the events most worth a notification. Azure AD Identity Protection (Azure AD Premium P2) scores each sign-in and each user for risk from these signals and can require MFA, block the session or force a password change when the risk is medium or high. Export the logs to a Log Analytics workspace or a SIEM so they outlive the default retention (7 days on the free tier, 30 days with Premium) and so an investigation can look back further than a month.
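The password-spray pattern mentioned above is easy to miss in the portal because each account shows only one or two failures. Here is an added example (not code from the original post or from Microsoft) of the detection logic run over a constructed set of sign-in records; in a live tenant the records would come from Get-MgAuditLogSignIn (Microsoft.Graph.Reports, AuditLog.Read.All). The IP addresses are from the documentation ranges, the user names are invented, and the thresholds are assumptions to tune for your tenant.

```powershell
# Added example (not from the original post): flag password-spray activity in
# Azure AD sign-in records. The sample records below are constructed; in a
# live tenant replace them with
#   Get-MgAuditLogSignIn -All -Filter "createdDateTime ge 2024-05-01T00:00:00Z"
# Error 50126 is Azure AD's "invalid username or password" result; 0 is success.

function Find-PasswordSpray {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,
        [int] $MinDistinctUsers = 5,   # distinct accounts failing from one IP
        [int] $WindowMinutes    = 60   # ...inside this many minutes
    )
    $failures = $SignIns | Where-Object { $_.ErrorCode -eq 50126 }
    $failures | Group-Object IpAddress | ForEach-Object {
        $ip      = $_.Name
        $group   = $_.Group
        $users   = @($group.UserPrincipalName | Sort-Object -Unique)
        $times   = $group.CreatedDateTime | Measure-Object -Minimum -Maximum
        $minutes = ($times.Maximum - $times.Minimum).TotalMinutes
        if ($users.Count -ge $MinDistinctUsers -and $minutes -le $WindowMinutes) {
            # A success from the same IP after the failures began means the
            # spray may have found a valid password: escalate, do not just alert.
            $landed = @($SignIns | Where-Object {
                $_.IpAddress -eq $ip -and $_.ErrorCode -eq 0 -and
                $_.CreatedDateTime -ge $times.Minimum
            })
            [pscustomobject]@{
                IpAddress     = $ip
                DistinctUsers = $users.Count
                Attempts      = $group.Count
                WindowMinutes = [math]::Round($minutes, 1)
                SuccessAfter  = $landed.Count
                Accounts      = $users -join ', '
            }
        }
    }
}

# --- constructed sample data (not real tenant logs) ---
$base = Get-Date "2024-05-01T02:00:00Z"
function New-SignIn($upn, $ip, $code, $offsetMin) {
    [pscustomobject]@{
        UserPrincipalName = $upn; IpAddress = $ip
        ErrorCode = $code;        CreatedDateTime = $base.AddMinutes($offsetMin)
    }
}
$sample = @(
    # 203.0.113.9: one guess each against six accounts in 10 minutes, then a success (spray)
    New-SignIn 'alice@contoso.com' '203.0.113.9'  50126 0
    New-SignIn 'bob@contoso.com'   '203.0.113.9'  50126 2
    New-SignIn 'carol@contoso.com' '203.0.113.9'  50126 4
    New-SignIn 'dave@contoso.com'  '203.0.113.9'  50126 6
    New-SignIn 'erin@contoso.com'  '203.0.113.9'  50126 8
    New-SignIn 'frank@contoso.com' '203.0.113.9'  50126 10
    New-SignIn 'frank@contoso.com' '203.0.113.9'  0     12
    # 198.51.100.7: one user mistyping twice, then succeeding (normal behaviour)
    New-SignIn 'grace@contoso.com' '198.51.100.7' 50126 30
    New-SignIn 'grace@contoso.com' '198.51.100.7' 50126 31
    New-SignIn 'grace@contoso.com' '198.51.100.7' 0     32
    # 192.0.2.44: five accounts but spread across a day, below the rate threshold
    New-SignIn 'heidi@contoso.com' '192.0.2.44'   50126 0
    New-SignIn 'ivan@contoso.com'  '192.0.2.44'   50126 300
    New-SignIn 'judy@contoso.com'  '192.0.2.44'   50126 600
    New-SignIn 'mike@contoso.com'  '192.0.2.44'   50126 900
    New-SignIn 'niaj@contoso.com'  '192.0.2.44'   50126 1200
)

# Only 203.0.113.9 is reported, with SuccessAfter = 1 for frank@contoso.com.
Find-PasswordSpray -SignIns $sample | Format-Table -AutoSize
```

The same grouping works on the slow variant by widening WindowMinutes and lowering the expectation of a tight burst, at the cost of more false positives from shared NAT addresses; for those, add the sign-in log's client and device fields to the grouping key.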
Passwordless authentication (optional)
For organizations that want to remove passwords from sign-in altogether, Microsoft 365 supports several passwordless methods:
- Microsoft Authenticator: phone sign-in approves a login on the registered mobile device with a number match and the device's biometric or PIN, so no password is typed.
- FIDO2 security keys: a hardware key holds a credential bound to the Microsoft sign-in origin; because the browser releases it only to the legitimate site, the method is phishing-resistant.
- Windows Hello for Business: a PIN or biometric on a joined Windows device unlocks a key pair protected by the device's TPM, which authenticates to Azure AD without a password.
These methods are enabled per user or group in the Authentication methods policy (Azure AD > Security > Authentication methods). Passwordless sign-in removes the password that phishing kits and credential-stuffing attacks depend on and ends password reuse across sites. FIDO2 keys and Windows Hello for Business additionally defeat real-time phishing proxies, which push-based approval on its own does not, so start with them for administrators.