The Windows Password Policy is Not Enough

Transcript

  • 1. The Windows Password Policy Is Not Enough
  • 2. Roadmap: Windows Password Policy tour; the problems; the user experience; the nFront Password Filter solution.
  • 3. Windows Password Policy Tour. Let's tour the options available with the Windows Password Policy. Keep in mind that the domain password policy applies to all users, and multiple domain policies are not possible.** **If the domain functional level is Windows Server 2008 or higher (every DC running 2008 or later), you can create fine-grained password policies (Password Settings Objects). The rules available are the same as in the domain policy, not more granular, but you can apply different settings to different users and global security groups. PSOs cannot be linked to OUs; to cover an OU you put its users in a group and apply the PSO to that group.
  • 4. Windows Tour – Min Length. Require a minimum length; longer passwords are more difficult to crack. Ideally 15 characters or more: Windows will not store an LM hash for a password of 15 or more characters, and LM hashes are trivially cracked with rainbow tables. The NT hash is unsalted as well, so length is the main defence against precomputed tables there too.
  • 5. Windows Tour – Max Age. Have the user change their password on a regular basis. The idea is to change the password before an attacker has had enough time to guess or crack it.
  • 6. Windows Tour – Password History. Without a password history, the user can set their new password to the old password. The Windows history only blocks new passwords that exactly match one of the previous ones, not variations (like incrementing a number on the end).
  • 7. Windows Tour – Min Age. Some users like their old password. In 5 minutes they will go through the 13 password changes needed to get "back" to the one they had yesterday. Minimum password age forces them to keep each new password for a minimum amount of time.
  • 8. Windows Tour – Password Complexity. The password must contain characters from 3 of 5 categories (uppercase letters, lowercase letters, digits 0-9, non-alphanumeric symbols, and Unicode letters that have no upper or lower case, such as Asian scripts), and it cannot contain the account name (if it is 3 or more characters) or any part of the full name longer than two characters.
  • 9. Complexity allows weak passwords. Even with the complexity requirement enabled, the standard Windows Password Policy still allows weak passwords: Password123, Company2015, January1, P@ssw0rd, LetMeIn2015, Photoshop1. Each one has an uppercase letter, lowercase letters and a digit (or symbol), so it satisfies three categories.
  • 10. Windows Tour – Reversible Encryption. Few administrators know what "Store passwords using reversible encryption" is for or where it is documented, but they know it is not a good idea. It exists only for protocols that need the clear-text password (CHAP and IIS Digest authentication) and should stay disabled. Encryption can be reversed; hashes cannot. Passwords should be stored as "salted", non-reversible hashes. Windows does not salt, but at least hashes the password: the NT hash is MD4 over the UTF-16LE password, and older systems also store the far weaker LM hash for passwords under 15 characters unless LM hash storage is disabled.
  • 11. Standard Windows Password Change The user is not made aware of the password requirements.
  • 12. Standard Windows Password Error The error message is not very helpful.
  • 13. The Problems. Weak passwords are allowed and are an easy target for hackers, malware, viruses, spear phishing, etc. The one-size-fits-all policy forces large organizations to dumb down their password policy; the bigger the company, the easier it is to attack. The user is not shown the requirements during password creation, causing frustration and confusion. The Windows policy does not meet the specific requirements of PCI or NERC compliance. Users can easily increment passwords with a number.
  • 14. nFront Password Filter
  • 15. What is nFront Password Filter. nFront Password Filter is a password policy enforcement solution that provides multiple, granular password policies for Windows domains. The standard Windows password policy cannot meet most industry compliance requirements. Without nFront Password Filter your network likely allows weak passwords that are an easy target for hackers and malware.
  • 16. nFront Password Filter Features. Policies are granular, with over 40 rules per policy and rules to meet all compliance requirements. Up to 6 different granular password policies in one Windows domain. A dictionary option that checks a new password against millions of common passwords in less than one second. One checkbox to meet password-specific compliance requirements. An optional client that clearly shows the password rules and gives an improved failure message.
  • 17. Easy to implement and configure. Install and configure in less than 5 minutes. Centrally managed via Group Policy. No reboots needed for patches or upgrades.
  • 18. nFront Password Filter Benefits. Better passwords = better security. No more weak, easily cracked passwords on the network. A proactive solution instead of a reactive one. Eliminate or simplify compliance paperwork. Pass security audits. No more dumbing down your password policy: you can use more restrictive policies for more privileged users.
  • 19. Multiple Policies Create up to 6 different password policies with each policy targeting one or more security groups or OUs.
  • 20. Eliminate Password Repetition. Variations of the old password can be rejected. Windows: good. nFront: even better.
  • 21. Prevent Common Passwords. The dictionary substring search efficiently checks whether the password contains any of millions of common passwords, in less than one second. The client failure message can show the exact dictionary word that is disallowed.
  • 22. One Step Compliance nFront Password Filter provides features that Windows cannot - such as one step PCI Compliance.
  • 23. nFront User Experience – Windows 7 Password rules are displayed during the password change process. An optional strength meter can be displayed.
  • 24. nFront User Experience – Win7. A much better error message is given. It even includes the dictionary word if dictionary checking is enforced.
  • 25. nFront User Experience – Windows XP Password rules are displayed during the password change process. An optional strength meter and clearer error message can be displayed.
  • 26. nFront Web Password Change. nFront Web Password Change is an application for IIS that provides a password change portal that is "nFront" aware.
  • 27. (continued) Eliminates the need to deploy the optional software client to workstations. Can be integrated with an existing intranet. Can be branded with your corporate logo and other customizations.
  • 28. nFront Web Password Change Experience Upon typing a username the password requirements are displayed.
  • 29. nFront Web Password Change Experience When an unacceptable password is submitted a detailed error is returned in orange above the rules.
  • 30. Why some companies do not use a better password policy
  • 31. It costs too much. So you can spend $$$$ on an expensive web application firewall but still allow internal and external users to have passwords like Password123? Really?
  • 32. Users will write down passwords. Some users will write down their passwords. We understand.* When the weak password that was not written down gives external hackers and malware access to your customer data, you may want to reconsider. (*A shock collar can help with this; may not be HR approved.)
  • 33. We have a strong written password policy A strong written password policy is a great idea. Chances are Windows alone cannot enforce it. Unless you force the users to meet the requirements, you likely have a lot of passwords in use that do not meet the written requirements.
  • 34. We run password crackers periodically. Self-diagnostics are great, but why allow weak passwords on the network for weeks or months and manually run a password cracker, when you can automate the process and prevent the bad passwords from being set in the first place?
  • 35. Which network would you hack?
  • 36. “Friends do not let friends use bad passwords”
  • 37. From the nFront Team, Thank You For questions regarding nFront Security products or compliance please visit nFrontSecurity.com
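The points made on slides 8, 9, 20 and 21 can be checked in code. What follows is an added example, not code from the presentation and not nFront's filter: a Python model of the Windows complexity rule as Microsoft documents it (3 of 5 character categories, no account name of 3+ characters, no display-name token longer than two characters), next to the two checks the slides say Windows lacks, a "too similar to the previous password" test and a dictionary substring search. The account names, the leet table, the nine-word dictionary, the edit-distance threshold and the `strict_check` policy are all assumptions for the demonstration.

```python
"""Added illustration (not nFront's or Microsoft's code): a model of the Windows
"password must meet complexity requirements" rule beside the checks the slides
say are missing: near-copy rejection and dictionary substring search."""
import re

# Leet substitutions undone before comparison (assumed table for this example).
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed mini-dictionary; a real filter loads millions of entries.
COMMON_WORDS = ("password", "company", "january", "letmein", "photoshop",
                "welcome", "qwerty", "summer", "winter")

# Delimiters Windows uses to split the display name into tokens.
_NAME_DELIMS = re.compile(r"[,.\-_#\t ]+")


def windows_complexity_ok(password: str, sam_account: str, display_name: str) -> bool:
    """Model of the built-in check: 3 of 5 categories, and neither the account
    name (3+ chars) nor any display-name token longer than two characters may
    appear in the password (case-insensitive)."""
    categories = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in "0123456789" for c in password),
        any(not c.isalnum() and not c.isspace() for c in password),
        # alphabetic but caseless (e.g. CJK): Microsoft's fifth category
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    )
    if sum(categories) < 3:
        return False
    lowered = password.lower()
    if len(sam_account) >= 3 and sam_account.lower() in lowered:
        return False
    return not any(len(t) > 2 and t.lower() in lowered
                   for t in _NAME_DELIMS.split(display_name))


def normalise(password: str) -> str:
    """Comparison key: lower-case, drop trailing digits/symbols, undo leet.
    'Summer2015!', 'summer2016!' and '$umm3r17' all become 'summer'."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (small strings, so O(len(a)*len(b)) is fine)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_variation(new_password: str, old_password: str, max_distance: int = 2) -> bool:
    """True when the new password is the old one with a number bumped, case
    changed, leet applied, or at most max_distance edits (threshold assumed)."""
    new_key, old_key = normalise(new_password), normalise(old_password)
    if not new_key or not old_key:            # all-digit passwords: compare raw
        return new_password.lower() == old_password.lower()
    return edit_distance(new_key, old_key) <= max_distance


def contains_common_word(password: str, words=COMMON_WORDS, min_len: int = 4):
    """Dictionary substring check on the de-leeted password, returning the
    matching word (what a helpful error message needs) or None."""
    key = password.lower().translate(_LEET)
    for w in words:
        if len(w) >= min_len and w in key:
            return w
    return None


def strict_check(password, sam_account, display_name, previous_passwords):
    """Assumed policy: every reason the password fails; empty list = accepted."""
    reasons = []
    if not windows_complexity_ok(password, sam_account, display_name):
        reasons.append("fails Windows complexity rule")
    if len(password) < 15:
        reasons.append("shorter than 15 characters (LM hash / rainbow-table exposure)")
    word = contains_common_word(password)
    if word:
        reasons.append(f"contains dictionary word '{word}'")
    if any(is_variation(password, old) for old in previous_passwords):
        reasons.append("too similar to a previous password")
    return reasons


if __name__ == "__main__":
    for pw in ("Password123", "Company2015", "January1", "P@ssw0rd", "LetMeIn2015", "Photoshop1"):
        print(pw, "windows:", windows_complexity_ok(pw, "jsmith", "John Smith"),
              "strict:", strict_check(pw, "jsmith", "John Smith", ["Password122"]))
```

Running the script shows every password from slide 9 passing the Windows model while the strict policy rejects each of them with a specific reason, and `is_variation("Password124", "Password123")` reproduces the incrementing problem from slide 6 that plain history cannot catch. Note that the model mirrors the documented rule, not the exact DLL; the real check is performed by the LSA on the domain controller, which is also where a third-party password filter hooks in.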