The Windows Password Policy is Not Enough
Transcript of "The Windows Password Policy is Not Enough"

1. The Windows Password Policy Is Not Enough

2. Roadmap
   • Windows Password Policy Tour
   • The problems
   • The user experience
   • The nFront Password Filter solution

3. Windows Password Policy Tour
   • Let's tour the options available with the Windows Password Policy.
   • Keep in mind the one policy applies to all users and multiple policies are not possible.*
   * If all DCs are 2008 or 2012 you can use fine-grained password policies. The rules are the same (not granular) but you can apply different rules to different OUs.

4. Windows Tour – Min Length
   • Require a minimum length.
   • Longer passwords are more difficult to hack.
   • Ideally 15 characters or more is best due to Rainbow Tables.

5. Windows Tour – Max Age
   • Have the user change their password on a regular basis.
   • The idea is to change the password before the hacker has enough time to guess or crack it.

6. Windows Tour – Password History
   • Without keeping a password history, the user can set their new password to the old password.
   • Keeping a history with Windows only stops new passwords that exactly match the old ones, not variations (like incrementing a number on the end).

7. Windows Tour – Min Age
   • Some users like their old password.
   • In 5 minutes, they will go through the 13 password changes to get "back" to the one they had yesterday.
   • Minimum password age forces them to keep their first password change for a minimum amount of time.

8. Windows Tour – Password Complexity
   • The password must contain 3 of 4 character sets (a-z, A-Z, 0-9, special) and the password cannot contain the username or part of the full name.

9. Complexity allows weak passwords
   Even with the password complexity requirement enabled, the standard Windows Password Policy still allows weak passwords:
   • Password123
   • Company2015
   • January1
   • P@ssw0rd
   • LetMeIn2015
   • Photoshop1

10. Windows Tour – Reversible Encryption
   • No one knows what it is or where it is documented, but they know it is not a good idea.
   • Encryption can be reversed; hashes cannot.
   • Passwords should be stored as "salted" hashes that are not reversible. Windows does not salt, but at least hashes the passwords.

11. Standard Windows Password Change
   The user is not made aware of the password requirements.

12. Standard Windows Password Error
   The error message is not very helpful.

13. The Problems
   • Weak passwords are allowed and are an easy target for hackers, malware, viruses, spear phishing, etc.
   • The one-size-fits-all policy forces large organizations to dumb down their password policy. The bigger the company, the easier to hack.
   • The user is not given the requirements needed during password creation, causing frustration and confusion.
   • The Windows policy does not meet the specific requirements of PCI or NERC compliance.
   • Users can easily increment passwords with a number.

14. nFront Password Filter

15. What is nFront Password Filter
   • nFront Password Filter is a password policy enforcement solution that provides multiple, granular password policies for Windows domains.
   • The standard Windows password policy cannot meet most industry compliance requirements. Without nFront Password Filter your network likely allows weak passwords that are an easy target for hackers and malware.

16. nFront Password Filter Features
   • Policies are granular, with over 40 rules per policy and rules to meet all compliance requirements.
   • Up to 6 different granular password policies in one Windows domain.
   • A dictionary option to prevent millions of common passwords in less than one second.
   • One checkbox to meet password-specific compliance requirements.
   • An optional client to clearly show the password rules and an improved failure message.

17. Easy to implement and configure
   • Install and configure in less than 5 minutes.
   • Centrally managed via Group Policy.
   • No reboots needed for patches or upgrades.

18. nFront Password Filter Benefits
   • Better Passwords = Better Security
   • No more weak, easily hacked passwords on the network.
   • A proactive solution instead of a reactive one.
   • Eliminate or simplify compliance paperwork.
   • Pass security audits.
   • No more dumbing down your password policy. You can use more restrictive policies for more privileged users.

19. Multiple Policies
   Create up to 6 different password policies, with each policy targeting one or more security groups or OUs.

20. Eliminate Password Repetition
   Variations of the old password can be rejected. Windows: good. nFront: even better.

21. Prevent Common Passwords
   • The dictionary substring search can efficiently check whether the password contains any of millions of common passwords in less than one second.
   • The client failure message can show the exact dictionary word that is disallowed.
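As an added illustration (not code from the slides or from nFront), the Python below models the default Windows complexity rule described on slides 8 and 9 and shows why the listed passwords pass it, then layers on the kind of checks slides 20 and 21 describe: rejecting variations of the previous password and rejecting any dictionary word found as a substring. The word list, the substitution folding and the test user are constructed assumptions.

```python
import re

# Constructed sample data (not from the slides): a tiny dictionary and a
# minimal leet-speak folding table so "P@ssw0rd" compares as "password".
COMMON_WORDS = {"password", "company", "january", "letmein", "photoshop", "welcome"}
LEET = str.maketrans("@$0", "aso")

def windows_complexity_ok(pw, sam_account, display_name, min_len=8):
    """Default Windows rule: at least 3 of 4 character classes, and the
    password must not contain the samAccountName (if 3+ chars) or any
    3+ character token of the display name, compared case-insensitively."""
    classes = [re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")]
    if len(pw) < min_len or sum(1 for c in classes if c) < 3:
        return False
    low = pw.lower()
    if len(sam_account) >= 3 and sam_account.lower() in low:
        return False
    # Windows splits the display name on commas, periods, dashes, underscores, spaces, # and tabs.
    tokens = [t for t in re.split(r"[,.\-_ #\t]", display_name) if len(t) >= 3]
    return not any(t.lower() in low for t in tokens)

def normalize(pw):
    """Fold case, undo common substitutions and drop a trailing run of
    digits/symbols, so "Password123" and "P@ssw0rd" both become "password"."""
    return re.sub(r"[^a-z]+$", "", pw.lower().translate(LEET))

def stricter_ok(pw, sam_account, display_name, old_password, min_len=15):
    """Checks in the spirit of slides 20 and 21: a longer minimum, no
    variation of the previous password, no dictionary word as a substring."""
    if not windows_complexity_ok(pw, sam_account, display_name, min_len):
        return False, "fails base complexity or length"
    if normalize(pw) == normalize(old_password):
        return False, "variation of the previous password"
    folded = pw.lower().translate(LEET)
    for word in sorted(COMMON_WORDS):
        if word in folded:
            return False, f"contains dictionary word '{word}'"
    return True, "ok"

if __name__ == "__main__":
    user, name, old = "jsmith", "John Smith", "CompanyPassw0rd2015!"
    for candidate in ("Password123", "P@ssw0rd", "CompanyPassw0rd2016!", "Photoshop1Design2015"):
        print(candidate, windows_complexity_ok(candidate, user, name), stricter_ok(candidate, user, name, old))
```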
22. One Step Compliance
   nFront Password Filter provides features that Windows cannot, such as one-step PCI compliance.

23. nFront User Experience – Windows 7
   Password rules are displayed during the password change process. An optional strength meter can be displayed.

24. nFront User Experience – Win7
   A much better error message is given. It even includes the dictionary word if dictionary checking is enforced.

25. nFront User Experience – Windows XP
   Password rules are displayed during the password change process. An optional strength meter and clearer error message can be displayed.

26. nFront Web Password Change
   nFront Web Password Change is an application for IIS that provides a password change portal that is "nFront" aware.
   • Eliminates the need to deploy the optional software client to workstations.
   • Can be integrated with an existing intranet.

27. nFront Web Password Change
   nFront Web Password Change is an application for IIS that provides a password change portal that is "nFront" aware.
   • Eliminates the need to deploy the optional software client to workstations.
   • Can be integrated with an existing intranet.
   • Can be branded with your corporate logo and other customizations.

28. nFront Web Password Change Experience
   Upon typing a username, the password requirements are displayed.

29. nFront Web Password Change Experience
   When an unacceptable password is submitted, a detailed error is returned in orange above the rules.

30. Why some companies do not use a better password policy

31. It costs too much
   So you can spend $$$$ on an expensive web application firewall but still allow internal and external users to have passwords like Password123. Really?

32. Users will write down passwords
   Some users will write down their passwords. We understand.*
   When the weak password that was not written down gives external hackers and malware access to your customer data, you may want to reconsider.
   * A shock collar can help with this (may not be HR approved).

33. We have a strong written password policy
   A strong written password policy is a great idea. Chances are Windows alone cannot enforce it. Unless you force the users to meet the requirements, you likely have a lot of passwords in use that do not meet the written requirements.

34. We run password crackers periodically
   Self-diagnostics are great, but why do you want to ALLOW WEAK PASSWORDS ON THE NETWORK for weeks or months and MANUALLY RUN A PASSWORD CRACKER when you can automate the process and prevent the bad passwords?

35. Which network would you hack?

36. "Friends do not let friends use bad passwords"

37. From the nFront Team, Thank You
   For questions regarding nFront Security products or compliance, please visit nFrontSecurity.com