The Windows Password Policy Is Not Enough
Roadmap
 Windows Password Policy Tour
 The problems
 The user experience
 The nFront Password Filter solution
Windows Password Policy Tour
 Let’s tour the options available with the
Windows Password Policy.
 Keep in mind the one policy applies to all
users and multiple policies are not
possible**
**If all DCs are 2008 or 2012 you can use fine-grained policies.
The rules are the same (not granular) but you can apply
different rules to different OUs.
Windows Tour – Min Length
 Require a minimum length.
 Longer passwords are more difficult to hack.
 Ideally 15 characters or more, because of
rainbow tables.
Windows Tour – Max Age
 Have the user change their password on a
regular basis.
 The idea is to change the password before
the hacker has enough time to guess / crack
the password.
Windows Tour – Password History
 Without keeping a password history, the user
can set their new password to the old
password.
 Keeping a history with Windows only stops new
passwords that exactly match the old ones, not
variations (like incrementing a number on the
end).
Windows Tour – Min Age
 Some users like their old password.
 In 5 minutes, they will go through the 13
password changes to get “back” to the one
they had yesterday.
 Minimum password age forces them to keep
their first password change for a minimum
amount of time.
Windows Tour – Password Complexity
The password must contain 3 of 4 character sets
(a-z, A-Z, 0-9, special) and the password cannot
contain the username or part of the full name.
Complexity allows weak passwords
Even with the password complexity requirement enabled,
the standard Windows Password Policy still allows weak
passwords:
Password123 Company2015 January1
P@ssw0rd LetMeIn2015 Photoshop1
Windows Tour – Reversible Encryption
 No one knows what it is or where it is documented
but they know it is not a good idea.
 Encryption can be reversed, hashes cannot.
 Passwords should be stored as “salted” hashes
that are not reversible. Windows does not salt,
but at least hashes the passwords.
Standard Windows Password Change
The user is not made aware of the password
requirements.
Standard Windows Password Error
The error message is not very helpful.
The Problems
 Weak passwords are allowed and are an easy target
for hackers, malware, viruses, spear phishing, etc.
 The one-size-fits-all policy forces large organizations
to dumb down their password policy. The bigger the
company, the easier to hack.
 The user is not given the requirements needed during
password creation causing frustration and confusion.
 The Windows policy does not meet the specific
requirements of PCI or NERC compliance.
 Users can easily increment passwords with a number.
nFront Password Filter
What is nFront Password Filter
 nFront Password Filter is a password policy
enforcement solution that provides multiple,
granular password policies for Windows domains.
 The standard Windows password policy cannot
meet most industry compliance requirements.
Without nFront Password Filter your network likely allows
weak passwords that are an easy target for hackers and
malware.
nFront Password Filter Features
 Policies are granular with over 40 rules per policy
and rules to meet all compliance requirements.
 Up to 6 different granular password policies in one
Windows Domain.
 A dictionary option that blocks millions of common
passwords in less than one second.
 One checkbox to meet password-specific
compliance requirements.
 An optional client to clearly show the password
rules and an improved failure message
Easy to implement and configure
 Install and configure in less than 5 minutes.
 Centrally managed via Group Policy.
 No reboots needed for patches or upgrades.
nFront Password Filter Benefits
 Better Passwords = Better Security
 No more weak, easily hacked passwords on the
network.
 A proactive solution instead of a reactive one.
 Eliminate or simplify compliance paperwork.
 Pass security audits.
 No more dumbing down your password policy.
You can use more restrictive policies for more
privileged users.
Multiple Policies
Create up to 6 different password policies with each
policy targeting one or more security groups or OUs.
Eliminate Password Repetition
Variations of the old password can be
rejected.
Windows: Good. nFront: Even better.
Prevent Common Passwords
 The dictionary substring search can efficiently
check whether the password contains any of millions of
common passwords, in less than one second.
 The client failure message can show the exact
dictionary word that is disallowed.
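A model of these checks, as an added example that is not nFront's or Microsoft's code: the Windows complexity rule as the deck describes it, run against the deck's six weak passwords, beside the variation check that Windows password history lacks (the incremented-number case from the history slide) and a dictionary substring search that returns the offending word. The username, full name and the small word list are constructed for the demo.

```python
"""Added example, not nFront's or Microsoft's code: the Windows complexity
rule as the deck describes it, beside the granular checks the deck says
Windows lacks (rejecting variations of the old password, a dictionary
substring search, a 15-character minimum). Names and the word list are
constructed; the six passwords are the deck's own examples."""
import re
import string

# Delimiters Windows uses when splitting the full name into tokens.
_NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")
# Common substitutions undone before comparing ('P@ssw0rd' -> 'password').
_LEET = str.maketrans("@$03", "asoe")


def windows_complexity_ok(password, username, full_name):
    """3 of 4 character classes, and neither the username nor any full-name
    token of 3+ characters may appear in the password (case-insensitive).
    Real Windows also counts a fifth class for non-Latin alphabetic characters."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        return False
    low = password.lower()
    if username and username.lower() in low:
        return False
    return not any(len(t) >= 3 and t.lower() in low
                   for t in _NAME_DELIMS.split(full_name))


def _canonical(pw):
    """Core of a password with case, leading/trailing digits and symbols and
    leet substitutions removed, so 'Summer2015!' and 'summer2016' collapse."""
    return pw.lower().strip(string.digits + string.punctuation).translate(_LEET)


def is_variation(new_pw, history):
    """The check Windows history lacks: reject trivial variations of earlier
    passwords (incremented number, swapped symbol), not just exact matches."""
    core = _canonical(new_pw)
    return any(new_pw == old or (core and core == _canonical(old))
               for old in history)


def dictionary_hit(password, words, min_len=4):
    """Substring search against a word list: every substring of the password
    is looked up in a set, so the cost is O(L^2) lookups for a password of
    length L whatever the list size. Returns the matched word for the error."""
    core = password.lower().translate(_LEET)
    for i in range(len(core)):
        for j in range(i + min_len, len(core) + 1):
            if core[i:j] in words:
                return core[i:j]
    return None


def check_password(password, username, full_name, history, words):
    """Granular policy: the list of reasons a password fails (empty means
    accepted), the kind of specific feedback the deck asks for."""
    reasons = []
    if len(password) < 15:
        reasons.append("shorter than 15 characters")
    if not windows_complexity_ok(password, username, full_name):
        reasons.append("fails Windows complexity rule")
    if is_variation(password, history):
        reasons.append("variation of a previous password")
    word = dictionary_hit(password, words)
    if word:
        reasons.append("contains dictionary word '%s'" % word)
    return reasons


# Constructed word list; the six passwords are the deck's own examples.
WEAK_WORDS = {"password", "company", "january", "letmein", "photoshop", "summer"}
DECK_EXAMPLES = ["Password123", "Company2015", "January1",
                 "P@ssw0rd", "LetMeIn2015", "Photoshop1"]

if __name__ == "__main__":
    for pw in DECK_EXAMPLES:  # all pass Windows complexity; none pass the granular policy
        print(pw, windows_complexity_ok(pw, "jsmith", "John Smith"),
              check_password(pw, "jsmith", "John Smith", [], WEAK_WORDS))
```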
One Step Compliance
nFront Password Filter provides features
that Windows cannot, such as one-step
PCI compliance.
nFront User Experience – Windows 7
Password rules are displayed during the password
change process. An optional strength meter can be
displayed.
nFront User Experience – Win7
A much better error message is given. It even
includes the dictionary word if dictionary
checking is enforced.
nFront User Experience – Windows XP
Password rules are displayed during the password
change process. An optional strength meter and
clearer error message can be displayed.
nFront Web Password Change
nFront Web Password Change is an application
for IIS that provides a password change portal
that is “nFront” aware.
 Eliminates the need to deploy the optional
software client to workstations.
 Can be integrated with existing intranet.
nFront Web Password Change
nFront Web Password Change is an application for IIS
that provides a password change portal that is “nFront”
aware.
 Eliminates the need to deploy the optional software
client to workstations.
 Can be integrated with existing intranet.
 Can be branded with your corporate logo and other
customizations.
nFront Web Password Change Experience
Upon typing a username the password requirements
are displayed.
nFront Web Password Change Experience
When an unacceptable password is submitted a
detailed error is returned in orange above the rules.
Why some companies do not use a better password policy
It costs too much
So you can spend $$$$ on an expensive web
application firewall but still allow internal and
external users to have passwords like
Password123
Really?
Users will write down passwords
Some users will write down their passwords.
We understand.
*A shock collar can help with this
When the weak password that was not written
down gives external hackers and malware
access to your customer data you may want to
reconsider.
*may not be HR approved
We have a strong written password policy
A strong written password policy is a great idea.
Chances are Windows alone cannot enforce it.
Unless you force the users to meet the
requirements, you likely have a lot of passwords
in use that do not meet the written
requirements.
We run password crackers periodically
Self-diagnostics are great
but why do you want to
ALLOW WEAK PASSWORDS ON THE NETWORK
for weeks or months
and
MANUALLY RUN A PASSWORD CRACKER
when
You can automate the process and prevent the
bad passwords.
Which network would you hack?
“Friends do not let friends use
bad passwords”
From the nFront Team, Thank You
For questions regarding nFront Security
products or compliance please visit
nFrontSecurity.com
