Active Directory password reset best practices

Password change and password reset are terms that are often used interchangeably. However, they are not the same. A user will perform a password change when they remember their existing password, and a password reset when they have forgotten it.

The two use cases are inherently tied to an organization’s domain password policy, which traditionally encompasses password complexity, length, and change-frequency requirements. With a sound policy in place, users must follow the composition requirements when changing or resetting their passwords.
But what makes a password policy secure? There is no shortage of regulatory and standards bodies that have weighed in on this very topic. This article looks at what can be achieved using the native Active Directory (AD) Group Policy settings, including key capabilities that increase password security while balancing the user experience.

Active Directory password expiration

Password Expiration can be configured using the Maximum Password Age setting within the Default Domain Policy in the Group Policy Management Console. The setting is applied to all domain computers and users.

Maximum password age dictates the number of days a password can be used before the user is forced to change it. The default value is 42 days, but IT admins can adjust it, or set passwords to never expire by setting the number of days to 0.

Windows password policy settings

Other Windows password policy settings include:

  • Enforce password history determines how many previously used passwords AD remembers for each user, so that none of them can be reused. The default and maximum value is the previous 24 passwords.
  • Minimum password age dictates how soon a user can change their password again after a change. Without it, a user could circumvent the password history rule by changing their password 24 times in a row and then reverting to the original one. The default value is 1 day.
  • Minimum password length enforces the minimum number of characters in the password.
  • Password must meet complexity requirements ensures that the password cannot contain the user’s account name or display/full name, and must include characters from three of the five character types: upper-case letters, lower-case letters, numbers, special characters and Unicode characters.
  • Store passwords using reversible encryption allows passwords to be stored in AD in a form that is effectively plain text. This is highly insecure, but is sometimes needed by applications that require access to the actual password.
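The settings listed above map directly onto the ActiveDirectory PowerShell module. As an added example (not code from the original article), the following script audits the Default Domain Policy against a baseline, flags the weak settings, and previews the remediation with -WhatIf; the baseline numbers and the availability of the RSAT module are assumptions.

```powershell
# Added example, not from the original article: audit the Default Domain Policy
# password settings against a baseline and report anything weaker than it.
# Assumes the ActiveDirectory RSAT module; baseline values are illustrative assumptions.
Import-Module ActiveDirectory

$Baseline = @{
    MaxPasswordAgeDays   = 42      # article default; 0 means never expire
    MinPasswordAgeDays   = 1       # article default
    MinPasswordLength    = 14      # assumed; long enough to encourage passphrases
    PasswordHistoryCount = 24      # article default and maximum
}

$policy   = Get-ADDefaultDomainPasswordPolicy
$findings = New-Object System.Collections.Generic.List[string]
# Maximum password age of 0 disables expiration entirely, which the article warns against.
$maxAgeDays = [int]$policy.MaxPasswordAge.TotalDays
if ($maxAgeDays -eq 0 -or $maxAgeDays -gt $Baseline.MaxPasswordAgeDays) {
    $findings.Add("MaxPasswordAge is $maxAgeDays days (0 = never expires); baseline $($Baseline.MaxPasswordAgeDays)")
}
# A minimum age below 1 day lets a user cycle through the whole history in minutes.
if ($policy.MinPasswordAge.TotalDays -lt $Baseline.MinPasswordAgeDays) {
    $findings.Add("MinPasswordAge is $($policy.MinPasswordAge.TotalDays) days; history can be cycled quickly")
}
if ($policy.MinPasswordLength -lt $Baseline.MinPasswordLength) {
    $findings.Add("MinPasswordLength is $($policy.MinPasswordLength); baseline $($Baseline.MinPasswordLength)")
}
if ($policy.PasswordHistoryCount -lt $Baseline.PasswordHistoryCount) {
    $findings.Add("PasswordHistoryCount is $($policy.PasswordHistoryCount); baseline $($Baseline.PasswordHistoryCount)")
}
if (-not $policy.ComplexityEnabled) {
    $findings.Add("Complexity requirements are disabled")
}
# Reversible encryption stores passwords in a recoverable form; it should stay off.
if ($policy.ReversibleEncryptionEnabled) {
    $findings.Add("Reversible encryption is enabled: passwords are recoverable from AD")
}

if ($findings.Count -eq 0) {
    Write-Output "Default Domain Policy meets the baseline."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    # Remediation; -WhatIf previews the change without applying it.
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
        -MaxPasswordAge (New-TimeSpan -Days $Baseline.MaxPasswordAgeDays) `
        -MinPasswordAge (New-TimeSpan -Days $Baseline.MinPasswordAgeDays) `
        -MinPasswordLength $Baseline.MinPasswordLength `
        -PasswordHistoryCount $Baseline.PasswordHistoryCount `
        -ComplexityEnabled $true -ReversibleEncryptionEnabled $false -WhatIf
}
```

Remove -WhatIf only after reviewing the warnings; the Default Domain Policy applies to every domain user and computer.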

These settings are meant to increase password security but can have a negative effect on end users. Complex passwords get forgotten, so any time password complexity is introduced there will be an uptick in helpdesk password reset calls. According to the research firm Gartner, these calls can account for 30-40% of support costs.

To deflect password reset calls from the helpdesk, organizations should implement passphrases, which are outside the scope of native Active Directory settings. Passphrases are long passwords made up of unrelated words; they are harder to crack but easier for users to remember. In fact, the National Institute of Standards and Technology (NIST) recommends them, together with its requirement that a maximum password length of at least 64 characters be allowed; however, NIST also advises eliminating password expiration, as it can lead users to make poor password construction decisions.

Eliminating password expiry can leave an organization exposed indefinitely if an attacker has gotten hold of a user’s account. A better approach is length-based password aging. Combined with passphrases, it incentivizes users to create longer, stronger passwords by rewarding them with less frequent changes. Forced password changes will always cause users some disruption, but the features described above can alleviate some of the frustration. Another important consideration is to display the password rules dynamically to users as they change their passwords. If there is too much guesswork involved, users will revert to calling the helpdesk.

Active Directory password reset

Even with the user-oriented features noted in the section above, password reset calls to the helpdesk will still occur. Active Directory password resets are most commonly performed using Active Directory Users and Computers, where a user’s password can be reset with just a few clicks. The same can be accomplished by other methods; the Active Directory Administrative Center user interface and PowerShell are two examples.
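The PowerShell route mentioned above, as an added example that is not code from the article: it performs a reset (not a change, so the old password is not needed), forces the user to choose their own password at next logon, and returns the details an auditor would ask for. The ActiveDirectory RSAT module, Reset Password rights on the target OU, and the user name 'jdoe' are assumptions and placeholders.

```powershell
# Added example, not from the original article: helpdesk-style password reset
# that leaves only a temporary credential behind. Assumes the ActiveDirectory
# module and a placeholder account name.
Import-Module ActiveDirectory

function Reset-UserPasswordTemporary {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [System.Security.SecureString] $NewPassword
    )
    # -Reset sets a new password without knowing the old one: a reset, not a change.
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword
    # The user must pick their own password at next logon, so the value the
    # helpdesk knows is never the long-term credential.
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true
    # Clear any lockout left by the failed attempts that usually precede a reset call.
    Unlock-ADAccount -Identity $SamAccountName
    # Return the evidence an auditor wants: which account, when, and by whom.
    Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, LockedOut |
        Select-Object SamAccountName, PasswordLastSet, LockedOut,
            @{ n = 'ResetBy'; e = { "$env:USERDOMAIN\$env:USERNAME" } }
}

# Read the temporary password interactively so it never lands in a script or shell history.
$temp = Read-Host -Prompt 'Temporary password for the user' -AsSecureString
Reset-UserPasswordTemporary -SamAccountName 'jdoe' -NewPassword $temp   # 'jdoe' is a placeholder
```

Set-ADUser -ChangePasswordAtLogon fails on accounts flagged "Password never expires", so check that flag first for service-style accounts.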

A current gap within organizations is user identity verification – most rely on insecure methods, such as employee ID or security questions. In fact, password reset user verification is not mentioned in recommendations set forth by industry, or regulatory bodies, although it is a highly exploited attack vector. This is where proactive steps are necessary.

Given that password reset calls take a significant percentage of the service desk’s call load, organizations must look to a self-service password reset solution to reduce this cost and maximize security. The solution should support secure user verification methods that go beyond security questions: although widely used, answers to security questions are cumbersome for users to recall, and security questions are recognized as an insecure form of authentication because the answers can be obtained through social engineering. More secure forms of authentication should be considered, especially ones already in use, to eliminate the need for users to enroll in a new system while extending the ROI of existing assets.

Active Directory password reset and change best practices

Ultimately, there isn’t a one-size-fits-all approach. IT departments need to balance the user experience while maximizing security. When setting a secure password policy, consider following these password change/password reset best practices:

  • Turn on password expiration with length-based password aging to promote secure password construction behavior while reducing risk.
  • Secure all password reset scenarios at the helpdesk and self-service with more secure forms of authentication.
  • Display password rules dynamically to users changing or resetting their passwords. Frustrated users will contact the helpdesk.

You can start balancing the scale today with Specops uReset, a self-service password reset solution facilitating Active Directory password resets and changes. Through a graphic password policy rule display, the solution reduces errors and guess-work for end-users. Its robust multi-factor authentication engine includes various forms of user-verification that can extend authentication security to the helpdesk.
