“Why do we have to reset our passwords so often?” It’s one of the most common end-user complaints that cybersecurity teams encounter, but there are ways to address it – and upgrade security at the same time.
By demonstrating the logic behind password reset requirements – and by making other, less noticeable tweaks to standard password settings – it’s possible to greatly enhance password security without generating more end-user frustration or overwhelming the help desk.
It’s probably no surprise that one of the most frequently requested adjustments to standard Microsoft® Active Directory® (Microsoft AD) settings is to relax the requirement that passwords be reset every 90 days.
Most users intuitively understand the need for longer and more complex passwords that make guessing more difficult, but password reset requirements are another story. The purpose of the requirements is to limit the number of guesses an attacker can make, but the reasoning behind them is not always clear to end users – or even to the IT team.
For example, the typical “three guesses before lockout” setting doesn’t tell us much if we don’t also consider the duration of the lockout and the counter reset time. That is, if an attacker makes several unsuccessful attempts and then quits before being locked out, how long before the guess counter resets to zero?
When we factor in that variable, we see that “three guesses before lockout,” combined with the standard 30-minute counter reset, could actually allow 48 pairs of guesses – a total of 96 guesses per day – provided the attacker stops after two unsuccessful attempts and then waits 30 minutes for the counter to reset before trying again.
Ultimately, what matters is the total number of guesses an attacker is allowed over the life of the password. This can be calculated using a simple formula:
(<guesses before lockout> – 1) * (<minutes in a day> / <counter reset time in minutes>) * <number of days the password is valid>
Here’s how that formula would work using standard Microsoft AD settings (three guesses before lockout, a 30-minute counter reset, and a 90-day password reset):
(3 – 1) * (1440/30) * 90 = 8,640 guesses over the life of the password
But look what happens if the password reset is extended to once a year (which is quite common in many companies):
(3 – 1) * (1440/30) * 365 = 35,040 guesses over the life of the password
When the issue is presented this way, most users will recognize that offering hackers an extra 26,400 free guesses is an unacceptable risk.
Bear in mind that longer passwords and more frequent resets are only two elements of the overall password security strategy. In addition to explaining the mathematical logic behind these requirements, IT teams can also boost end-user acceptance by offering some trade-offs that users will appreciate – trade-offs that can actually improve security even more.
For example, here are the standard Microsoft AD password security settings:
We generally recommend clients move up to longer password length requirements, and then adjust some of the other settings to achieve a configuration something like this:
Usually, the counter resets when a user performs a successful login. So the real-world result of the 24-hour counter reset is that attackers will typically get not one but two attempts per day – in this case, two sets of four guesses – once in the morning when an employee logs in and once again after lunch.
Even so, our formula demonstrates that these new settings would dramatically reduce the number of guesses allowed over the life of the password:
(5 – 1) * (2) * 90 = 720 guesses over the life of the password
Allowing users a few more guesses before lockout can help improve user acceptance of longer passwords, while having only a minimal impact on security. The effect is more than offset by the extended counter reset and lockout times. Even extending the password reset requirement to 180 days allows only 1,440 guesses over the life of the password.
When combined with the considerable advantages of longer password length, these settings can significantly enhance security, while minimizing the burden on end users and help desk staff.
Microsoft and Active Directory are registered trademarks of Microsoft Corp. in the United States and/or other countries.
In accordance with applicable professional standards, some firm services may not be available to attest clients.
© 2017 Crowe Horwath LLP, an independent member of Crowe Horwath International.
As of June 1, 2016, the professionals of AbleBridge have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm. We continue our focus on Microsoft Dynamics® CRM (now Dynamics 365) sales and implementation as well as innovative add-on products.
The personnel of SDGblue have joined Crowe Horwath LLP, a public accounting, consulting, and technology firm with a global risk consulting practice and offices around the world. This move provides SDGblue clients access to a broader range of products, services, and solutions, while expanding the Crowe cybersecurity risk management capabilities with a deeply specialized team.
Looking for the Client Login?
Access the SDGblue Client Portal