A password is something you know, and this has been the standard means of authenticating users’ identities for many years. Password authentication costs nothing to implement, and it can be relatively secure. However, there are many possible flaws in the password authentication model. For example, passwords can be forgotten, shared, written down, easily guessed, or overly simple.
Administrators can create policies that specify rules for creating and maintaining passwords to prevent users from creating passwords that provide too little security. Operating systems and directory services, such as Entra ID and AD DS, include tools that administrators can use to create and enforce such policies.
In Entra ID, user accounts are subject to the following password policies:
- Characters allowed: Specifies the characters that users may use when creating passwords, including upper- and lowercase alphabetical characters, numbers, blank spaces, and most symbols.
- Password restrictions: Specifies that passwords must have from 8 to 256 characters and contain three of the following four character types: uppercase, lowercase, number, and symbol.
- Password expiry duration: Specifies that passwords expire in 90 days by default. The value can be modified using the Set-MsolUser PowerShell cmdlet.
- Password expiry notification: Specifies that users receive a password expiration notification 14 days before the password is set to expire. The value can be modified using the Set-MsolPasswordPolicy PowerShell cmdlet.
- Password expiry: Specifies a default value of False, meaning that password expiry is not disabled: the password will expire after the Password expiry duration interval. The value can be modified using the Set-MsolUser PowerShell cmdlet.
- Password change history: Specifies that users cannot reuse the same password when changing passwords.
- Password reset history: Specifies that users can reuse the same password when resetting a forgotten password.
- Account lockout: Causes users to be locked out of their accounts for one minute after 10 unsuccessful but unique sign-in attempts. Additional unsuccessful attempts result in longer lockout intervals.
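As an added example (not code from the page or from Microsoft), the following Python checker applies the Entra ID rules listed above to a candidate password: the 8 to 256 character length, the three-of-four character-class rule, the allowed character set, and the distinction between a password change (reuse rejected) and a reset (reuse allowed). The exact symbol set and the choice not to count a blank space toward any character class are assumptions, since the page only says "most symbols".

```python
import string

# Rules as listed on this page for Entra ID. The symbol set is an assumption
# taken from Microsoft's published list; the page only says "most symbols".
MIN_LEN, MAX_LEN = 8, 256
ALLOWED_SYMBOLS = set("@#$%^&*-_!+=[]{}|\\:',.?/`~\"();<>")
ALLOWED_CHARS = set(string.ascii_letters + string.digits + " ") | ALLOWED_SYMBOLS


def character_classes(password: str) -> set:
    """Return which of the four classes (upper, lower, digit, symbol) appear.
    A blank space is allowed but (assumption) not counted toward any class."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in ALLOWED_SYMBOLS:
            classes.add("symbol")
    return classes


def policy_violations(password: str, previous: str = None, operation: str = "change") -> list:
    """Return the names of the rules a candidate password breaks ([] means compliant).

    operation is "change" (user changes their own password: reuse of the
    current one is rejected) or "reset" (forgotten-password reset: reuse allowed).
    """
    violations = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        violations.append("length")
    if any(ch not in ALLOWED_CHARS for ch in password):
        violations.append("disallowed-character")
    if len(character_classes(password)) < 3:
        violations.append("complexity")
    if operation == "change" and previous is not None and password == previous:
        violations.append("reuse")
    return violations


if __name__ == "__main__":
    # Constructed sample candidates: one compliant, three that each break a rule.
    for candidate in ("Passw0rd!", "password", "Pass1", "Pässw0rd!"):
        print(candidate, "->", policy_violations(candidate) or "compliant")
```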
In AD DS, administrators can configure password settings using Group Policy. The available settings have slightly different names, but their functions are essentially the same.
These password policies are designed to prevent users from creating overly simple passwords for convenience, but password security is difficult for administrators to enforce. Users can still create passwords that would be easy for attackers to guess by using their children’s names and birthdays, for example. There is also no software setting that can prevent users from writing their passwords down or sharing them with their coworkers.
As threats to network security become ever more severe, administrators have sought ways to enhance the security of the authentication process. Alternative authentication methods have been available for many years, which could conceivably augment or replace passwords, but until recently, these technologies were too expensive or inconvenient to be practical for the average user base. The increased need for identity protection has brought these authentication technologies to a wider market, resulting in lower prices. And the need is constantly increasing. Microsoft 365 includes the ability to enhance the authentication process’s security in various ways.
Multifactor authentication
Multifactor authentication is a procedure in which users prove their identities in two or more ways. Typically, in addition to a password—something you know—users must supply a different authentication factor: something you are or something you have.