Password security in Enterprise
Even today, passwords are generally insecure, often re-used, easy to guess and users can be tricked into giving them out. In fact, passwords don’t guarantee the user is who they say they are at all.
Most systems enforce a form of password security, which is generally a series of guidelines to ensure users cannot use something very simple and easy to guess for their password e.g. password, 1234 and qwerty.
Normally organisations use password complexity rules alongside expiration rules setting a password’s lifetime for 30 to 90 days. At this point however, users will generally modify their existing password slightly by changing a few characters at the front or the back of the phrase.
The ability to guess a password can often be easier in an enterprise environment as we can assume that most users’ passwords will start with a capital, be minimum number of characters and end with a number or a symbol.
The danger with this is that it reduces the number of possible variations for software cracking software. Password spray attacks can also be very effective against in active directory if the attacker knows the password policy.
Password re-use
Users generally re-use the same passwords across multiple systems inside and outside your organisation. Meaning a breach of an online service may give an attacker access to your organisation.
According to a study, among 28.8 million users, 38% have reused the same password in two different services
Tricking users to give out passwords
In recent years phishing has become one of the most common ways of getting corporate users to provide their details in order to breach their accounts. Social engineering attacks are incredibly difficult to guard against and require constant vigilance from both the organisation and its employees.
The solution is simpler than you think
These risks can be overcome with modern, cryptographically backed authentication mechanisms based on something that the user has (i.e. FIDO2 key, mobile device), or based on who the user is (i.e. biometrics).
Whereas a password can be learned, it’s far more difficult to mimic biometrics or a cryptographic token and users cannot be coerced into giving them away.
What tools does Microsoft offer to help me?
Biometric authentication with Windows Hello for business, going password-less with Microsoft Authenticator (currently in public preview) and support for FIDO2 keys are tools available.
As you move to Microsoft 365 and start leveraging the Microsoft productivity suite of apps that support Modern Authentication you can start to go password-less.
Modern authentication enables sign-in features such as Multi-Factor Authentication (MFA), SAML-based third-party Identity Providers, smart card and certificate-based authentication, and it removes the need for the Microsoft productivity apps to use the basic authentication protocol.
Basic authentication is the old way for a client to authenticate to a server. During this authentication, the clients sends it’s username and password to the server every time.
Going password-less will not only improve your user experience but will significantly improve the security of your organisation.