Prioritizing Passphrases Over Complex Rules
Traditional password complexity rules often backfire. When users are forced to include symbols, numbers, and mixed cases, they tend to rely on predictable patterns like ‘Password!2026.’ A more effective approach is to emphasize password length over complexity. Passphrases constructed from multiple unrelated words are easier to remember and much harder for attackers to crack. Security teams should consider raising the minimum password length, for instance to 15 characters or more, and allow passwords up to 64 characters as recommended by NIST. This shift reduces the need for awkward password combinations while strengthening overall security.
Blocking Weak and Compromised Credentials
Even with longer passwords, users often choose common or weak options that are susceptible to password spraying attacks. Organizations should actively prevent weak password creation by using tools that support custom banned word lists. These lists can block terms related to usernames, display names, repeated characters, or incremental changes. Additionally, checking new passwords against databases of known compromised credentials helps ensure that breached passwords are never used in Active Directory. Stopping weak passwords at the point of creation is far more effective than addressing compromises after they occur.
Reducing Friction with Modern Policies
Frequent mandatory password resets often lead users to make only minimal changes, like incrementing a number. Policies should move away from forced expiration unless there is evidence of a compromise. Instead, tying expiration periods to password length encourages users to create stronger credentials with the reward of extended expiry. Pair this with approved password managers, which allow users to generate and store unique credentials for each system, eliminating the burden of memorization. Self-service password reset systems, secured by MFA, can drastically reduce helpdesk tickets by letting users recover accounts quickly. Clear and timely notifications about upcoming expirations further prevent frustrating lockouts and keep users compliant without disruption.
Source: BleepingComputer
