While these recommendations are specific to Windows/Active Directory and Password Firewall, the same concepts can be applied to our API customers protecting a website or app.

Password Policy settings:

• Change the AD password policy to be a single, easy to understand, policy for the whole organization
• Set a longer minimum length requirement (commonly 10 or 12 characters)
• Enforce Password History of 24 (so people cannot use a previously chosen password)
• Minimum Password Age (typically 1 day to avoid people continually changing passwords to defeat the history requirement)
• Complexity requirements disabled (use a Password Firewall feature instead)
• Maximum Password Age is increased (commonly 180 days or 1 year)  <- end-users love this!

Password Firewall settings:

• Enable Required Character Sets option (commonly 2 or 3) – this replaces the AD password complexity requirement
• Populate and use the custom blacklist feature (optional)
• Optionally also query the Pwned Passwords blacklist (in addition to the Password RBL curated blacklist)
• Enable Password Double-Check (eliminates end-users simply adding digits to the end of bad passwords)

After doing this, organizations can be confident that their employees are choosing strong passwords. Yes, users will need to update their password in 180 days or 1 year, but this is not very inconvenient and when they do, their password choice is scrutinized against blacklists again (to catch any passwords that have since been added to the blacklists).

Now, these organizations have an easy to understand password policy with a good length requirement (10+ characters), easy to meet complexity requirements, and they know that all the passwords in their Active Directory have already been scrutinized against up to 3 blacklists.  Therefore, even if the business is hit by a credential stuffing/password spray attack, which will probably happen, it will not be successful.

The post Password Policy Recommendations for 2020 appeared first on Password RBL.

When a user picks a password, it gets checked against the Active Directory password policy. If it meets the policy, then Password Firewall checks to make sure it isn’t blacklisted. If the blacklist query comes back negative (the password is not on any blacklists) then the password is allowed. This is normal behavior.

But if you enable DoubleCheck, before allowing the password choice, another check is performed. Password Firewall will drop any digit characters (0-9) from the end-user’s password choice. Then the “new” password is queried against blacklists.  If the blacklist query comes back negative this time, the password is allowed. If the blacklist query comes back positive, then we have an end-user who is choosing a known bad password, but simply adding a number or two at the end. This isn’t very secure, so Password Firewall (with DoubleCheck enabled) will make the end-user pick a new password.

Password DoubleCheck Works for Custom Blacklists and Pwned Passwords, too!

Since this process is all client-side, the DoubleCheck process works for all blacklists you are configured to query. This includes the Password RBL curated blacklist, Pwned Passwords and your own custom blacklist.

DoubleCheck makes using Custom Blacklists easier.

Enabling DoubleCheck definitely increases your security, but it also makes populating Custom Blacklists easier. Once we enable DoubleCheck, we know Password Firewall will catch any blacklisted permutations, even if they have a string of numbers at the end. So, this means that you do not need fill your custom blacklist with any permutations that end in digits! This makes generating the permutations and adding them to your custom blacklist faster and easier! Now that’s a win-win.

The post Feature Post: Password DoubleCheck appeared first on Password RBL.