Which of the following password policies defines the number of previous passwords that cannot be reused when resetting a user's password?

A strong password policy is any organization’s first line of defense against intruders. In Microsoft Active Directory, you can use Group Policy to enforce and control many different password requirements, such as complexity, length and lifetime.

The default domain password policy is located in the following Group Policy object (GPO): Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

Starting from Windows Server 2008 domain functional level, you can define fine-grained policies for different organizational units using the Active Directory Administrative Center (DSAC) or PowerShell. 
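
As an added example (not code from the original article), here is how the fine-grained policy mentioned above can be created and applied with the ActiveDirectory PowerShell module. The policy name, the target group and the threshold values are assumptions chosen for illustration; the values follow the best practices this page lists later (history of 10 passwords, minimum age of 3 days, 15-character minimum for domain admins, 90-day maximum age). Note that a fine-grained policy is applied to users and global security groups, not directly to an organizational unit.

```powershell
# Added example (not from the original article): create a fine-grained password
# policy (PSO) for privileged users and apply it to a group. Assumes the
# ActiveDirectory RSAT module and a domain at Windows Server 2008 functional
# level or higher. The policy name and group below are placeholders.
Import-Module ActiveDirectory

$psoName   = 'PSO-PrivilegedUsers'   # placeholder policy name
$targetGrp = 'Domain Admins'         # group the policy should apply to

# Create the PSO only if it does not already exist. When a user is covered by
# several PSOs, the one with the lowest Precedence value wins.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordLength 15 `
        -PasswordHistoryCount 10 `
        -MinPasswordAge (New-TimeSpan -Days 3) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -Description 'Stricter password policy for privileged accounts'
}

# Link the PSO to the group (PSOs target users and global security groups,
# not organizational units).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $targetGrp

# Verify which policy actually wins for one user member of the group.
$member = Get-ADGroupMember -Identity $targetGrp |
    Where-Object objectClass -eq 'user' |
    Select-Object -First 1
Get-ADUserResultantPasswordPolicy -Identity $member.SamAccountName |
    Select-Object Name, Precedence, MinPasswordLength, PasswordHistoryCount,
                  MinPasswordAge, MaxPasswordAge, ComplexityEnabled
```

Run it from a domain-joined machine as an account allowed to create objects in the Password Settings Container; the final query is the check that confirms the new PSO, and not the default domain policy, is what the privileged user will actually be evaluated against.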

NIST password guidelines

The National Institute of Standards and Technology (NIST) offers Digital Identity Guidelines for a sound password policy, including the following recommendations:

Password complexity and length

Many organizations require passwords to include a variety of symbols, such as at least one number, both uppercase and lowercase letters, and one or more special characters. However, the benefit of these rules is not nearly as significant as expected, and they make passwords much harder for users to remember and type. 

Password length, on the other hand, has been found to be a primary factor in password strength. Accordingly, NIST recommends encouraging users to choose long passwords or passphrases of up to 64 characters (including spaces).

Password age

Previous NIST guidelines recommended forcing users to change passwords every 90 days (180 days for passphrases). However, changing passwords too often irritates users and usually makes them reuse old passwords or use simple patterns, which hurts your information security posture. While strategies to prevent password reuse can be implemented, users will still find creative ways around them.

Therefore, the current NIST recommendation on maximum password age is to ask employees to create a new password only in the case of a potential threat or suspected unauthorized access.

Passwords especially susceptible to brute force attacks

It’s wise to discourage or prohibit the following passwords:

  • Easy-to-guess passwords, especially the phrase "password"
  • A string of numbers or letters like “1234” or “abcd”
  • A string of characters appearing sequentially on the keyboard, like “@#$%^&”
  • A user’s given name, the name of a spouse or partner, or other names
  • The user’s phone number or license plate number, anybody’s birth date, or other information easily obtained about a user (e.g., address or alma mater)
  • The same character typed multiple times like “zzzzzz”
  • Words that can be found in a dictionary
  • Default or suggested passwords, even if they seem strong
  • Usernames or host names used as passwords
  • Any of the above followed or preceded by a single digit
  • Passwords that form a pattern by incrementing a number or character at the beginning or end

Best practices for password policy

Administrators should be sure to:

  • Configure a minimum password length.
  • Enforce password history policy with at least 10 previous passwords remembered.
  • Set a minimum password age of 3 days.
  • Enable the setting that requires passwords to meet complexity requirements. This setting can be disabled for passphrases but it is not recommended.
  • Reset local admin passwords every 180 days. This can be done with the free Netwrix Bulk Password Reset tool.
  • Reset service account passwords once a year during maintenance.
  • For domain admin accounts, use strong passphrases with a minimum of 15 characters.
  • Track all password changes using a solution such as Netwrix Auditor for Active Directory.
  • Create email notifications for password expiration. This can be done with the free Netwrix Password Expiration Notifier tool.
  • Instead of editing the default settings in domain policy, it is recommended to create granular password policies and link them to specific organizational units.
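
The checklist above can be turned into a repeatable audit. The following script is an added example, not part of the original article or any Netwrix tool: it reads the default domain password policy with the ActiveDirectory module, compares each setting with the values listed above, and reports service-account passwords older than one year. The group name 'ServiceAccounts' (as the way of identifying service accounts) and the 8-character minimum length (taken from the later section on minimum password length) are assumptions.

```powershell
# Added example (not from the original article): compare the default domain
# password policy against the best-practice values listed above and flag
# service accounts whose password is older than a year. Assumes the
# ActiveDirectory RSAT module; 'ServiceAccounts' is a placeholder group name.
Import-Module ActiveDirectory

$policy = Get-ADDefaultDomainPasswordPolicy

# One entry per check: description, pass/fail, and the observed value.
$checks = @(
    @{ Name  = 'Minimum password length configured (>= 8)'
       Pass  = $policy.MinPasswordLength -ge 8
       Value = $policy.MinPasswordLength },
    @{ Name  = 'Password history of at least 10 passwords'
       Pass  = $policy.PasswordHistoryCount -ge 10
       Value = $policy.PasswordHistoryCount },
    @{ Name  = 'Minimum password age of at least 3 days'
       Pass  = $policy.MinPasswordAge.TotalDays -ge 3
       Value = $policy.MinPasswordAge },
    @{ Name  = 'Complexity requirements enabled'
       Pass  = $policy.ComplexityEnabled
       Value = $policy.ComplexityEnabled },
    @{ Name  = 'Reversible encryption disabled'
       Pass  = -not $policy.ReversibleEncryptionEnabled
       Value = $policy.ReversibleEncryptionEnabled }
)

foreach ($c in $checks) {
    $status = if ($c.Pass) { 'OK  ' } else { 'FAIL' }
    '{0} {1} (current: {2})' -f $status, $c.Name, $c.Value
}

# Service accounts: the page says to reset them once a year, so flag any whose
# password was last set more than 365 days ago.
$cutoff = (Get-Date).AddDays(-365)
Get-ADGroupMember -Identity 'ServiceAccounts' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires |
    Where-Object { $_.PasswordLastSet -lt $cutoff } |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
```

The first part only reads the default domain policy; if fine-grained policies are in use, run Get-ADUserResultantPasswordPolicy for representative users as well, since that is the policy that actually applies to them. The second part is deliberately read-only so it can be scheduled and its output compared from run to run.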

Additional password and authentication best practices

  • Enterprise applications must support authentication of individual user accounts, not groups.
  • Enterprise applications must protect stored and transferred passwords with encryption to ensure hackers won’t crack them.
  • Users (and applications) must not store passwords in clear text or in any easily reversible form, and must not transmit passwords in clear text over the network.
  • Use multi-factor authentication (MFA) whenever possible to mitigate the security risks of stolen and mishandled passwords.
  • When employees leave the organization, change the passwords for their accounts.
  • Reduce user frustration and helpdesk workload by helping users choose new passwords that meet requirements, proactively reminding them of impending password expiration, and allowing them to change their password in a web browser.

User education 

In addition, be sure to educate your users about the following:

  • It is vital to remember your password without writing it down somewhere, so choose a strong password or passphrase that you will easily remember. If you have a lot of different passwords, you can use a password management tool, but you must choose a strong master key and remember it.
  • Be aware of how passwords are sent across the internet. URLs (web addresses) that begin with “https://” rather than “http://” are more likely to be secure for use of your password.
  • If you suspect that someone else may know your current password, change it immediately.
  • Don’t type your password while anyone is watching.
  • Avoid using the same password for multiple websites containing sensitive information.

In complex environments, it is recommended to enforce granular password policies for both regular and privileged users so that IT administrators can quickly respond to new requirements and minimize the risks of compromises due to weak or stolen passwords. Netwrix Password Policy Enforcer software empowers admins to easily enforce strong password policies and significantly reduces policy management workload on tech staff. 

Regular audits also can help you ensure your password policies are protecting your systems against attacks. Events related to Windows Server password policy are recorded in the Security Event Log on the default domain controller. By reviewing these logs, system administrators can determine who made changes to password policy settings, and when and where (on what domain controller) each change happened. For additional important tips on auditing password policy GPOs, see the Active Directory Group Policy Auditing Quick Reference Guide.
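
As an added example (not from the original article), the following script pulls the event Windows writes when the domain policy changes, ID 4739 "Domain Policy was changed", from the Security log of the PDC emulator, the domain controller on which such changes are recorded. It shows who made the change and when, and which policy values the event carries; the 30-day window is an assumption, and the event data field names are the ones documented for event 4739.

```powershell
# Added example (not from the original article): list "Domain Policy was
# changed" events (ID 4739) from the Security log of the PDC emulator and show
# who changed the policy and when. Assumes the ActiveDirectory module, remote
# event log access to the PDC emulator, and that auditing of policy changes
# (Audit Authentication Policy Change) is enabled.
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-30)      # assumed reporting window

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4739
    StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Read the named fields from the event XML; names follow the 4739 schema.
    # Fields that did not change in a given event are reported as "-".
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time       = $e.TimeCreated
        Controller = $e.MachineName
        ChangedBy  = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Change     = $data['DomainPolicyChanged']
        MinLength  = $data['MinPasswordLength']
        History    = $data['PasswordHistoryLength']
        MinAge     = $data['MinPasswordAge']
        MaxAge     = $data['MaxPasswordAge']
    }
}
```

This gives the who, when and where that the paragraph above describes. It also illustrates the limitation discussed next: the event records that the password policy was modified and the resulting values, but not the name of the GPO in which the edit was made.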

However, native auditing tools won’t show you the most critical details, such as the name of the Group Policy object in which password policy was changed and the type of action that was performed. Moreover, it’s nearly impossible to understand which policies apply to which groups and identify discrepancies. For effective password policy management, you need software that provides more insight into password policy modifications, such as Netwrix Auditor for Active Directory.

We all know that a strong password policy is the front line of defense to protect our financial transactions, personal communications and private information stored online. For end users, using a strong password at work is as important as it is at home: it is your own personal bodyguard, defending you with everything it has against serious security threats, scammers and hackers. That’s where the system administrator comes in, to make sure that proper rules and policies are in place to help alleviate that burden.

Most users understand the nature of security risks related to easy-to-guess passwords, but become frustrated when dealing with unfamiliar criteria or trying to remember 30 different passwords for their multiple accounts. That is why system administrators now play a major role in making sure that each user is well aware of the security risks they face every day. To achieve that, they need strong password policies and best practices.

Password policies are a set of rules which were created to increase computer security by encouraging users to create reliable, secure passwords and then store and utilize them properly.

Here are some of the password policies and best practices that every system administrator should implement:

1. Enforce Password History policy

The Enforce Password History policy sets how many previous passwords are remembered, and therefore how soon an old password can be reused. It should be implemented with a minimum of 10 previous passwords remembered. This policy discourages users from reusing a previous password, thus preventing them from alternating between several common passwords. Some tech-savvy users might try to work around the Enforce Password History policy; to prevent that, use the Minimum Password Age policy.

2. Minimum Password Age policy

This policy determines how long users must keep a password before they can change it. The Minimum Password Age prevents a user from dodging the password history by setting a new password and then immediately changing it back to their old one. The minimum age should be set to between three and seven days, so that users are less inclined to switch back to an old password but are still able to change it within a reasonable amount of time. As a system administrator you must keep in mind that this policy could also prevent a user from immediately changing a compromised password, so if the user can’t change it, it will be up to you to make the change.

3. Maximum Password Age policy

The Maximum Password Age policy determines how long users can keep a password before they are required to change it. This policy forces the user to change their passwords regularly. To ensure a network’s security you should set the value to 90 days for passwords and 180 days for passphrases.

4. Minimum Password Length policy

This policy determines the minimum number of characters needed to create a password. You would generally want to set the Minimum Password Length to at least eight characters since long passwords are harder to crack than short ones. For even greater security, you could set the minimum password length to 14 characters. A word of advice: if you haven’t changed the default setting, you should change it immediately since sometimes the default is set to zero characters, meaning that it allows empty passwords.

5. Passwords Must Meet Complexity Requirements policy

By enabling the Passwords Must Meet Complexity Requirements policy, you’ll go beyond the basic password and account policies and ensure that every password is secured following these guidelines:

  • Passwords can’t contain the user name or parts of the user’s full name, such as their first name.
  • Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols.
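
To make the two rules concrete, here is an added example (not from the original article) of a PowerShell function that checks a candidate password against them, followed by constructed test passwords for a fictitious account. It implements the rules as the article states them; the comments note where the Windows implementation adds detail (name tokens of two characters or fewer are ignored, and Windows also counts other Unicode characters as a fifth character class).

```powershell
# Added example (not from the original article): apply the two complexity rules
# listed above to a candidate password. The account details at the bottom are
# constructed for illustration, not real accounts.
function Test-PasswordComplexity {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string] $SamAccountName = '',
        [string] $DisplayName    = ''
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    # Rule 1: the password must not contain the account name or parts of the
    # full name. Windows splits the display name on , . - _ space # and tab,
    # ignores tokens of two characters or fewer, and compares case-insensitively.
    $tokens = @()
    if ($SamAccountName.Length -ge 3) { $tokens += $SamAccountName }
    $tokens += ($DisplayName -split '[,.\-_ #\t]+') | Where-Object { $_.Length -gt 2 }
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains name token '$t'")
        }
    }

    # Rule 2: at least three of the four character classes named above.
    # (Windows additionally treats other Unicode characters as a fifth class.)
    $classes = 0
    if ($Password -cmatch '[a-z]')        { $classes++ }   # -cmatch: case-sensitive
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^a-zA-Z0-9]') { $classes++ }   # symbols, incl. space
    if ($classes -lt 3) { $reasons.Add("only $classes of 4 character classes") }

    [pscustomobject]@{
        Password = $Password
        Passes   = ($reasons.Count -eq 0)
        Reasons  = ($reasons -join '; ')
    }
}

# Constructed test account and candidate passwords.
$user = @{ SamAccountName = 'jsmith'; DisplayName = 'Smith, John A.' }
'correct horse battery staple',   # lowercase plus spaces: only two classes
'Tr0ub4dor&3',                    # four classes, no name tokens: passes
'JohnSmith2024!',                 # four classes but contains "John" and "Smith"
'Jsmith!2024' |                   # contains the account name (case-insensitive)
    ForEach-Object { Test-PasswordComplexity -Password $_ @user } |
    Format-Table -AutoSize
```

The output lists each candidate with a Passes flag and the reasons it failed, which is the feedback a help desk or a self-service reset page would want to surface instead of a bare rejection. Note that the first candidate fails only because of the character-class rule; under the NIST guidance earlier on this page, a long passphrase like that is considered strong, which is why the article mentions that complexity can be disabled for passphrases.
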

6. Reset Password

The local administrator password should be reset every 180 days for greater security and the service account password should be reset at least once a year during maintenance time.

7. Use Strong Passphrases

Strong passphrases with a minimum of 15 characters should always be used to protect domain administrator accounts. While passwords and passphrases serve the same purpose, passwords are usually short, hard to remember and easy to crack, while passphrases are easier to remember and type but much harder to crack due to length.

8. Password Audit policy

Enabling the Password Audit policy allows you to track all password changes. By monitoring the modifications that are made it is easier to track potential security problems. This helps to ensure user accountability and provides evidence in the event of a security breach.

9. E-Mail Notifications

Create e-mail notifications prior to password expiry to remind your users when it’s time to change their passwords before they actually expire.

10. Store Password Using Reversible Encryption for All Users policy

I’ll start by saying that this policy should only be enabled on a per-user basis and then only to meet the user’s actual needs. As you all know, passwords in the password database are all encrypted and this encryption can’t normally be reversed. If your company uses an application that needs to read a password, then that is the only time you would want to enable this setting. Keep in mind that when enabling the Store Password Using Reversible Encryption for All Users policy, it’s like your passwords are stored as plain text, representing the same security risks. Always be cautious when enabling that policy.

Conclusion

We can’t emphasize enough the importance of educating your users on how to manage their strong passwords. Passwords are only one piece of the security puzzle. To keep your user accounts safe, it takes both an exhaustive process for a strong password and an easy to use password management solution, like Devolutions Server, to store and safeguard all those passwords. Never forget that a chain is only as strong as its weakest link.