Over the past few years, network security has become a top priority for most companies. One of the first steps businesses take to secure data stored in the cloud is to define a password strategy, and for a long time password expiration policies were the industry's go-to control.
The Office 365 service suite has been no exception. Every few months, Office 365 would ask users to update their passwords as part of its password expiration policy. The idea was that frequently rotated passwords limit the window in which a leaked or easily guessed password can be abused. But given the technological advances of the past few years, it is worth asking whether password expiration is still relevant.
The cybersecurity field itself has been looking closely at this question, and the debate intensified when Microsoft's security team announced that it was dropping the periodic password expiration requirement from its security baseline recommendations. Their reasoning: forcing users to change credentials too often drives them toward simpler and simpler passwords, which are easy to predict and crack.
Their main argument was that password expiration policies drove people (both end users and professionals) toward bad password habits rather than making organizations safer. People already tend to pick easy, predictable passwords. Adding the pressure of frequent mandatory changes makes them even easier to guess, because in practice the "new" password is the old one with a 1, 2, or 3 appended.
The Office 365 password policy requires users to choose a password with enough complexity to be considered safe. The policy consists of three primary elements as follows:
Through Azure AD Password Protection, Microsoft blocks known-weak passwords at the moment they are set or reset. There are two layers to the Microsoft solution: the global banned password list, which Microsoft maintains from its analysis of leaked credentials and applies to every Azure AD tenant at no extra cost, and a custom banned password list of organization-specific terms (company and product names, locations) that you define yourself. The custom list, and extending the checks to on-premises Active Directory, require an Azure AD Premium P1 or P2 subscription.
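To make the dictionary check concrete, here is a simplified model of the normalize-and-score algorithm Microsoft documents for Password Protection. This is an added illustration, not Microsoft's code: the banned-term list is a constructed stand-in for the global and custom lists, and the model omits the service's fuzzy (one-edit) matching and its checks against the user's first name, last name and tenant name.

```powershell
# Added illustration (not Microsoft's code): a simplified model of the
# normalize-and-score check that Azure AD Password Protection applies.
# $BannedTerms is a constructed stand-in for the global and custom lists.
function Test-BannedPasswordScore {
    param(
        [Parameter(Mandatory)] [string] $Password,
        [string[]] $BannedTerms = @('contoso', 'password', 'blank', 'welcome')
    )

    # Step 1: normalize. Lowercase, then undo the common substitutions
    # that the service documents (0 to o, 1 to l, $ to s, @ to a).
    $normalized = $Password.ToLowerInvariant()
    foreach ($pair in @(@('0', 'o'), @('1', 'l'), @('$', 's'), @('@', 'a'))) {
        $normalized = $normalized.Replace($pair[0], $pair[1])
    }

    # Step 2: substring-match banned terms, longest first. Each match
    # scores exactly one point no matter how long the term is.
    $score = 0
    $matched = @()
    $remaining = $normalized
    foreach ($term in ($BannedTerms | Sort-Object Length -Descending)) {
        while ($remaining.Contains($term)) {
            $remaining = $remaining.Replace($term, ' ')   # blank out the matched term
            $score++
            $matched += $term
        }
    }

    # Step 3: every leftover character scores one point. The service
    # accepts the password only if the total reaches 5.
    $leftover = $remaining.Replace(' ', '')
    $score += $leftover.Length

    [pscustomobject]@{
        Password   = $Password
        Normalized = $normalized
        Matched    = ($matched -join ',')
        Score      = $score
        Accepted   = ($score -ge 5)
    }
}

# The example from Microsoft's documentation: "C0ntos0Blank12" normalizes to
# "contosoblank12" and scores contoso(1) + blank(1) + "1"(1) + "2"(1) = 4, so it is rejected.
Test-BannedPasswordScore -Password 'C0ntos0Blank12'

# Four extra characters that match nothing push the same base over the threshold.
Test-BannedPasswordScore -Password 'C0ntos0Blank12xyz!'
```

The point the scoring makes is that appending a digit or two to a banned word, which is exactly the habit forced expiration encourages, does not get a password past the check; only characters that are not part of any banned term count toward the five points.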
As mentioned, Office 365 user passwords expire by default. You are notified that your password has expired when you sign in.
When changing your Office 365 password, the following guidelines should be taken into consideration:
1. The new password needs to have a minimum of 8 characters and must not exceed 256 characters.
2. It should contain at least 3 of the following 4 character types: uppercase letters, lowercase letters, digits, and symbols.
There are certain circumstances that require you to change your password. Here is when:
Whatever the reason for the change, select a new password that is totally unrelated to the old one, and do not reuse a password from another account.
What are the steps you need to take if you have forgotten your password?
The Azure Active Directory (Azure AD) Self-service password reset (SSPR) feature provides users the ability to change or reset their password without an administrator’s involvement.
For self-service password reset to work, users need to have verification methods registered in advance. Some of these methods might not be available, depending on how the administrator has set up your company's account. You can reset your password using:
Note that administrators cannot use security questions to reset their passwords, so they will not see that option.
Here are the steps users need to take for setting the verification methods:
Now, if a user's account is locked or you have simply forgotten your password, follow these steps to reset it:
Office 365 administrators are enabled for self-service password reset by default, and for admin accounts the reset always requires a two-gate policy, that is, two registered verification methods. If you are an admin and have forgotten your password, follow the Forgot my password steps described above. If you are unable to sign in, ask another global admin in your organization to reset your password, or call Microsoft Support.
In a hybrid AD environment with self-service password reset and password writeback enabled, users can change their password themselves from either the cloud or the on-premises AD, and the change is written back. If a user cannot change their own password for some reason, an AD or Azure AD admin can set a temporary password for them. If password writeback is not enabled, synchronized users and their admins can only change the password in the on-premises environment.
Here is a list of recommendations you can implement in your enterprise to foster password diversity.
Such passwords come in all shapes and sizes and are still surprisingly common. Banning them should be your primary requirement when users create passwords, because they are the first thing dictionary and brute-force attacks try. Common user passwords include sequences like abcdefg, password, monkey, or qwerty.
It is human to want to reuse the same password for different credentials, especially once you have found a strong one that you can easily remember. However, this is one of the most important messages to get across in your business: using organization passwords on external websites significantly increases the likelihood that cybercriminals will compromise them, because a breach of that external site hands the attacker your corporate password as well.
Start by ensuring that your users keep their contact and security information up to date (an alternate email address, a current phone number, or a device registered for push notifications); this adds a layer of security to every login. Encouraging, or better, enforcing multi-factor authentication allows your users to respond quickly to security challenges and to be notified of security events.
With multi-factor authentication, the user must provide two or more different types of proof of control associated with a specific digital identity, ensuring that they are the legitimate account owner.
Not only does this help users verify their identity if they ever forget their password, but it also adds an extra hurdle if someone else tries to take over their account. Finally, it provides an out-of-band notification channel for security events such as login attempts or changed passwords. To learn more, read about how to set up multi-factor authentication.
Conditional Access is a feature of Azure Active Directory that lets admins easily assign a policy across Office 365. Conditional Access policies are essentially if-then statements: if a user wants to access a resource, then they must complete an action. Not all applications require the same level of security, however. Consider a payroll manager who has to access the payroll application and a company employee working in the cafeteria: the former could be required to complete MFA, while the latter need not take any additional security steps.
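The payroll example above, expressed as a Conditional Access policy created through the Microsoft Graph PowerShell SDK. This is an added example, not code from the original article: it assumes the Microsoft.Graph module is installed, that the signed-in account holds the Policy.ReadWrite.ConditionalAccess permission, and the group, application and break-glass user IDs are placeholders for objects in your own tenant.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK and an account with Policy.ReadWrite.ConditionalAccess.
# All GUIDs below are placeholders for objects in your own tenant.
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

$payrollManagersGroupId = "00000000-0000-0000-0000-000000000001"   # placeholder: Payroll Managers group
$payrollAppId           = "00000000-0000-0000-0000-000000000002"   # placeholder: payroll application
$breakGlassUserId       = "00000000-0000-0000-0000-000000000003"   # placeholder: emergency access account

$policy = @{
    displayName = "Require MFA for payroll application"
    # Start in report-only mode: the sign-in logs show who would have been
    # challenged, without locking anyone out while you validate the scope.
    state = "enabledForReportingButNotEnforced"
    conditions = @{
        users = @{
            # "If" part: only payroll managers, never the break-glass account.
            includeGroups = @($payrollManagersGroupId)
            excludeUsers  = @($breakGlassUserId)
        }
        applications = @{
            # ...accessing the payroll app. Cafeteria staff and other apps are untouched.
            includeApplications = @($payrollAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # "Then" part: grant access only after MFA.
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# After reviewing report-only results in the sign-in logs, enforce the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two design choices matter here. The policy targets a group rather than individual users, so onboarding a new payroll manager is a group membership change rather than a policy edit, and it always excludes an emergency access account so that a misconfigured MFA policy cannot lock every admin out of the tenant.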
There are a few goals to keep in mind when trying to think of a new password:
Office 365 accounts have a default password expiration policy of 90 days. If you want your users never to have to reset their passwords, you need to change the password expiration policy. Although you can keep passwords expiring, it is not recommended, because, as discussed above, forced expiration does more harm than good and actually increases your risk exposure.
You can manage the password expiration policy via the Office 365 admin web interface. Here’s how:
The Office 365 admin portal lets you control the global password policy for users: whether passwords expire, the number of days before they expire, and the number of days before a user is notified of the upcoming expiration.
Setting a global password policy has many advantages, from security to in-house procedures. However, the admin center does not let you exempt a specific user from the global policy; for that you need PowerShell (the Microsoft Graph PowerShell SDK, or the older MSOnline or Azure AD modules). Consider, for example, an account whose password is used as a connector for an application: if the password expires, the connection is disrupted and the application might stop working. This is how to disable password expiration for a single user:
The password for that single user will now never expire. Be aware that the existing password's age is retained: if you later re-enable expiration at 90 days, any password that is already 90 or more days old will be forced to reset immediately.
To find out the status of user passwords and whether they are set to expire, use the following command:
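The whole procedure, tenant-wide policy, a single exempted service account and a status report, using the Microsoft Graph PowerShell SDK. This is an added example, not the article's own commands: it assumes the Microsoft.Graph module is installed, that the signed-in account holds Domain.ReadWrite.All and User.ReadWrite.All, and the domain name and user principal name are placeholders.

```powershell
# Added example (not from the original article). Assumes the Microsoft.Graph
# PowerShell SDK and an account with Domain.ReadWrite.All and User.ReadWrite.All.
# "contoso.com" and the UPN below are placeholders.
Connect-MgGraph -Scopes "Domain.ReadWrite.All", "User.ReadWrite.All"

# 1. Tenant-wide policy for one verified domain. 2147483647 days is the value
#    Microsoft documents for "never expire"; a finite value (for example 90)
#    re-enables expiration, with users warned 30 days ahead.
Update-MgDomain -DomainId "contoso.com" `
    -PasswordValidityPeriodInDays 2147483647 `
    -PasswordNotificationWindowInDays 30
Get-MgDomain -DomainId "contoso.com" |
    Select-Object Id, PasswordValidityPeriodInDays, PasswordNotificationWindowInDays

# 2. Exempt a single account (for example, a connector account) regardless of
#    the domain policy. Set -PasswordPolicies "None" to put it back under the policy.
Update-MgUser -UserId "svc-connector@contoso.com" -PasswordPolicies "DisablePasswordExpiration"

# 3. Report: which accounts are exempt, and how old each password is. Accounts
#    older than the validity period are the ones a re-enabled policy would force to reset.
Get-MgUser -All -Property UserPrincipalName, PasswordPolicies, LastPasswordChangeDateTime |
    Select-Object UserPrincipalName,
        @{ n = 'NeverExpires';    e = { [bool]($_.PasswordPolicies -match 'DisablePasswordExpiration') } },
        @{ n = 'PasswordAgeDays'; e = { if ($_.LastPasswordChangeDateTime) { [int]((Get-Date) - $_.LastPasswordChangeDateTime).TotalDays } } } |
    Sort-Object PasswordAgeDays -Descending
```

Run step 3 before changing a validity period: it tells you how many accounts would be forced to reset the moment expiration is re-enabled, which, as noted above, happens immediately for any password already older than the new period.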
Note that people who only use the Outlook app won't be required to change their Microsoft 365 password until it has also expired in the cache, which is often a couple of days after the actual expiration date. As of now, there is no workaround for this at the admin level.
If users are synchronized from on-premises AD to Azure AD, you can prevent them from recycling old passwords by enforcing password history in the on-premises AD. For Azure AD cloud-only users, the last password cannot be reused when the user changes it. This is a default policy that cannot be changed and applies to all cloud-only user accounts.
With Syskit Point, you can audit admin activities such as policy or settings changes in the Exchange admin center. You will also be able to troubleshoot configuration issues and identify the causes of security or compliance problems by reviewing user logins. As a result, demonstrating compliance with regulatory frameworks such as HIPAA, GDPR, or FISMA becomes far easier.
By collecting the relevant Office 365 audit logs, Syskit Point can display every permission, content, or configuration change in a simple and manageable way. It helps you strengthen security, stay compliant with governance policies, and detect malicious behavior through audit reports. Exchange audit logs also let you track Exchange Online admin and user activities.