I get asked for this all the time. Customers ask for the “Best Practices” for really complex subjects, sharing settings, site structure, things where, as a consultant, my answer almost always has to be ...“It depends.” Complex subjects are very hard to apply best practices to, and the way that you know you are about to wander into that territory is when you find yourself asking someone “What do most organizations do?”
You don’t work for most organizations, you work for yours. The question is really “What do most organizations like us do?” Unfortunately you won’t always be able to find someone who has experience with the policies and procedures of one of the top five makers of manufactured homes in the Pacific Northwest, or whatever label describes your organization and its needs. You have to look at what you need and build from there.
So what are best practices good for? Basic items that are the backbone of your processes. There are a lot of policies and procedures that people have created over time based on little more than rumor and intuition, but as time has passed some of those things have been examined and the best ways of implementing them have been researched in detail. I hope to write a series exploring exactly those kinds of things.
Passwords
We have all seen the password requirements on dozens of websites. (Let me take a moment here to say my article is targeting primarily English-speaking users. Websites that focus on other languages usually use rules that are similar in their substance, with different characters.)
Passwords should contain:
- a minimum of 1 lower case letter [a-z] and
- a minimum of 1 upper case letter [A-Z] and
- a minimum of 1 numeric character [0-9] and
- a minimum of 1 special character: ~`!@#$%^&*()-_+={}[]|\;:"<>,./?
- a minimum of 8 characters
Passwords should NOT contain:
The user’s name or login, the {organization}’s name, the word password, the user’s birthday or that of their spouse or children, or common number strings like 123 or 321.
Password resets will happen every 30 days.
[SPOILER: Most of the above requirements are not very helpful]
To which we reply…
P@$$word1
or
$tephenlz3
Then in 30 days
S+ephenI2E
etc.
People react to restrictions in somewhat predictable ways. Microsoft has a helpful and well-researched white-paper here. If you don’t want to read the whole thing, here is the summary of the recommendations.
Advice to IT Administrators
- Maintain an 8-character minimum length requirement (and longer is not necessarily better).
- Eliminate character-composition requirements.
- Eliminate mandatory periodic password resets for user accounts.
- Ban common passwords, to keep the most vulnerable passwords out of your system.
- Educate your users not to re-use their password for non-work-related purposes.
- Enforce registration for multi-factor authentication.
- Enable risk based multi-factor authentication challenges.
Advice to Users
Create a unique password for your Microsoft account
The security of your Microsoft account is important for several reasons. Personal, sensitive information may be associated with your account such as your emails, contacts, and photos. In addition, other services may rely on your email address to verify your identity. If someone gains access to your email, they may be able to take over your other accounts too (like banking and online shopping) by resetting your passwords by email.
Tips for creating a strong and unique password:
- Don’t use a password that is the same or similar to one you use on any other website. A cybercriminal who can break into that website can steal your password from it and use it to steal your Microsoft account.
- Don’t use a single word (e.g. “princess”) or a commonly-used phrase (e.g. “Iloveyou”).
- Do make your password hard to guess even by those who know a lot about you (such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use).
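To make the difference concrete, here is an added example (mine, not Microsoft's or anything from the white-paper) that checks a password against the composition rules listed earlier and against a policy closer to the recommendations above: a length floor, no composition rules, and a banned list that still catches the predictable substitutions like P@$$word1 and S+ephenI2E. The banned word list, the username and the organization name "Contoso" are constructed for the example.

```python
import re

# Constructed, deliberately short banned list; a real deployment would load a large one.
BANNED_WORDS = {"password", "princess", "iloveyou", "123456", "qwerty", "letmein"}
# Common substitutions users make to satisfy composition rules.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "!": "i", "3": "e", "+": "t", "|": "l"})
SPECIALS = "~`!@#$%^&*()-_+={}[]|\\;:\"<>,./?"


def legacy_policy(pw: str) -> bool:
    """The composition rules quoted in the post: 8+ chars, lower, upper, digit, special."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))


def normalize(text: str) -> str:
    """Undo predictable substitutions and keep only letters, so P@$$word1 -> passwordl."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def modern_policy(pw: str, username: str, org: str) -> tuple[bool, str]:
    """Closer to the recommendations: length floor, no composition rules, banned terms
    rejected even when disguised. Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if re.search(r"123|321", pw):
        return False, "contains a common number string"
    norm = normalize(pw)
    for word in BANNED_WORDS | {username, org}:
        if word.lower() in pw.lower():
            return False, f"contains banned term {word!r}"
        w = normalize(word)
        # Length guard so short normalized forms (e.g. digits-only entries) cannot match everything.
        if len(w) >= 4 and w in norm:
            return False, f"contains disguised banned term {word!r}"
    return True, "ok"
```

Note that the post's P@$$word1 and S+ephenI2E satisfy every composition rule yet fail the modern check, while a long passphrase with no symbols does the opposite.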
If you have been in IT for a while you may be smiling to yourself and thinking “correct horse battery staple”, as made famous by the funny and excellent cartoons of xkcd.com.
There is some truth here, but in the end research shows that even passwords like those above are difficult for the average user to remember.
The MS user recommendations are similar to the ones we already discussed (8-character limit, don’t use names and birthdays, etc.) but the de-emphasis on hard limitations and advising caution leaves a user more flexibility. For administrators, the research acknowledges that passwords are fundamentally flawed as a security mechanism. Multi-factor authentication is better, and multi-factor authentication that also looks for risky behavior (as provided by things like Microsoft Cloud App Security) is better still. For example if you logged from New York at 11:13AM and 20 minutes later tried to login from an IP address in Gdańsk Poland. This is possible in a world of VPNs and remote sessions, but it is worth asking more questions.
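The New York to Gdańsk scenario is the classic "impossible travel" signal that risk-based MFA products look for. Below is an added example of that detection logic (my own illustration, not how Microsoft Cloud App Security implements it): it walks a user's sign-ins in time order, computes the great-circle distance between consecutive locations, and flags any pair that would require travelling faster than a commercial flight. The sign-in records, coordinates and threshold are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt


@dataclass
class SignIn:
    user: str
    when: datetime
    city: str
    lat: float
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events: list[SignIn], max_kmh: float = 900.0) -> list[tuple]:
    """Return (user, from_city, to_city, km_per_hour) for consecutive sign-ins by the same
    user that imply travel faster than max_kmh; these are the ones to challenge with MFA."""
    flagged = []
    last_seen: dict[str, SignIn] = {}
    for e in sorted(events, key=lambda s: (s.user, s.when)):
        prev = last_seen.get(e.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.when - prev.when).total_seconds() / 3600
            # Two sign-ins at the same instant from different places are also impossible.
            kmh = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if kmh > max_kmh:
                flagged.append((e.user, prev.city, e.city, round(kmh)))
        last_seen[e.user] = e
    return flagged


# Constructed sample sign-ins: the post's New York / Gdańsk pair plus a benign commute.
SAMPLE_SIGNINS = [
    SignIn("stephen", datetime(2023, 5, 2, 11, 13), "New York", 40.71, -74.01),
    SignIn("stephen", datetime(2023, 5, 2, 11, 33), "Gdańsk", 54.35, 18.65),
    SignIn("alice", datetime(2023, 5, 2, 9, 0), "Seattle", 47.61, -122.33),
    SignIn("alice", datetime(2023, 5, 2, 14, 0), "Portland", 45.52, -122.68),
]
```

Only the 20-minute hop between New York and Gdańsk is flagged; Alice's five-hour drive down I-5 is not.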
Microsoft and others are working on a “password-less” future (if you are looking for more information there is another white-paper here), but the kinks are not entirely worked out with regard to SSO and integration with other systems. For now, in production, it is likely that mature organizations will be more capable of sticking with the more thoughtful password recommendations and multi-factor authentication. If you are a small organization that is just getting started with Microsoft 365, you may want to take a serious look at the password-less option.
What is Multi-Factor authentication? At its core, it is just a user presenting at least 2 forms of proof when authenticating. “I am Stephen, as proof that I am Stephen here is the password I have been given/chosen (the first factor is usually something the user knows) and this is the code supplied by a device I carry (usually an SMS message or code from a device or app the user has in their possession)”. Another common factor used for MFA is something the user IS, a location, a fingerprint, an eye scan, etc. Something the user knows, something the user has in their possession, and something the user is. These are the common “factors” utilized for authentication.
I made you read all this way for a pretty simple best practice recommendation. Enable multi-factor authentication where it makes sense (often this is any user that is outside of your local network) and review your password policies.
MFA comes in a few flavors. Sending an SMS to the user’s mobile phone number is probably the easiest version to implement, because you only need a user’s mobile phone number capable of receiving SMS messages. SMS messages are not completely secure, and NIST notes several ways they may be problematic, but even this step will probably reduce the chances of your users’ credentials being stolen by 75-80%. More secure options, especially for your privileged users (IT, Executives, etc.), are encouraged. Microsoft’s Authenticator App and FIDO2 keys are good places to start.
If you aren’t sure how to enable MFA in Microsoft 365, watch this space and I will add blogs with more details about that process, but now is a good time to evaluate what you currently have in place and plan for a change. MFA exceptions should be made more for logical reasons than convenience. Production floor workers may switch devices often and have limited access to devices like phones and hardware keys. If they only have basic accounts that are restricted to that location, complex MFA may be logistically difficult for little benefit, but you do have two factors: a location and a password. If those users try to access their account outside of the production facility, their authentication would fail. Executives and highly privileged technical workers should have more complex MFA enabled even on the local network to prevent escalation or lateral attacks from bad actors that have found a way into your network.
Best practices are building blocks, not blanket solutions. Their application is always subject to scrutiny and adjustment. Authentication is the entryway into everything you do in your Information Technology systems (or should be). Proper management of authentication (and the accounts in your systems, probably another blog) helps to maintain security and accountability for everything you do. In the overall structure of best practices, we have just covered the doorknob and locks. It is a small, but important step.