How to plan a password security project
2020-10-30 07:00

A security company wedded to the back-to-basics approach on this is password and authentication specialist Specops, which recommends starting with an audit using the company's Password Auditor, a Windows Active Directory tool that can be downloaded free of charge and generates a risk score report.

Without making any changes, the tool analyses the AD password policies it finds, checking a range of attributes such as password rules (for example minimum length), lockout policy, password age, how many passwords have expired, and how a policy compares to industry best practice.

Most usefully of all, it compares the user password hashes it finds to a Specops database containing 738 million password hashes drawn from an even larger collection the company has gathered from leaked passwords on the Internet.

"Password1! is a perfectly secure password according to those complexity rules. You can tell people what the password policy is but using standard AD tools there is zero way of enforcing it."

"The death of the password has been predicted for the last 20 years yet we're still having this conversation today. The password remains the simplest and cheapest way a programmer can identify a user."
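The gap between the complexity rules and the leaked-hash comparison described above can be shown in a few lines. This is an added example, not code from Specops or the original article: the leaked list, the account names and the stored hashes are constructed, SHA-256 stands in for the directory's real hash format, and `meets_complexity` only approximates the AD complexity rule.

```python
import hashlib

def digest(password: str) -> str:
    # Stand-in hash (assumption): SHA-256 over UTF-16LE. AD itself stores
    # unsalted NT hashes, which is what makes a direct set lookup possible.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()

# Constructed leaked-password list, held as hashes only.
LEAKED = {digest(p) for p in ("Password1!", "Summer2020!", "Qwerty123")}

def meets_complexity(password: str, account: str, min_length: int = 8) -> bool:
    """Approximates AD complexity: length, 3 of 4 classes, no account name."""
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if len(password) < min_length or sum(classes) < 3:
        return False
    # Reject passwords that embed the account name (names of 3+ characters).
    return not (len(account) >= 3 and account.lower() in password.lower())

def audit(stored: dict[str, str]) -> list[str]:
    """Return the accounts whose stored hash appears in the leaked set."""
    return sorted(acct for acct, h in stored.items() if h in LEAKED)

# Constructed directory extract: account name -> stored password hash.
STORED = {
    "alice": digest("Password1!"),
    "bob": digest("v9#Lq2!tZx-wR7"),
    "carol": digest("Summer2020!"),
}

if __name__ == "__main__":
    # The password satisfies the policy yet is flagged by the hash comparison.
    print("Password1! passes complexity:", meets_complexity("Password1!", "alice"))
    print("Accounts with leaked passwords:", audit(STORED))
```

The audit never sees a plaintext password; it only tests set membership of hashes the directory already holds, which is why it can run without changing anything.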


News URL

https://go.theregister.com/feed/www.theregister.com/2020/10/30/plan_a_password_security_project/