Are You Securing Passwords All Wrong? Risk-Based Password Management is the New Best Practice

You know the drill: every 90 days IT issues a mandate to change your password, and you had better make it complex. You know, uppercase, numbers and crazy special symbols — the kind of password that Einstein would struggle to remember. That causes a lot of problems. End users are frustrated by the process and end up with myriad passwords for myriad accounts, few of which they can recall. So what do they do? They write them down somewhere, too often on a Post-it note stuck right on their monitor. And you call this password security.

NIST, Microsoft and CIS all saw this problem, and it is a big one. Weak or compromised passwords are perhaps the most common way attackers breach your network.

The new approach is to get off the treadmill of changing passwords all the time. Instead, change a password only when there is a need, and that need is a risk event. This could be a breach, an attacker's incursion, or some other incident that makes the security team nervous. Quite often it is an event specific to an end user, such as a suspicious attempt to sign in to their account.

With Office 365, you hopefully have alerts that tell you when these events occur. This is when passwords should be changed, and changed quickly. For major events it might even make sense to lock down some users' accounts until they have updated their passwords.

Why Risk-Based Password Management?

This new approach runs contrary to years of password management best practices. “While this is not the most intuitive recommendation, research has found that when periodic password resets are enforced, passwords become weaker as users tend to pick something weaker and then use a pattern of it for rotation. If a user creates a strong password: long, complex and without any pragmatic words present, it should remain just as strong in 60 days as it is today. It is Microsoft’s official security position to not expire passwords periodically without a specific reason,” CIS advised.

Being forced to change passwords also leads users to take shortcuts. “The industry that forces users to do this winds up driving them to think, ‘I’ve got to be able to remember my passwords to do my job. I’m going to make it the first name of one of my kids, capitalize the first letter, and put the number sign 1 at the end of it. Then, when bad old IT comes along and makes me change it, I’m going to make it number sign 2, and number sign 3, and so forth.’ The bad guys have figured out that we’re all doing this, and it’s turned out to not be an effective approach, from an identity protection perspective,” explained Matt Smith, CoreView solutions architect.

This new way is a better way – for both security and end-user sanity. “Microsoft’s recommendations are based on risk, to reset passwords and clear user sessions. One trigger is if you show up on some of their advanced security reports for having risky behavior, such as impossible travel. Perhaps you logged in at noon in New York City, and two hours later, logged in in London. Well, the Concorde’s not flying right now, so that’s impossible for you to have logged in physically from New York and London just two hours apart,” Smith said.
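As an added example (not CoreView's code or Microsoft's risk engine), here is the impossible-travel check Smith describes, run over a few constructed sign-in records; the record format and the 1,000 km/h plausibility threshold are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in records (not real telemetry):
# (user, UTC timestamp, latitude, longitude) of the sign-in location.
SAMPLE_SIGNINS = [
    ("joe.user", "2024-05-01T12:00:00Z", 40.7128, -74.0060),    # New York, noon
    ("joe.user", "2024-05-01T14:00:00Z", 51.5074, -0.1278),     # London, 2 h later
    ("ann.admin", "2024-05-01T09:00:00Z", 47.6062, -122.3321),  # Seattle
    ("ann.admin", "2024-05-01T15:30:00Z", 37.7749, -122.4194),  # San Francisco, 6.5 h later
]

# Assumed threshold: faster than any commercial flight today, as Smith's Concorde remark implies.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


@dataclass
class Finding:
    user: str
    distance_km: float
    hours: float
    implied_kmh: float


def find_impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag each pair of consecutive sign-ins per user whose implied speed exceeds max_kmh."""
    by_user = {}
    for user, ts, lat, lon in signins:
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        by_user.setdefault(user, []).append((t, lat, lon))
    findings = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for (t1, la1, lo1), (t2, la2, lo2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600
            # Same-second sign-ins from different places cannot be travelled at any speed;
            # a duplicate record from the same place is not a finding.
            speed = (float("inf") if dist > 0 else 0.0) if hours == 0 else dist / hours
            if speed > max_kmh:
                findings.append(Finding(user, round(dist, 1), round(hours, 2), round(speed, 1)))
    return findings
```

Only joe.user is flagged: roughly 5,570 km in two hours is about 2,800 km/h, while ann.admin's Seattle-to-San Francisco hop works out to well under 200 km/h.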

Embracing Risk-Based Password Management

While risk- or event-based password changes are a great idea, execution isn’t so easy. “What CoreView has, which is completely unique in the industry, is we know that you’re on that risk report, and we can schedule the changes: Since you’re on it, I’m going to wipe your user session. In other words, log you out of all your applications. I’m going to reset your password. I’m going to notify the help desk, and I’m going to notify IT security that Joe User was on a high-risk report for impossible travel, and please check A, B, and C before you re-initialize his account,” Smith explained.

CIS Microsoft 365 Benchmark Lays It All Out

The Center for Internet Security (CIS) has released extensive benchmarks for M365 security, the CIS Office 365 Security Benchmarks, which advise IT to ensure, through policies and processes, that passwords are never set to expire.

CIS advises IT to “Review the password expiration policy, to ensure that user passwords in Office 365 are not set to expire.” The rationale? “NIST has updated their password policy recommendations to not arbitrarily require users to change their passwords after a specific amount of time, unless there is evidence that the password is compromised, or the user forgot it. They suggest this even for single factor (Password Only) use cases, with a reasoning that forcing arbitrary password changes on users actually makes the passwords less secure.”

Don’t Forget MFA

Complex passwords are all well and good, but they are not nearly as effective as strong authentication, CIS argues. “Other recommendations within this Benchmark suggest the use of MFA authentication for critical accounts (at minimum), which makes password expiration even less useful as well as password protection for Azure AD,” CIS outlined. Mobile devices should likewise be set so passwords never expire, CIS adds.

The CoreView Password Answer

CoreView protects passwords by enforcing multi-factor authentication, identifying and alerting IT to risk events both across the tenant and specific to end users, helping IT prompt users to reset their passwords — and, best of all, providing an automated workflow to pause the account and force a password reset.

In the case of a risk event, CoreView can protect the password through a reset and strengthen authentication by enforcing MFA measures.

“IT should enable risk-based multi-factor authentication activation. If I find you’re at risk, I’m going to actually make you authenticate. CoreView takes this a step further, which is part of our workflow. IT can wipe user sessions. In other words, make the end user log out of every application. Because a user token is good for eight hours by default, should IT allow the user to keep pounding on it for eight hours? No, IT should log them out right now, because they showed up on one of the high-risk reports. And an admin can block the account and notify IT security and the help desk that, before they re-enable the account, they should do steps A, B and C, because you showed up on an impossible travel report or on a malware-on-a-device report, something like that,” Smith explained.
