When training your employees on how to identify various attacks, which of the following policies should you be sure to have and enforce? (Select two.)
Password policy recommendations for Microsoft 365 passwords
As the admin of an organization, you're responsible for setting the password policy for users in your organization. Setting the password policy can be complicated and confusing, and this article provides recommendations to make your organization more secure against password attacks.

Microsoft cloud-only accounts have a pre-defined password policy that cannot be changed. The only items you can change are the number of days until a password expires and whether or not passwords expire at all. To determine how often Microsoft 365 passwords expire in your organization, see Set password expiration policy for Microsoft 365.

For more information about Microsoft 365 passwords, see:
Reset passwords (article)
Set an individual user's password to never expire (article)
Let users reset their own passwords (article)
Resend a user's password - Admin Help (article)

Understanding password recommendations
Good password practices fall into a few broad categories:
Password guidelines for administrators
The primary goal of a more secure password system is password diversity. You want your password policy to contain lots of different and hard-to-guess passwords. Here are a few recommendations for keeping your organization as secure as possible.
Password guidance for your users
Here's some password guidance for users in your organization. Make sure to let your users know about these recommendations and enforce the recommended password policies at the organizational level.
Some common approaches and their negative impacts
These are some of the most commonly used password management practices, but research warns us about their negative impacts.

Password expiration requirements for users
Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them. Check out Time to rethink mandatory password changes for more info.

Minimum password length requirements
To encourage users to think about a unique password, we recommend keeping a reasonable 14-character minimum length requirement.

Requiring the use of multiple character sets
Password complexity requirements reduce key space and cause users to act in predictable ways, doing more harm than good. Most systems enforce some level of password complexity requirements. For example, passwords need characters from all three of the following categories:
Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. Cybercriminals know this, so they run their dictionary attacks using the most common substitutions: "$" for "s", "@" for "a", "1" for "l". Forcing your users to choose a combination of upper, lower, digits, and special characters has a negative effect. Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.

Successful patterns
In contrast, here are some recommendations for encouraging password diversity.

Ban common passwords
The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords to reduce your organization's susceptibility to brute force password attacks. Common user passwords include: abcdefg, password, monkey.

Educate users to not reuse organization passwords anywhere else
One of the most important messages to get across to users in your organization is to not reuse their organization password anywhere else. The use of organization passwords on external websites greatly increases the likelihood that cybercriminals will compromise these passwords.

Enforce multi-factor authentication registration
Make sure your users update contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. Updated contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. It also provides an out-of-band notification channel in the case of security events such as login attempts or changed passwords. To learn more, see Set up multi-factor authentication.
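The two rules the article actually recommends (a 14-character minimum and a banned-word check that sees through the "$"/"@"/"1" substitutions) as an added example; this is illustrative code written for this page, not Microsoft's banned-password implementation, and the banned list beyond the three words the article names is a constructed assumption.

```python
import re
from typing import List, Optional

# Constructed illustration of the article's recommendations, not Microsoft's
# own algorithm. The first three words are the page's examples; the rest are
# assumed additions to the banned list.
BANNED_WORDS = ("abcdefg", "password", "monkey", "qwerty", "letmein")
MIN_LENGTH = 14  # the article's recommended minimum length

# The substitutions the article says dictionary attacks try first.
SUBSTITUTIONS = str.maketrans({"$": "s", "@": "a", "1": "l"})


def normalize(password: str) -> str:
    """Lower-case, undo the common substitutions, then drop leading/trailing
    non-letters so that 'P@$$word2023!' compares as 'password'."""
    folded = password.lower().translate(SUBSTITUTIONS)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", folded)


def banned_word_in(password: str) -> Optional[str]:
    """Return the first banned word found inside the normalized password, else None.
    A substring match also catches variants such as 'monkey1' or 'MyPassword'."""
    norm = normalize(password)
    for word in BANNED_WORDS:
        if word in norm:
            return word
    return None


def evaluate(password: str) -> List[str]:
    """Return policy findings; an empty list means the password is accepted.
    Deliberately no character-class rule: only length and the banned-word check,
    in line with the article's point that complexity rules do more harm than good."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    hit = banned_word_in(password)
    if hit is not None:
        findings.append(f"contains banned word '{hit}'")
    return findings


if __name__ == "__main__":
    # Constructed samples: a "complex" but predictable password, a long plain
    # passphrase, and a banned word padded out to the length requirement.
    for candidate in ("P@$$word2023!", "correct horse battery staple", "monkeymonkeymonkey99"):
        print(repr(candidate), "->", evaluate(candidate) or "accepted")
```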
Enable risk-based multi-factor authentication
Risk-based multi-factor authentication ensures that when our system detects suspicious activity, it can challenge the user to ensure that they are the legitimate account owner.

Next steps
Want to know more about managing passwords? Here is some recommended reading:
Reset passwords (article)

When training your employees on how to identify various attacks, which of the following policies should you be sure to have and enforce? (Select two.)
EXPLANATION: Be sure to have an effective password policy and clean desk policy in place, and don't forget to enforce them.
Which of the following items would be implemented at the Data layer of the security model (group policies, auditing, authentication, cryptography)?
Cryptography is implemented at the Data layer. Authentication, authorization, and group policies are implemented at the Application layer.
Which of the following are often identified as the three main goals of security? (Select three.)
Confidentiality, integrity and availability together are considered the three most important concepts within information security. Considering these three principles together within the framework of the "triad" can help guide the development of security policies for organizations.
What's the first step in performing a security risk assessment?
Step 1: Determine the scope of the risk assessment.
Step 2: Identify cybersecurity risks.
Step 3: Analyze risks and determine potential impact.
Step 4: Determine and prioritize risks.
Step 5: Document all risks.