
Is your password ecosystem ready for the regulators?

Sponsored feature

It’s 2025, and credential theft is a thing of the past.

Aha, only joking.

In reality the stolen-credential problem is still pitifully bad, of course. This year’s Verizon Data Breach Investigations Report shows that 22% of breaches involved stolen credentials. In short, at a time when technologists want to take us to Mars and have AI offer us therapy, one in five of us is still banging digital rocks together.

Regulators are aware of this and they’re not happy. That’s why they’re doing what they do best: finger-wagging companies into taking care of the problem. Regulatory frameworks are putting a greater emphasis on identity security. PCI-DSS has strict rules on password complexity. It also has requirements on multi-factor authentication (MFA).

PCI-DSS has always been especially prescriptive compared with other regulations. Others, like GDPR, might not set specific requirements themselves but will often require “appropriate” or “best-practice” password controls.

Nice job you’ve got there. Shame if something happened to it

That finger-wagging can easily turn into finger-wrenching if people don’t play by the rules. The NIS2 Directive, which is the EU’s updated cybersecurity rulebook, emphasizes strong password policies. It also reserves the right to bench senior management from their duties if they’re found responsible for security screw-ups.

This regulatory outsourcing of password rules leaves companies looking for reliable guidance. In the US, NIST’s 800-63 series is a go-to for those practices.

In particular, NIST 800-63B deals with passwords. The most recent version emphasizes password length over complexity. A passphrase like “correct horse battery staple” is far better than “p@ssw0rd”.

Filter out obvious strings, though, warns NIST. Just because “May the force be with you” or your favorite Taylor Swift lyric is relatively long doesn’t make it safe.

Some regulatory bodies have also begun to emphasize length. For example, PCI-DSS 4.0 upped its minimum length requirement from seven characters to 12.

NIST also warns against password hints, which will doubtless be a relief to Sarah Palin. It’s also better not to mandate changing complex passwords or passphrases unless there’s a clear reason to do so, much to the relief of irritated office workers everywhere.

Regulators are taking MFA on board, too. NIST strongly recommends it, while NIS2 requires it “where appropriate”, which suggests it should at least be used in higher-privileged accounts.

Many companies will have problems keeping up

These are all sensible suggestions, but many organizations’ password management policies will fail to meet modern audit requirements, placing companies at risk of regulatory action.

Outdated password-herding methods will also cause problems for those wanting to secure cyber-insurance policies, or for those expecting payouts on those policies if they get hit. Darren James, senior product manager at Specops Software, warns that insurers are increasingly requiring best practices around Active Directory (AD), for example.

“If you’re handling people’s credit card data, and they find that you suffered a data breach because someone guessed your password and it didn’t meet their requirements, they won’t cover your liability,” he says. “I think it’s getting to the point now where lots of companies are taking this a lot more seriously.”

Put simply, traditional tools often focus on setting policies rather than monitoring how effective they are. As regulators and insurers look more closely, that will become a problem. James sees an audit visibility gap between what auditors want to see and what organizations can demonstrate.

This gap shows up in various ways. Quality of reporting is an issue, because regulators want to see documentation of password policy enforcement.

There’s also a temporal aspect to this gap. Regulators are growing increasingly partial to real-time compliance monitoring rather than point-in-time assessments. After all, cyberattackers move quickly, so why should companies offer only a stop-motion view of their password security posture?

The audit visibility gap shows up when using vanilla AD, James adds. It doesn’t check a newly enrolled password against lists of already breached passwords. Nor does it monitor passwords continuously for compromised credentials, meaning that compliance departments get a point-in-time report for periodic audits at best. It also means that if an employee reuses a password originally enrolled in AD when signing up for another service, administrators won’t see if it gets breached on that other service.

Specops Password Auditor as a compliance catalyst

Specops built its business on fixing these shortcomings in AD. One way it does this is with its Password Auditor tool. This is a read-only utility that scans your AD and produces a report on its password security posture. It’s also free to download, the company points out.

The tool assesses the policies that administrators have set in AD, along with any other policies, such as those set in Specops’ own tools. It then scans the passwords set for accounts, assessing them against several criteria to produce a range of reports.

These reports highlight issues for admins to fix, including stale privileged accounts and accounts with expired or duplicated passwords.

You can also produce a compliance report that checks your policies and execution against specific guidelines, including not just those set by NIST and PCI-DSS v4, but also the UK’s National Cyber Security Centre (NCSC), the FBI’s Criminal Justice Information Services (CJIS), and France’s Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) and Commission Nationale de l’Informatique et des Libertés (CNIL). It also evaluates your passwords against the British Standards Institution and HITRUST, the latter being a cross-sector framework for privacy and security controls.

The tool delivers a simple red-amber-green assessment of each organizational password policy against these compliance standards so that organizations can easily see how well they’re doing overall.

Password Auditor goes further still, by also assessing password entropy (that is, how susceptible each password is to a brute-force attack).

Some of these industry guidelines (notably NIST and NCSC) recommend that organizations check their stored credentials against a list of compromised passwords used online. This is something that you can do manually using Troy Hunt’s HaveIBeenPwned, but Password Auditor does it too, using Specops’ own database.
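As an added example (not code from the article, Specops, or NIST), the Python below combines the NIST 800-63B guidance described earlier (length over complexity, a blocklist of obvious strings and context-specific words, no composition rules) with the k-anonymity-style compromised-password lookup that services such as HaveIBeenPwned expose. The breached-password set and the context words are constructed stand-ins, and the range query is answered locally instead of over the network.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus (NOT Specops' or HIBP's
# data), stored as upper-case SHA-1 hex digests so no plaintext list is kept.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("p@ssw0rd", "May the force be with you", "Password123!")
}

def range_query(prefix):
    """Simulates the server side of a HIBP-style k-anonymity range query:
    given the first 5 hex chars of a SHA-1, return the matching 35-char
    suffixes. A real service is queried over HTTPS; here we answer locally."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}

def is_breached(password):
    """Client side: hash locally, send only the 5-char prefix, compare the
    suffixes at home, so neither the password nor its full hash leaves us."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_query(digest[:5])

def check_password(password, min_len=12, context_words=("acme", "helpdesk")):
    """NIST 800-63B flavoured acceptance check: a length floor instead of
    composition rules, a repeated-character check, context-specific words
    (constructed: company and service names) and the breached-password
    blocklist. Returns the reasons for rejection; [] means accepted.
    min_len defaults to the 12 characters PCI-DSS 4.0 requires."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if re.search(r"(.)\1{3,}", password):  # e.g. 'aaaa' or '1111'
        reasons.append("contains a run of four or more repeated characters")
    lowered = password.lower()
    for word in context_words:
        if word in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if is_breached(password):
        reasons.append("found in breached-password corpus")
    return reasons

if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "p@ssw0rd",
                      "May the force be with you", "Acme-helpdesk-login-2025"):
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not verdict else '; '.join(verdict)}")
```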

James says that the Specops database is “a little bit like HaveIBeenPwned, but on steroids.” Its four-billion-plus passwords include Hunt’s data, along with data feeds from the threat intelligence platform of Specops Software’s parent company, Outpost24.

Outpost24’s threat intel includes passwords from leaked credentials traded in underground markets. It also includes credentials found in malware: if an infostealer pilfers your passwords and Outpost24’s monitoring of criminal servers spots them, it folds that information into the Specops database. Outpost24 also operates a honeypot network that registers attempted logins to decoy websites and adds those too.

Speaking the board’s language

Discussing all this information among IT and security teams is one thing, but mention entropy to your CFO and they’ll probably think you’re talking about a new series on Netflix. That’s why the tool also includes an executive summary ability that distills the relevant information for busy executives. They get a simple password security score, along with simple low-medium-high risk levels across a range of categories including breached passwords and accounts where policies don’t require a password at all.

Specops Password Policy reveals how well your passwords and policies adhere to the rules, explains James. Because it’s a read-only system and doesn’t send its data back to Specops, you can run it risk-free.

“The great thing about Password Auditor is that it will tell you who’s running a breached password. And even better, it’ll do it for free. And even better, it won’t tell us about it,” he says. “You can run it quite safely in your own air-gapped environment.”

That makes it a good tool for companies to assess how badly they need to level up their password game. James suspects that many will find a big enough gap between where they are and where regulators want them to be. Those companies can then turn to Specops for more help.

“Password Auditor is a great thing for showing you where the gaps are, but the paid-for breached password protection, which is part of Password Policy, solves the problem for you,” he says.

Mid-Cheshire Hospitals NHS Foundation jumped straight to Password Policy when it tried to get password health up to par for its 5,400 staff members. The Trust used another important feature for regulatory compliance: continuous scanning.

The Breached Password Protection feature allows a regular scan that organizations can run daily rather than just at logon. It can also force password resets, while enforcing strict policies around those new password choices.

For many regulators, password policies aren’t prix fixe so much as à la carte: the regulator might not give you a set of specific measures you must take, but will instead point you to guidelines that urge you to adopt best practices. How many of those practices you embrace, and to what extent, is up to you. It will depend on factors including your own risk profile along with the cost and effort involved.

Two things are certain, though. First, products like Password Auditor and Password Policy help to bring the cost and effort down by tackling password policies in an easy-to-manage and auditor-friendly way. Second, the more best practices you embrace, the more likely you are to land on the regulator’s good side.

Sponsored by Specops Software.
