# Password & Authenticator Policy (Draft)

**Document owner:** [Owner/Role]
**Approved by:** [Steering Committee / CISO]
**Effective date:** [YYYY-MM-DD]
**Review cadence:** [Annually]

---

## 1) Purpose & scope

This policy defines requirements for passwords and related authenticator handling for all human users and service accounts that access [Organization] Microsoft 365, on-premises Active Directory (AD), Microsoft Entra ID (formerly Azure AD), and connected systems.

---

## 2) Roles & responsibilities

- **CISO / Security:** Owns this policy, maintains the custom banned-password list, monitors compliance.
- **IT / IAM:** Implements enforcement in Microsoft Entra ID, on-prem AD, and Microsoft 365 services.
- **System Owners:** Ensure integrated applications follow this policy (see section 11).
- **All Users:** Must comply with these requirements.

---

## 3) Password requirements (human users)

1. **Length**
   - **15+ characters** when the password is the only factor (the NIST SP 800-63B Rev. 4 single-factor minimum).
   - **8+ characters** when MFA is enforced on the account.
   - Systems must accept at least **64 characters** and all printing ASCII characters, spaces, and Unicode. Length is counted in characters after Unicode NFKC normalization, not in bytes. Over-length input is rejected, never silently truncated.
   - On-prem AD: the classic domain password policy caps the configurable minimum at 14 characters; enforcing 15 requires the "Relax minimum password length limits" security option on supported Windows Server builds.
2. **No composition rules**
   - Do not require upper/lower/symbol/number mixes. They push users toward predictable patterns (capital first, digit last) and are not required by NIST. Enforce **length + blocklist screening** instead.
3. **Blocklist screening**
   - Enforce via **Microsoft Entra Password Protection** (formerly Azure AD Password Protection): Microsoft's global banned-password list plus a custom list of organization-specific terms (company and product names, site names, local teams). The custom list holds up to 1,000 terms of 4 to 16 characters each.
   - Deploy the Password Protection DC agent and proxy service so the same lists apply to on-prem AD password changes, not only to cloud changes.
   - Password Protection uses fuzzy matching (case-insensitive, common substitutions such as 0 for o and $ for s) and a five-point score: each banned term found scores one point, every other character scores one point, and a password needs at least five points. Short passwords built around a banned term therefore fail; long passphrases that merely contain one do not.
   - Screening against external breach corpora is not part of Password Protection and, where required, is a separate control.
4. **Expiration**
   - No scheduled expiration. Set the domain and Entra password-expiry policies to never expire.
   - Forced change on indication or suspicion of compromise is mandatory and includes token revocation (section 8).
5. **Usability**
   - Allow copy/paste and password managers.
   - Provide a "show password" toggle.
   - Disable password hints and security questions; knowledge-based questions are not an acceptable authenticator or recovery method.
6. **CIS Controls alignment**
   - CIS Control 5 (Account Management): unique accounts per person, dedicated administrative accounts, automated disabling of accounts after 45 days of inactivity.
   - CIS Control 6 (Access Control Management): MFA for externally exposed applications, remote network access, and administrative access.

---

## 4) Multi-factor authentication (MFA)

- **Mandatory MFA** for: Microsoft 365, VPN/remote access, all privileged AD and Entra accounts, email, and SaaS holding sensitive data. Enforce through Conditional Access rather than per-user MFA settings.
- Preferred methods: **FIDO2 security keys / passkeys** (phishing-resistant) and **Microsoft Authenticator** push with number matching and additional context (application name and location) shown in the prompt.
- SMS/voice: fallback only, for non-privileged users. NIST SP 800-63B classes PSTN-based authenticators as restricted; they are never acceptable for administrative accounts.

---

## 5) Rate limiting & lockout

- Use **Entra ID smart lockout**:
  - Default: lock after 10 failed attempts for 1 minute, with the lockout period growing on repeated failures (both values configurable). Smart lockout does not count the same wrong password entered repeatedly as additional failures.
  - With pass-through authentication or password hash sync, set the Entra threshold lower and the duration longer than the on-prem AD account lockout policy, so that attackers lock out in the cloud before they lock the on-prem account.
- Configure the on-prem AD account lockout policy separately; it is not inherited from Entra.
- Avoid permanent lockouts, which let an attacker deny service to any user by name.

---

## 6) Storage & transmission

- Cloud authentication (Entra ID, Microsoft 365) happens over **TLS 1.2+**. On-prem authentication uses **Kerberos with AES**; NTLM is restricted and audited.
- On-prem AD stores per-account verifiers in NTDS.dit: the **NT hash** (unsalted MD4) and salted **Kerberos AES keys**. Because the NT hash is not salted and is directly usable in pass-the-hash attacks, domain controllers, their backups, and any database copies must be protected as tier-0 assets.
- Domain controllers must refuse **NTLMv1** and LM (`LmCompatibilityLevel` = 5) and must not store **LM hashes** (`NoLMHash` enabled). The "store password using reversible encryption" option must be off for all accounts.
- Custom applications that store passwords themselves must use **Argon2id** (preferred; OWASP minimum m=19 MiB, t=2, p=1) or **bcrypt** (work factor 10 or higher) with a per-password random salt, never a plain or unsalted hash and never reversible encryption.

---

## 7) Password creation guidance

- Encourage passphrases of four or more random words; spaces are allowed.
- Recommend a password manager. Microsoft Edge and the Microsoft Authenticator app can fill this role for Microsoft 365 users.
- Discourage personal information, keyboard walks, years, and re-use across services.

---

## 8) Resets & recovery

- Self-service password reset (SSPR) in Entra ID, with at least two registered methods and MFA verification before reset.
- No knowledge-based answers or security questions.
- After suspected compromise: force a password change, revoke refresh tokens (Microsoft Graph `revokeSignInSessions`), review and if necessary re-register MFA methods, and review app consents the attacker may have granted. Existing access tokens remain valid until they expire (roughly one hour by default), so high-risk cases also disable the account or require re-authentication through Conditional Access.

---

## 9) Administrative accounts

- Separate admin accounts from daily-use accounts. Entra admin accounts are cloud-only, without a mailbox, and not synchronized from on-prem AD.
- Enforce phishing-resistant MFA (FIDO2/passkey or certificate-based) on all admin accounts through a Conditional Access authentication strength.
- Grant roles through **Privileged Identity Management (PIM)** with just-in-time activation, justification, and approval where required.
- No shared admin passwords.
- **Break-glass accounts:** at least two cloud-only accounts, excluded from Conditional Access and PIM so they still work when those services fail, authenticated with FIDO2 keys kept in a physical safe, with every sign-in alerting the SOC and a documented periodic test.

---

## 10) Service, API, and machine accounts

- Use **group Managed Service Accounts (gMSA)** in AD; passwords are generated and rotated by the directory.
- In Azure, prefer **Managed Identities**; for other workloads, prefer certificates or workload identity federation over client secrets.
- If a secret is unavoidable:
  - 30+ characters, randomly generated.
  - Stored in **Azure Key Vault**, never in code, pipelines, or tickets.
  - Rotated automatically on a documented schedule and on any suspicion of exposure.
- No interactive logon: apply the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights to service accounts.

---

## 11) Application integration requirements

Applications authenticating against AD or Entra ID must:

- Accept the lengths in section 3 (at least 64 characters), count characters after NFKC normalization, and reject rather than truncate over-length input.
- Apply blocklist checks, either by delegating authentication to Entra ID or by screening locally.
- Allow paste and autofill; no hints, no composition rules.
- Store verifiers with Argon2id or bcrypt (section 6) if they do not use directory federation.

---

## 12) Hardening checklist (Microsoft 365 + AD)

- ✅ Enforce MFA with **Conditional Access**, phishing-resistant for admins.
- ✅ Enable **Entra Password Protection** with a custom banned-password list, including the on-prem DC agent.
- ✅ Configure **smart lockout** and the matching on-prem lockout policy.
- ✅ Enable **PIM** for all admin roles.
- ✅ Block **legacy authentication** (Basic auth for POP, IMAP, SMTP AUTH, and other clients) in Conditional Access and Exchange Online; refuse **NTLMv1** on domain controllers.
- ✅ Detect dormant accounts automatically and disable after 45 days; review the results at least quarterly.
- ✅ Require TLS 1.2+ for all endpoints.
- ✅ Audit password changes, lockout events, MFA method changes, and break-glass sign-ins.

---

## 13) Exceptions

- Documented need, CISO approval, compensating controls, and a review date.

---

## 14) References

- **NIST SP 800-63B, Digital Identity Guidelines, Revision 4** (15-character single-factor minimum, blocklist screening, no composition rules or scheduled expiration)
- **CIS Controls v8.1** (Controls 5 & 6)
- **Microsoft Security Baselines** (Windows, AD, Microsoft 365)
- **OWASP Authentication Cheat Sheet** and **OWASP Password Storage Cheat Sheet**
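---

## Appendix A) Reference checks for custom applications (added example)

The following Python block is an added illustration, not part of the policy text or of any Microsoft product. It implements the application-side rules that sections 3, 6, and 11 require of custom apps that cannot delegate authentication to Entra ID: NFKC normalization, the 15/8 minimum and 64 maximum character counts, no composition rules, a blocklist check modelled on the Entra Password Protection five-point scoring rule, and a salted, memory-hard verifier with constant-time comparison. The banned-word lists are constructed sample data, `contoso`, `fabrikam`, and `payroll` are hypothetical organization terms, and `banned_score` is a simplified model of Microsoft's published rule, not Microsoft's implementation. The verifier uses `hashlib.scrypt` from the standard library with parameters from the OWASP equivalence table; Argon2id via the `argon2-cffi` package is the policy's preferred choice and replaces the same two functions.

```python
"""Added example: application-side password checks and verifier storage for a
custom app that cannot delegate to Entra ID. Blocklists below are constructed
sample data, not Microsoft's global list or the organization's real custom list."""
import hashlib
import hmac
import os
import unicodedata
from dataclasses import dataclass, field

MIN_LEN_SINGLE_FACTOR = 15   # section 3.1: password is the only factor
MIN_LEN_WITH_MFA = 8         # section 3.1: MFA enforced on the account
MAX_LEN = 64                 # section 3.1: accept at least 64 characters

# Constructed sample lists (hypothetical); Entra Password Protection supplies the real ones.
GLOBAL_BANNED = {"password", "qwerty", "letmein", "welcome", "summer", "winter", "monkey"}
ORG_BANNED = {"contoso", "fabrikam", "payroll"}   # hypothetical organization-specific terms

# Fuzzy matching in the spirit of Entra Password Protection: case folding plus
# common substitutions, so "C0nt0$o" is compared as "contoso".
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "3": "e", "$": "s", "@": "a", "!": "i"})


@dataclass
class Verdict:
    accepted: bool = False
    reasons: list = field(default_factory=list)
    banned_terms: list = field(default_factory=list)
    score: int = 0


def normalize(password: str) -> str:
    """NFKC-normalize before counting or hashing (NIST SP 800-63B), so a passphrase
    typed with composed or decomposed accents verifies the same way."""
    return unicodedata.normalize("NFKC", password)


def banned_score(password: str, banned: set) -> tuple:
    """Simplified model of the Password Protection five-point rule (not Microsoft's code):
    each banned term found scores 1, every other character scores 1; need >= 5.
    Terms are matched longest-first, left to right, on the fuzzy-matched form."""
    text = normalize(password).casefold().translate(SUBSTITUTIONS)
    terms = sorted(banned, key=len, reverse=True)
    score, found, i = 0, [], 0
    while i < len(text):
        for term in terms:
            if text.startswith(term, i):
                found.append(term)
                score += 1
                i += len(term)
                break
        else:
            score += 1
            i += 1
    return score, found


def evaluate(password: str, mfa_enforced: bool) -> Verdict:
    """Apply the section 3 rules: length by factor count, 64-character ceiling,
    no composition rules, blocklist score. Reports every failing reason, not just the first."""
    v = Verdict()
    pw = normalize(password)
    length = len(pw)                                    # code points, not bytes
    minimum = MIN_LEN_WITH_MFA if mfa_enforced else MIN_LEN_SINGLE_FACTOR
    if length < minimum:
        v.reasons.append(f"shorter than {minimum} characters")
    if length > MAX_LEN:
        v.reasons.append(f"longer than {MAX_LEN} characters (rejected, never truncated)")
    if any(unicodedata.category(c) == "Cc" for c in pw):  # spaces and printing Unicode stay allowed
        v.reasons.append("contains control characters")
    # Deliberately no upper/lower/digit/symbol requirement (section 3.2).
    v.score, v.banned_terms = banned_score(pw, GLOBAL_BANNED | ORG_BANNED)
    if v.score < 5:
        v.reasons.append(f"blocklist score {v.score} < 5, banned terms {v.banned_terms}")
    v.accepted = not v.reasons
    return v


# Section 6 verifier storage. scrypt parameters come from the OWASP Password Storage
# Cheat Sheet equivalence table (N=2^14, r=8, p=5 sits alongside N=2^17, r=8, p=1).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 5
SCRYPT_MAXMEM = 64 * 1024 * 1024


def _derive(password: str, salt: bytes, n: int, r: int, p: int) -> bytes:
    return hashlib.scrypt(normalize(password).encode("utf-8"), salt=salt,
                          n=n, r=r, p=p, maxmem=SCRYPT_MAXMEM, dklen=32)


def hash_password(password: str) -> str:
    """Return a self-describing verifier string with a fresh 16-byte random salt."""
    salt = os.urandom(16)
    digest = _derive(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = _derive(password, bytes.fromhex(salt_hex), int(n), int(r), int(p))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    samples = [("C0ntos0Summer1", False), ("Tr0ub4dor&3", True), ("correct horse battery staple", False)]
    for candidate, mfa in samples:
        verdict = evaluate(candidate, mfa)
        print(f"{candidate!r} mfa={mfa}: accepted={verdict.accepted} score={verdict.score} {verdict.reasons}")
    stored = hash_password("correct horse battery staple")
    print(stored, verify_password("correct horse battery staple", stored))
```

Two behaviours of the scoring model are worth noticing when tuning the custom list: `C0ntos0Summer1` fails both the length rule and the blocklist (two banned terms plus one leftover character score 3), while a long passphrase that happens to contain an organization term passes, which matches how Entra Password Protection treats such input. The length and blocklist rules are therefore complementary, not redundant.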