
SANS Security Insights

Active Directory Password Policies & NIST Password Standards

by Josh Horwitz, Chief Operating Officer, Enzoic

NIST's password standards balance employee-friendly password policies with improved security. NIST published the current guidance, Special Publication 800-63B, in 2017, but many organizations are only now getting around to adopting it in Active Directory. As they do, they are turning to tools that automate the screening of exposed passwords and the enforcement of password policy, so that the AD implementation stays simple and does not place a lot of additional burden on the IT team.

In our recent posting on NIST Special Publication 800-63B, we identified the following critical screening elements to implement in enterprise AD password policies:

1. Can You Prohibit Commonly-Used Passwords?

Many employees choose weak, common passwords that are easy to guess, so automated password screening should start by rejecting commonly used passwords. NIST's approach is to screen candidate passwords against a list of known-weak and breached values rather than to impose character-composition rules; employees can still be advised to build longer passwords by combining words with other words, numbers, and special characters. Screening should also block repetitive characters (such as "aaaaaa") and sequential characters (such as "1234abcd"), which 800-63B lists explicitly.

2. Can You Block Similar Passwords?

Most employees also reuse passwords in a weaker form: a root password that is changed by a few characters, such as an incremented year or an added symbol. If the old password was exposed in a breach at another site, an attacker will try patterns derived from it against the employee's work account. Password-similarity blocking screens a new password against the user's previous passwords and rejects it unless it differs enough that the exposed root no longer helps the attacker.

3. Can You Filter Expected Passwords?

Employees also often start from a root password and replace letters with look-alike digits or symbols. The screening process should therefore use fuzzy matching that checks multiple variants of the candidate password: case-insensitive comparison, expected substitutions such as leetspeak ("P@ssw0rd" for "password"), and the reversed string.

4. Can You Prevent Use of Context-Specific Passwords?

Criminals also try context-specific passwords against Active Directory accounts, because they know that many employees include their company or product name in their passwords. To combat this, organizations need the ability to create a custom password dictionary (company, product, and site names, and other local terms; 800-63B also names the username and derivatives of it) and to filter against that dictionary as well, so that matching passwords are blocked at creation. Custom entries should be matched partially and case-insensitively, so that any password that contains the word is blocked.
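The following is an added example, not code from the post, from Enzoic, or from NIST, showing how the four screening elements above fit together in a single check run when a user sets or changes a password. The blocklist, the context-specific dictionary, the leetspeak map, and the "previous password" are constructed for illustration (a deployment would load a breach-derived list of millions of entries and the account's real password history); the similarity threshold of 0.75 and the run length of 4 for repetitive or sequential characters are assumptions chosen for the example.

```python
"""Password-screening checks for a new or changed AD password.

Added example, not the post's, Enzoic's, or NIST's code. Covers: common-password
blocklist with a repetitive/sequential check, similarity to previous passwords,
expected variants (case, leetspeak, reversal), and a context-specific dictionary.
"""
import re
from difflib import SequenceMatcher

# Constructed blocklist (assumption: a real list is breach-derived and far larger).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}

# Constructed context-specific dictionary: company, product and site names.
CONTEXT_WORDS = {"enzoic", "acme", "widgetcorp"}

# Common look-alike substitutions, undone before comparison so that
# "P@ssw0rd" compares as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets


def normalize(password):
    """Case-fold and undo look-alike substitutions."""
    return password.lower().translate(LEET_MAP)


def variants(password):
    """Expected forms of a password: lower-cased, de-leeted, with leading and
    trailing digits/symbols stripped ("Welcome1!" -> "welcome"), and reversed."""
    lower = password.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lower)
    forms = set()
    for form in (lower, stripped):
        forms.add(form)
        forms.add(form.translate(LEET_MAP))
    forms |= {form[::-1] for form in forms}
    forms.discard("")
    return forms


def has_repetitive_or_sequential(password, run=4):
    """True for runs such as 'aaaa', '1234', 'abcd' or 'dcba' of length >= run."""
    if re.search(r"(.)\1{%d,}" % (run - 1), password):
        return True
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def too_similar(new, old, threshold=0.75):
    """Similarity ratio of the normalised forms; catches Winter2023! -> Winter2024!."""
    return SequenceMatcher(None, normalize(new), normalize(old)).ratio() >= threshold


def screen(password, previous=()):
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    forms = variants(password)
    if forms & COMMON_PASSWORDS:
        reasons.append("commonly used password (or a variant of one)")
    if has_repetitive_or_sequential(password):
        reasons.append("repetitive or sequential characters")
    if any(word in form for form in forms for word in CONTEXT_WORDS):
        reasons.append("contains a context-specific word")
    if any(too_similar(password, old) for old in previous):
        reasons.append("too similar to a previous password")
    return reasons


if __name__ == "__main__":
    history = ["Winter2023!"]  # constructed previous password for the account
    for candidate in ["P@ssw0rd1", "Winter2024!", "AcmeRocks", "abcd1234xyz",
                      "correct horse battery staple"]:
        verdict = screen(candidate, history) or ["accepted"]
        print("%-30s %s" % (candidate, "; ".join(verdict)))
```

Note that the blocklist lookup runs over every variant, so "P@ssw0rd1" is rejected because stripping the trailing digit and undoing the substitutions yields "password", while "Winter2024!" passes every static check and is caught only by the similarity comparison against the account's previous password.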

5. Can You Continuously Monitor for Exposed Passwords?

According to LastPass, the average person reuses each password as many as 13 times. Cybercriminals prey on the vulnerabilities that password reuse creates, and IT and security teams are fighting back by screening for compromised passwords. A static, aging blacklist is not enough: new breaches surface daily, and every day an exposed password stays in use widens the window in which an attacker can take over the employee's account. NIST SP 800-63B requires that a password be checked against breach corpora when it is set or changed, and that a change be forced when there is evidence of compromise; continuously screening existing passwords against newly exposed data is how an organization obtains that evidence and shrinks this attack vector.

6. Do You Have Automation to Reduce the Burden on IT?

Organizations need quick-to-deploy password policy enforcement and daily exposed-password screening that run automatically, so that they add no workload for the IT team. Automation lets the team set up the password policies and then let them run. When an existing password becomes vulnerable, the remediation steps are automated instead of manual. Automated responses should be customizable so the organization can select the appropriate action, ranging from prompting the user to change their password to disabling the account, and can set the response to kick in immediately or after a predetermined delay.
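An added example, not Enzoic's product, the post's own code, or anything from NIST, illustrating elements 5 and 6: a scheduled job that compares every account's stored password hash against an exposure feed and schedules the configured remediation with a grace period. The feed is a constructed in-memory stand-in for a breach-data service that answers k-anonymity range queries (the pattern used by Have I Been Pwned's Pwned Passwords API, where the client sends only the first five hex characters of a SHA-1 hash and receives every known suffix in that range, so the full hash never leaves the organization). The accounts, the policy, and the timestamps are constructed too. Active Directory itself stores NT hashes (MD4 over UTF-16LE), not SHA-1; SHA-1 is used here only because it is what the range-query pattern expects and what hashlib provides everywhere.

```python
"""Continuous screening of existing accounts against newly exposed password
hashes, with an automated remediation decision.

Added example; not Enzoic's, the SANS post's, or NIST's code. EXPOSED_FEED,
DEMO_ACCOUNTS, DEMO_POLICY and DEMO_NOW are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form exposure feeds publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed exposure feed: 5-character prefix -> set of 35-character suffixes.
# A real feed gains entries every day as breaches are processed, which is why
# the comparison must repeat rather than run once at password creation.
EXPOSED_FEED = {}
for _pw in ("Summer2023!", "Welcome1", "Password123"):
    _h = sha1_hex(_pw)
    EXPOSED_FEED.setdefault(_h[:5], set()).add(_h[5:])


def range_query(prefix):
    """Stand-in for the network call: all exposed suffixes for a 5-character
    prefix. Only the prefix is ever sent to the service."""
    return EXPOSED_FEED.get(prefix, set())


def is_exposed(password_hash):
    """k-anonymity lookup: fetch the range for the prefix, match the suffix locally."""
    prefix, suffix = password_hash[:5], password_hash[5:]
    return suffix in range_query(prefix)


@dataclass
class Policy:
    action: str        # "prompt" (force a change at next logon) or "disable"
    delay: timedelta   # grace period before the action is applied


def monitor(accounts, policy, now):
    """Check every account's stored hash against the feed and return the
    remediation each exposed account is scheduled for: (user, action, due)."""
    scheduled = []
    for user, password_hash in accounts.items():
        if is_exposed(password_hash):
            scheduled.append((user, policy.action, now + policy.delay))
    return scheduled


def due_action(detected_at, now, policy):
    """What the automated job should do at `now` for an exposure detected at
    `detected_at`: nothing inside the grace period, then the configured action."""
    return policy.action if now >= detected_at + policy.delay else "wait"


# Constructed demo data: stored hashes only; the cleartexts appear solely to
# build the example and would never be available to a real monitoring job.
DEMO_ACCOUNTS = {
    "jdoe": sha1_hex("Summer2023!"),
    "asmith": sha1_hex("correct horse battery staple"),
}
DEMO_POLICY = Policy(action="prompt", delay=timedelta(hours=24))
DEMO_NOW = datetime(2024, 1, 15, 9, 0)


def run_demo():
    """One monitoring pass over the constructed accounts."""
    return monitor(DEMO_ACCOUNTS, DEMO_POLICY, DEMO_NOW)


if __name__ == "__main__":
    for user, action, due in run_demo():
        print(f"{user}: password exposed, '{action}' scheduled for {due:%Y-%m-%d %H:%M}")
```

Swapping the action to "disable" and the delay to zero turns the same job into an immediate lockout; the remediation policy is a configuration choice, while the comparison logic stays the same.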


To enable NIST password requirements quickly and easily, organizations need to fully automate password screening for commonly used, expected, and compromised passwords. Doing so increases security without adding much friction for end users or much additional burden on the IT team.

To learn more, read this white paper: Automate Password Policy Enforcement & NIST Password Guidelines or visit

About the Author:

Josh Horwitz is an enterprise software executive and entrepreneur with over 25 years of experience. He is currently the Chief Operating Officer at Enzoic. He was the founder of Boulder Logic, a cloud-based enterprise customer-marketing platform whose clients included Microsoft, Siemens, Dell, and CSC.
