


Contributing Writer

How to protect against poor Windows password practices

Mar 06, 2019 | 4 mins

Employees will reuse their work-system passwords for their personal online accounts. Here's how to set up multifactor authentication in a Windows environment to reduce the risk of password compromise.


Hardly a day goes by without some website reporting a credential-stuffing attack, in which harvested usernames and passwords are used to gain access to sensitive information. Lately it was tax software site TurboTax, where attackers accessed users’ tax information.

This underscores the risk of password reuse. Organizations need a strong password policy to encourage good password practices among employees. Therein lies the rub: Set up a password policy that is too complex and you increase user frustration. Also, if a user reuses a complex password they set up inside your firm for a personal website or account and that database is breached, the password you made sure was strong is now more likely to be harvested and used in a credential-stuffing attack.

How to see if employees are reusing passwords


Sites such as Have I Been Pwned (HIBP) allow you to check whether any of your personal username and password combinations have been exposed in a breached database. You can even set up a monitoring service to see if any of your firm’s accounts have been breached. The site also provides an API and other services that you can use in a web service to check the security of the passwords your customers use to sign up.

If you’ve ever signed up for GitHub, you’ve seen this password checking feature in action. As noted in the GitHub blog, checking for reused passwords is a good reminder that once one database is breached, attackers can reuse these credentials elsewhere. Vendors have used the same platform to provide checking features in various web applications and mobile apps.

How to set up two-factor authentication (2FA) in Windows

Setting up 2FA in your organization can also reduce risk from password exposure. There are many ways to do this in Windows.

One way to add 2FA to on-premises deployments is through Remote Desktop Services (RDS) and Azure Active Directory. The two-factor method has to be application based or use a voice callback to better protect the RDS implementation. You’ll need the following in place before starting the implementation:

  • RDS infrastructure
  • Azure MFA license
  • Windows Server
  • Network Policy and Access Services (NPS) role
  • Azure Active Directory synched with on-premises Active Directory
  • Azure Active Directory GUID ID

You can also add third-party solutions to Active Directory that provide multi-factor authentication (MFA). ESET, for example, provides a solution that allows integration with Active Directory implementations.

Those with Microsoft Office 365 can use the Microsoft Authenticator app (available for both iPhone and Android), which requires additional authentication when signing in from a new location. To set up the requirement in Office 365, log into the admin account and enable 2FA for your users. Go to “Users”, then “Active users” and click on the three dots “…”. Then select “Setup multifactor authentication”.


Once you’ve enabled MFA on your Office 365 setup, you can send your users to Microsoft’s MFASetup page to complete the process. Now your Office 365 users will be better protected from phishing attacks.

Once you have enabled 2FA on a Microsoft account, you may find that you need an “application” password to authenticate with older software such as Outlook or Hotmail. You might also need to visit the security basics page to enable and set up an application password. This enables older applications to authenticate properly.

Often there is just one password between you and the attacker. Review your options to put more protection between your assets and the attackers. If just one privileged account is accessed, attackers can move laterally inside Active Directory.

I often see targeted emails trying to get credentials for online and hosted platforms. Review your current password policies to ensure they provide users with recommendations about setting passwords for external sites. Consider setting up MFA for your own domain and internal resources, and especially on highly sensitive accounts or accounts that might be targeted for phishing. If you can’t enable MFA for all accounts, review those accounts most at risk and put extra protection on them. Urge users in your best practice literature to use MFA when it’s offered and when practical.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for, is a moderator on the listserve, and writes a column of Windows security tips for In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.
