I have a customer that has a Watchguard VPN in his office. He has on-prem AD syncing to M365 accounts. We have passwords expire every 30 days.
The problem is that just about every week users type the wrong password, get locked out of their account and can’t VPN into the network when it happens (*the remote users that aren’t at the office), or their passwords expire and they can’t VPN into the network. The owner is tired of the users having to contact us to reset the password and he is tired of the downtime of the employees.
I’m trying to think what solution we could go with that would prevent the users from accessing the VPN; I would love them to have a Yubikey they just insert to connect to Windows / VPN / M365 or something like that.
Anyone have good advice on this?
Update 1: I didn’t set up this environment. I’m a consultant and in the process of convincing them to go Azure Servers instead; it will happen, but in the meantime I wanted to fix all these screw-ups they have.
Update 2: I appreciate everyone’s suggestions, thanks for taking your time to provide them.
I think the answer is clear. Turn off password expiry. It’s against best practice, and 30 days is insane. You’re just asking users to set bad passwords.
Bump the pw requirements to 12-14, enforce MFA, turn off expiry.
First off, why are you expiring passwords every 30 days? That’s the root of your issue.
Modern best practice is to use long (12+ characters), complex passwords that don’t expire in combination with MFA. Unless you have some compliance requirement to do otherwise, you’re causing your own problems.
Set up MFA for the VPN/AD/AAD if you haven’t already.
Turn on account lockout reset in AD to something like 30 minutes max, then ask the end user to wait for 15 minutes and try again. Or just unlock the account in AD and force a delta sync to Azure AD.
There should be no need to reset passwords ever in these situations.
MFA your VPN using a 365 security group and 365’s MFA.
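The policy and lockout advice in the replies above, as an added PowerShell example (not posted by anyone in the thread). It assumes the ActiveDirectory RSAT module on the admin host and the ADSync module on the Azure AD Connect server; the 14-character minimum, the 30-minute lockout values and the account name `jdoe` are constructed placeholders.

```powershell
# Added example: apply the thread's advice (no expiry, self-healing lockouts, delta sync).
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# 1. Stop the 30-day rotation. A MaxPasswordAge of 0 is the "never expires" value,
#    as in the Group Policy setting. Keep a long minimum so passphrases are required.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MaxPasswordAge ([TimeSpan]::Zero) `
    -MinPasswordLength 14

# 2. Make lockouts self-heal: after 30 minutes the account unlocks without a ticket.
#    The observation window must not exceed the lockout duration.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 3. When a remote user cannot wait: list locked-out accounts and unlock the one affected.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut
Unlock-ADAccount -Identity 'jdoe'   # 'jdoe' is a placeholder account name

# 4. Push the change to Azure AD / Entra ID now instead of waiting for the scheduled
#    cycle. Run this part on the Azure AD Connect server.
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta

# 5. Confirm the resulting domain policy.
Get-ADDefaultDomainPasswordPolicy -Identity $domain |
    Select-Object MaxPasswordAge, MinPasswordLength,
                  LockoutThreshold, LockoutDuration, LockoutObservationWindow
```

If the domain uses fine-grained password policies (PSOs), those override the default domain policy for their members and need the same changes via Set-ADFineGrainedPasswordPolicy.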
I can’t agree more with disabling password expirations.
“Password expiration requirements do more harm than good, as they make users select predictable passwords, composed of sequential words and numbers that are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cybercriminals almost always use credentials as soon as they compromise them.”
30 day password expiration policy? What the mother fuck!?
At minimum, 6 months, I mean… Jesus Christ…
Consider also Passwordless MFA using Yubikeys, CBA Auth, WHFB, or even Push MFA. If I was that CEO, I’d be furious as well. Just mentioning a 30 day password expiration policy gave me diarrhea. What a way to make both authentication less secure and annoying AF for users.
With your users regularly forgetting passwords, don’t require them to use hard-to-remember passwords like: Nuey:jwy1:.j or cn><V.d31$K4 or mz2:ppEy+Ckh
Instead, point them to: https://proton.me/pass/password-generator Allow them to set the number of words to three without numerals. They will still get fine passwords such as:
Shy-Sustained-Repair
Giver-User-Traverse
Creation-Helping-Onto
These are still plenty strong with today’s cracking technology.