Benchmarks for SaaS Apps: Password Management

Adaptive Shield Team

What are Password Policies and Configurations?

In a world where identity is the new perimeter, user passwords are essential to protect your SaaS applications from unauthorized access. Effective password policies that are enforced at the corporate level reduce the gateway into your corporate data.

SaaS applications include a number of security settings that promote safe password use. When these settings are misconfigured, however, users can use passwords that are easily guessed by threat actors or can be discovered by hackers during a brute-force attack.

Compromised passwords do more than provide threat actors with access to information that should be protected. They open the possibility of an account takeover attack. Savvy threat actors may take their infiltration to the next level, particularly when accessing high-privilege accounts. Once in, they create new high-privilege users accounts that can be weaponized to download confidential data, conduct ransomware attacks, or maintain long-term espionage programs.

Password configurations make up about 6% of all SaaS app settings. Despite their small number, they play a large role in limiting access to sensitive information.

The configurations within the SaaS application are in place to better secure account access, which is why we’re sharing some key password configuration benchmarks for Salesforce, M365, and Google Workspace.

Key Password Configurations

Password configurations cover the makeup of acceptable passwords as well as passwords for different categories of users. These configurations include:

  1. Admin password policy
  2. Password reuse
  3. Password expiration
  4. Password length
  5. Password complexity
  6. Password hints
  7. Password resets

Password Change Frequency in Salesforce

There was a time when security experts universally recommended users update their passwords every 60-90 days to prevent accounts from being accessed by cybercriminals. As a result, most users got in the habit of using easily memorable passwords that didn’t change much.

In 2017, Digital Identity Guidelines from the National Institute of Science and Technology (NIST) recognized that this approach led to an overall weakening of user passwords. Instead, they recommended strong passwords that only need to be changed in the event of a user request or evidence of an authenticator or credentials being compromised.

‍Salesforce’s settings take the NIST recommendation into account with two settings. Passwords Expiration and Profile Passwords Expiration should both be set so that they never automatically expire.

To do so, first set the general policy following these steps:

  1. Got to Setup → Setting → Security  → Password Policies
  2. Set the User password Expires to 0 days

This password setting is governed by default in the general Password Policies of the account but can be overridden by selecting a different setting in a specific profile.

Take the following steps for specific profiles, which can be used to override the general policies for a specific user account.

  1. Go to Setup→Settings→Users→Profiles
  2. Select the affected profile, click Edit
  3. Go to Password Policies→User passwords expire in, and select 0 days

Password Management Benchmarks for Salesforce

Here are some Salesforce user benchmarks to measure your settings against.

Blocking Guessable Passwords in Microsoft 365

Microsoft 365 uses several settings to prevent users from using easily guessable words as their passwords, which helps defend against password spray attacks.

The Custom Banned Password and the Enforce Custom Banned Password security settings allow administrators to add a list of up to 1,000 words that cannot be included in a password. The Password Protection for Windows Server Mode and Password Protection for Windows Server Active Directory configurations are relevant for organizations using hybrid environments. These two settings configure Azure Active Directory to work with on-prem data centers, and prevent the use of corporate specified words.

The list of banned words should include corporate keywords, such as company products, trademarks, or executive names. It should also include things like local sports teams names, popular players, or famous actors.

Password Management Benchmarks for Microsoft 365

Here are some M365 benchmarks to measure your settings against.

App Passwords in Google Workspace

App passwords can be used in some circumstances to bypass MFA security checks and company-monitored SSO. These apps can be easily compromised when threat actors get a user’s login credentials.

Super Admins with App Passwords is particularly dangerous. These high-privilege users require app passwords so they can access apps when SSO is down. However, this access is risky because it bypasses multi-factor authentication. Configurations should be set to periodically confirm with Super Admins that they require their high-privilege level of access.

Regular users that are accessing apps with a password should also be approached, through the system, to confirm that they require access to specific apps. Those who are no longer in need of the applications should remove apps that they no longer need.   ‍

Password Management Benchmarks for Google Workspace

Here are some Google Workspace benchmarks to measure your settings against.

How to Maximize Password Security

Passwords are most effective when coupled with MFA or as part of an SSO.

Strong passwords policy includes:

Up next in our Benchmark for SaaS Apps Series is Endpoint Protection.

About the writer

Adaptive Shield Team

Businesses today run nearly every facet of their operations using a wide array of interconnected SaaS apps. Adaptive Shield’s team is here to keep you informed as well as help you secure your SaaS estate.