密碼原則建議Password policy recommendations

身為組織的系統管理員,您必須為貴組織中的使用者設定密碼原則。As the admin of an organization, you're responsible for setting password policy for users in your organization. 設定密碼原則相當複雜且令人困惑,因此本文提供加強貴組織對密碼攻擊的防護的建議。Setting password policy can be complicated and confusing, and this article provides recommendations to make your organization more secure against password attacks.

若要判斷貴組織中的 Microsoft 365 密碼到期頻率,請參閱設定 Microsoft 365 的密碼到期原則To determine how often Microsoft 365 passwords expire in your organization, see Set password expiration policy for Microsoft 365.

如需有關 Microsoft 365 密碼的詳細資訊,請參閱這些相關文章For more information about Microsoft 365 passwords, see these related articles.

了解密碼建議Understanding password recommendations

良好的密碼實踐分為幾大類:Good password practices fall into a few broad categories:

  • 抵禦常見攻擊:這涉及選擇讓使用者在何處輸入密碼 (具有良好惡意程式碼偵測的已知和信任的裝置、經過驗證的網站),以及選擇要選用哪個密碼 (長度和唯一性)。Resisting common attacks This involves the choice of where users enter passwords (known and trusted devices with good malware detection, validated sites), and the choice of what password to choose (length and uniqueness).

  • 包含成功的攻擊:包含成功駭客攻擊是指限制僅向特定服務公開,或在使用者密碼遭竊的情況下完全防止該損失。Containing successful attacks Containing successful hacker attacks is about limiting exposure to a specific service, or preventing that damage altogether, if a user's password gets stolen. 例如,確保社交網路認證外洩不會導致銀行帳戶易受攻擊,也不會讓防護較弱的帳戶接受重要帳戶的重設連結。For example, ensuring that a breach of your social networking credentials doesn't make your bank account vulnerable, or not letting a poorly guarded account accept reset links for an important account.

  • 了解人的天性:許多有效的密碼實踐都在面對自然的人類行為時失敗。Understanding human nature Many valid password practices fail in the face of natural human behaviors. 了解人的天性至關重要,因為研究結果顯示,幾乎每條強加於使用者的規則都會導致密碼品質降低。Understanding human nature is critical because research shows that almost every rule you impose on your users will result in a weakening of password quality. 長度要求、特殊字元要求和密碼變更要求都會導致密碼標準化,讓攻擊者更容易猜測或破解密碼。Length requirements, special character requirements, and password change requirements all result in normalization of passwords, which makes it easier for attackers to guess or crack passwords.

系統管理員的密碼指導方針Password guidelines for administrators

加強密碼系統安全的主要目標是密碼多樣性。The primary goal of a more secure password system is password diversity. 您希望密碼原則包含許多不同且難以猜測的密碼。You want your password policy to contain lots of different and hard to guess passwords. 以下是一些讓貴組織盡可能安全的建議。Here are a few recommendations for keeping your organization as secure as possible.

  • 維持至少 8 個字元的長度要求 (更長不一定更好)Maintain an 8-character minimum length requirement (longer isn't necessarily better)

  • 不設定字元構成要求。Don't require character composition requirements. 例如,*&(^%$For example, *&(^%$

  • 不要求使用者帳戶定期重設密碼Don't require mandatory periodic password resets for user accounts

  • 禁止常見密碼,使系統中不存在容易受到攻擊的密碼Ban common passwords, to keep the most vulnerable passwords out of your system

  • 教育使用者不要將其組織密碼重複用於與工作無關的用途Educate your users to not re-use their organization passwords for non-work related purposes

  • 強制註冊多重要素驗證Enforce registration for multi-factor authentication

  • 克服以風險為根據的多重要素驗證挑戰Enable risk-based multi-factor authentication challenges

使用者密碼指導方針Password guidance for your users

以下是提供貴組織使用者的一些密碼指導方針。Here's some password guidance for users in your organization. 請務必讓您的使用者了解這些建議,並在組織層級強制執行建議的密碼原則。Make sure to let your users know about these recommendations and enforce the recommended password policies at the organizational level.

  • 請勿使用在任何其他網站上所使用的相同或相似密碼Don't use a password that is the same or similar to one you use on any other websites

  • 請勿只用一個單字,例如 password,也不要使用常用片語,例如 IloveyouDon't use a single word, for example, password, or a commonly-used phrase like Iloveyou

  • 使密碼變得難以猜測,讓即使熟悉您的人也難以猜測,例如,不要使用朋友和家人的姓名和生日、喜歡的樂團,以及您喜歡使用的語句Make passwords hard to guess, even by those who know a lot about you, such as the names and birthdays of your friends and family, your favorite bands, and phrases you like to use

一些常見做法及其負面影響Some common approaches and their negative impacts

以下是一些最常使用的密碼管理做法,但是研究結果警告我們注意這些做法的負面影響。These are some of the most commonly used password management practices, but research warns us about the negative impacts of them.

使用者密碼到期要求Password expiration requirements for users

密碼到期要求弊大於利,因為這些要求會讓使用者選擇可預測的密碼,即由彼此密切相關的連續字詞和數字組成的密碼。Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers which are closely related to each other. 在這些情況下,下一個密碼可根據先前的密碼來預測。In these cases, the next password can be predicted based on the previous password. 密碼到期要求不會提供任何控制優勢,因為網路罪犯總會在盜取憑證後立即使用憑證。Password expiration requirements offer no containment benefits because cyber criminals almost always use credentials as soon as they compromise them. 請查閱 是時候重新思考強制密碼變更了 以獲得其它資訊。Check out Time to rethink mandatory password changes for more info.

要求使用長密碼Requiring long passwords

密碼長度要求 (大於約 10 個字元) 可能會導致可預測且不必要的使用者行為。Password length requirements (greater than about 10 characters) can result in user behavior that is predictable and undesirable. 例如,必須具有 16 個字元密碼的使用者可能會選擇 fourfourfourfourpasswordpassword 等符合字元長度要求但不難猜測的重複模式。For example, users who are required to have a 16-character password may choose repeating patterns like fourfourfourfour or passwordpassword that meet the character length requirement but aren't hard to guess. 此外,長度要求會提高使用者採用其他不安全做法的機會,例如將密碼寫下來、重複使用密碼,或將密碼不加密地儲存在文件中。Additionally, length requirements increase the chances that users will adopt other insecure practices, such as writing their passwords down, re-using them, or storing them unencrypted in their documents. 若要鼓勵使用者考慮使用唯一密碼,建議您維持符合 8 個字元的最小長度要求。To encourage users to think about a unique password, we recommend keeping a reasonable 8-character minimum length requirement.

要求使用多個字元集Requiring the use of multiple character sets

密碼複雜性要求會縮減金鑰空間,並讓使用者以可預測的方式行動,因此弊大於利。Password complexity requirements reduce key space and cause users to act in predictable ways, doing more harm than good. 大多數系統都會強制實施一定程度的密碼複雜性要求。Most systems enforce some level of password complexity requirements. 例如,密碼需要使用下列所有三種類別的字元:For example, passwords need characters from all three of the following categories:

  • 大寫字元 uppercase characters

  • 小寫字元lowercase characters

  • 非英數字元non-alphanumeric characters

大多數使用者都會使用類似的模式,例如,第一個位置使用大寫字母、最後一位使用符號,倒數第 2 位使用數字。Most people use similar patterns, for example, a capital letter in the first position, a symbol in the last, and a number in the last 2. 網路罪犯知道這一點,因此他們在執行字典攻擊時會使用最常見的替換,例如:$ 替換為 s、@ 替換為 a,1 替換為 l。Cyber criminals know this, so they run their dictionary attacks using the most common substitutions, "$" for "s", "@" for "a," "1" for "l". 強制使用者選擇大寫、小寫、數字、特殊字元的組合會造成負面影響。Forcing your users to choose a combination of upper, lower, digits, special characters has a negative effect. 有些複雜性要求甚至會妨礙使用者使用安全易記的密碼,並迫使他們採用安全性較低且更難記住的密碼。Some complexity requirements even prevent users from using secure and memorable passwords, and force them into coming up with less secure and less memorable passwords.

成功的模式Successful Patterns

相比之下,以下是鼓勵密碼多樣性的一些建議。In contrast, here are some recommendations in encouraging password diversity.

禁用常見密碼Ban common passwords

建立密碼時,您應對使用者提出的最重要的密碼要求是禁用常見密碼,使貴組織更不容易受到暴力密碼破解攻擊。The most important password requirement you should put on your users when creating passwords is to ban the use of common passwords to reduce your organization's susceptibility to brute force password attacks. 常見的使用者密碼包括 abcdefgpasswordmonkeyCommon user passwords include, abcdefg, password, monkey.

教育使用者不要在其他位置重複使用組織密碼Educate users to not re-use organization passwords anywhere else

要傳達給組織內部使用者的最重要訊息之一是不要在任何其他位置重複使用其組織密碼。One of the most important messages to get across to users in your organization is to not re-use their organization password anywhere else. 在外部網站使用組織密碼會大幅增加網路罪犯盜用這些密碼的可能性。The use of organization passwords in external websites greatly increases the likelihood that cyber criminals will compromise these passwords.

強制執行多重要素驗證註冊Enforce Multi-Factor Authentication registration

請確保您的使用者更新連絡人和安全性資訊,例如備用電子郵件地址、電話號碼或註冊接收推播通知的裝置,以便讓使用者應對安全性挑戰及收到安全性事件通知。Make sure your users update contact and security information, like an alternate email address, phone number, or a device registered for push notifications, so they can respond to security challenges and be notified of security events. 更新的連絡人和安全性資訊可協助使用者在忘記密碼時或其他人嘗試接管其帳戶時驗證他們的身分。Updated contact and security information helps users verify their identity if they ever forget their password, or if someone else tries to take over their account. 並在登入嘗試或變更密碼等安全性事件的情況下提供頻外通知頻道。It also provides an out of band notification channel in the case of security events such as login attempts or changed passwords.

若要深入瞭解,請參閱設定多重要素驗證To learn more, see Set up multi-factor authentication.

啟用以風險為根據的多重要素驗證Enable risk-based multi-factor authentication

以風險為根據的多重要素驗證可確保系統偵測到可疑活動時,能迫使使用者確保其為合法帳戶擁有者。Risk-based multi-factor authentication ensures that when our system detects suspicious activity, it can challenge the user to ensure that they are the legitimate account owner.

重設密碼Reset passwords

設定個別使用者的密碼永不過期Set an individual user's password to never expire

讓使用者重設自己的密碼Let users reset their own passwords

重新傳送使用者的密碼 - 系統管理說明Resend a user's password - Admin Help