Password Management Checklist
Password Policy Enforcement
Current NIST guidance: minimum 8 characters (15+ for privileged accounts), no forced periodic rotation, no composition rules, screening against known-breached password lists. If your Entra ID or AD policy still mandates 90-day rotation and special characters, update the policy and document the change for SOC 2 / ITGC evidence.
Turn on Entra ID Password Protection (cloud + on-prem agent) or equivalent screening against the HIBP / Pwned Passwords list. Add a custom banned-list entry for company name, product names, and local sports teams — those dominate the helpdesk-reset tail.
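As an added example that is not part of the checklist, the screening function below applies the two items above in Python: length by account tier, a normalized banned-term list (company name, product names, the user's own name), NIST's trivial-pattern checks, and a breached-list lookup done with the same SHA-1 prefix/suffix split the Pwned Passwords range API uses. The breached corpus, banned terms and usernames are constructed; the leet normalization is a simplification of what Entra Password Protection does.

```python
import hashlib
import re

# Undo the common leet substitutions and lowercase before matching banned terms,
# so "C0nt0s0!" is still caught by a banned-list entry of "contoso". (Entra
# Password Protection does a fuzzier, scored match; substring-after-normalize is
# a deliberate simplification here.)
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "$": "s", "@": "a", "!": "i", "7": "t"})

def normalize(pw):
    return pw.lower().translate(LEET)

# Constructed breached corpus, stored as uppercase SHA-1 hex (the Pwned Passwords
# format). Against the real service only the first 5 hex characters of the
# candidate's SHA-1 go to the range API; the suffix comparison stays local.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password", "Summer2024!", "Welcome1", "qwerty123")}

def screen_password(pw, *, username, banned_terms, privileged=False, breached=BREACHED_SHA1):
    """Return the list of reasons a password fails screening; an empty list means accept.

    No composition rules are enforced, per NIST SP 800-63B: length, context terms,
    trivial patterns and breach exposure are the only checks.
    """
    reasons = []
    min_len = 15 if privileged else 8          # tiers taken from the checklist
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    norm = normalize(pw)
    # Context-specific terms: the user's own name plus the custom banned list
    # (company name, product names, local sports teams).
    for term in [username, *banned_terms]:
        if len(term) >= 4 and normalize(term) in norm:
            reasons.append(f"contains banned term '{term}'")
    # Repetitive or sequential runs, e.g. "aaaaaa" or "1234abcd".
    if re.search(r"(.)\1{3,}", pw):
        reasons.append("four or more repeated characters")
    lower = pw.lower()
    if any(lower[i:i + 4] in "abcdefghijklmnopqrstuvwxyz0123456789"
           for i in range(len(lower) - 3)):
        reasons.append("sequential run of characters")
    # Breached-list lookup using the same prefix/suffix split as the k-anonymity API.
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    if suffix in {h[5:] for h in breached if h.startswith(prefix)}:
        reasons.append("appears in breached-password list")
    return reasons
```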
Smart lockout: 10 failed attempts, 60-second lockout, increasing on repeat. Tune it so a password spray trips the lockout but a user fat-fingering a password once doesn't trigger a page. Review the lockout event log for spray patterns from a single source IP.
Conditional Access policy blocking IMAP, POP, SMTP AUTH, and other legacy auth endpoints org-wide. MFA on modern auth doesn't help if basic auth is still reachable — that's the most common bypass we see in IR reports.
Walk the network inventory for printers, switches, IPMI/iLO/iDRAC, and appliances still on vendor defaults. These rarely show in vuln scans but are the soft entry point on flat networks.
Privileged Account Hygiene
Enumerate Domain Admins, Enterprise Admins, Schema Admins, Global Admins, and any group with delegated DCSync rights. Confirm each has a named human owner with a separate non-privileged daily-driver account. Helpdesk technicians should not appear here.
Pull the service-account inventory and flag any password older than 365 days. Migrate to gMSA where the host supports it; for the rest, rotate via the vault and validate every dependent service before closing the change ticket. This is where the "temporary" 6-year-old service account hides.
Phishing-resistant MFA (FIDO2 / WebAuthn / certificate-based) for all Tier 0 and Tier 1 accounts. SMS and voice are not acceptable for admins. Confirm break-glass accounts have hardware tokens stored in the safe with a documented sign-out log.
Use Entra PIM, CyberArk, or BeyondTrust reports to confirm just-in-time elevation is the norm and standing rights are exceptions with documented justification. Note any "Bob in accounting needs Domain Admin to install QuickBooks"-class exceptions for remediation.
Vault and Storage Controls
For Keeper, 1Password Business, Bitwarden, Hudu Vault, or Passportal: verify zero-knowledge architecture, master-password key derivation (PBKDF2 / Argon2 iterations), and that recovery keys are escrowed in a separate physical safe — not the same vault.
MSP-only: each client's credentials live in a dedicated vault or folder with role-scoped access. One technician compromise should not expose 50 clients. Audit cross-client access grants and revoke any that aren't currently needed for active engagements.
Push Intune / GPO to disable Chrome, Edge, and Firefox password save prompts on corporate devices, redirecting users to the sanctioned vault. Caching credentials in the browser profile is what makes laptop theft a credential incident.
Run an external SSL Labs scan on all login surfaces (SSO, VPN portal, RMM, helpdesk). Flag anything under TLS 1.2, weak ciphers, or expiring certs within 60 days. Internal app certs should be tracked in the same renewal calendar — expired internal certs erode security culture.
User Enablement
Capture the percentage of active users with the vault deployed and at least one credential stored. Coverage under 80% means users are still keeping passwords in spreadsheets or sticky notes — schedule a follow-up campaign with HR and the affected managers.
Send a credential-harvest simulation through KnowBe4 or Hoxhunt focused on M365 / Okta login lookalikes. Repeat-clickers (3+ in 12 months) get manager-notified remediation training rather than another monthly round of generic content.
Confirm SSPR (Entra ID self-service password reset) or Okta equivalent is enabled with at least two verification methods, neither being SMS-only. Update the IT Glue / Hudu runbook with the current verification questions helpdesk uses for assisted resets — voice phishing of the helpdesk is how MGM-class incidents start.
Monitoring and Incident Response
Confirm Entra ID sign-in logs, AD security events (4624/4625/4740/4771), VPN auth, and vault access logs are flowing into Sentinel / Splunk / Sumo. Spot-check yesterday's events end-to-end; broken log pipelines tend to fail silently.
Review the past 90 days of failed-auth alerts. Tune analytics for low-and-slow spray (one attempt per account across many accounts) and impossible-travel sign-ins. Document tuning decisions for SOC 2 evidence.
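An added example, not from the checklist, for the spray tuning in this item and the lockout-log review under Password Policy Enforcement: it groups Windows 4625 failed-logon events by source IP and separates the low-and-slow pattern (one guess per account across many accounts, which per-account lockout never sees) from a single account being hammered and from a user mistyping their own password. The events are constructed sample data and the thresholds are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4625 events: (TimeCreated, TargetUserName, IpAddress, SubStatus).
# SubStatus values are the real Windows codes: 0xC000006A = wrong password,
# 0xC0000064 = account does not exist, 0xC0000234 = account locked out.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_4625 = (
    # One external source, one guess per account across many accounts (low-and-slow).
    [(T0 + timedelta(minutes=4 * i), f"user{i:02d}", "203.0.113.7", "0xC000006A")
     for i in range(14)]
    + [(T0 + timedelta(minutes=56), "jsmith", "203.0.113.7", "0xC0000064")]
    # A user mistyping her own password three times from an office workstation.
    + [(T0 + timedelta(minutes=10, seconds=20 * i), "alice", "10.0.5.21", "0xC000006A")
       for i in range(3)]
    # One source hammering a single service account until it locks.
    + [(T0 + timedelta(minutes=30, seconds=5 * i), "svc-backup", "198.51.100.9", "0xC000006A")
       for i in range(11)]
    + [(T0 + timedelta(minutes=31), "svc-backup", "198.51.100.9", "0xC0000234")]
)

def analyze_failed_logons(events, spray_min_accounts=10, spray_max_per_account=2,
                          lockout_threshold=10):
    """Classify each source IP in a batch of 4625 events already scoped to the
    review window (last hour for alerting, last 90 days for tuning).

    spray   : >= spray_min_accounts distinct accounts, none tried more than
              spray_max_per_account times; per-account smart lockout never fires
              on this pattern, so it has to be caught per source IP.
    lockout : one account failed >= lockout_threshold times from this source.
    Anything else (e.g. one user fat-fingering a few times) is benign.
    Thresholds are illustrative assumptions, not values from the checklist.
    """
    per_source = defaultdict(lambda: defaultdict(int))
    unknown = defaultdict(set)
    for _ts, user, ip, substatus in events:
        per_source[ip][user] += 1
        if substatus == "0xC0000064":          # guesses against non-existent users
            unknown[ip].add(user)
    results = {}
    for ip, accounts in per_source.items():
        most_on_one = max(accounts.values())
        if len(accounts) >= spray_min_accounts and most_on_one <= spray_max_per_account:
            verdict = "spray"
        elif most_on_one >= lockout_threshold:
            verdict = "lockout"
        else:
            verdict = "benign"
        results[ip] = {"verdict": verdict, "accounts": len(accounts),
                       "attempts": sum(accounts.values()), "unknown_accounts": len(unknown[ip])}
    return results
```

The same grouping translates directly into a per-source KQL or SPL analytic; the point of the `unknown_accounts` count is that guesses against non-existent users are a spray tell that a per-account lockout rule cannot express.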
Walk the team through a scenario: a Tier 1 admin's session token is stolen via Evilginx. Test session revocation, token invalidation in Entra ID, conditional access enforcement, and customer-comms timing. Ninety minutes; one named scribe captures gaps.
Bundle policy doc, screening config screenshots, Tier 0 inventory, vault coverage metric, tabletop notes, and SIEM tuning records into the quarterly evidence folder. This is the packet auditors ask for during SOC 2 Type II and ISO 27001 fieldwork.