Are Compromised Passwords Putting Your Company At Risk?

Brought to you by SpecOps

Passwords have been around for a long time. Today, they are used as the primary authentication method to log in to a computer, network, or website. The computer password is a little over 60 years old. If you think about how much the IT threat landscape has changed in those 60 years, you may (or may not) be surprised at how little password security behaviour has changed.  

Human behaviour is predictable, and that behaviour is evident in the passwords we create. We use familiar terms, and if we’re forced to add complexity, we use l33t speak or add an exclamation mark at the end. When asked to change the password, we increment it by one each time. We then use that same password across multiple systems.

Why is this an issue? These same passwords are being used by employees to access company data. Anytime there is a data breach, compromised passwords are sold on the dark web and then used against company networks in password spray attacks. Access can be gained within seconds, starting with a lesser-privileged account and elevating privileges once inside the network. It should be no surprise that lost or stolen credentials account for over 80% of hacking-related breaches in recent years (Verizon).

For almost 20 years, Microsoft Active Directory (AD) has been the primary means for authentication in a Windows domain network. Sadly, its password policy does little to fix the issue at hand. Third-party alternatives need to be part of the solution. If you haven’t gone down that route, compromised passwords are almost certainly in use in your network. It’s not uncommon to find that between 30% and 80% of users are using them!

Where do we go from here? To reduce the risk of successful brute-force password attacks, you’ll need to identify any compromised passwords currently in use, fix them, and prevent the issue from recurring.

The good news: it’s very easy to identify compromised passwords in AD if you have the right tools. One option is the widely publicised HaveIBeenPwned from Troy Hunt. Coupled with some PowerShell scripting, you can search for over 613 million compromised passwords. The list was last updated in December 2021.
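As an illustration of the PowerShell approach mentioned above (an added example, not code from this article or from Specops), the sketch below checks a single candidate password, for instance at password-change time, against the Pwned Passwords range API, sending only the first five characters of its SHA-1 hash. The function names and the sample response are constructed for this example.

```powershell
# Added example. Only the 5-character hash prefix leaves the machine;
# the remaining 35 characters are compared locally (k-anonymity lookup).

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Password)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
        return -join ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') })
    } finally {
        $sha1.Dispose()
    }
}

function Get-PwnedCount {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Body of a range response, one "SUFFIX:COUNT" entry per line.
        # When omitted, the live API is queried for the hash prefix.
        [string]$RangeResponse
    )
    $hash   = Get-Sha1Hex -Password $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    if (-not $RangeResponse) {
        $RangeResponse = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
            -Headers @{ 'Add-Padding' = 'true' }   # padded responses hide the real result size
    }
    foreach ($line in ($RangeResponse -split '\r?\n')) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) { return [int]$parts[1] }
    }
    return 0   # suffix not listed: not in the breach corpus
}

# Constructed sample response for prefix 5BAA6 (the counts are made up).
$sample = @(
    '0018A45C4D1DEF81644B54AB7F969B88D65:3'
    '1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345'   # suffix of SHA-1("password")
    'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0'       # padding-style entry
) -join "`n"

$count = Get-PwnedCount -Password 'password' -RangeResponse $sample
if ($count -gt 0) { "Reject: seen $count times in breach data" } else { 'Not found' }
```

Omit `-RangeResponse` to query the live service; a non-zero count means the password should be refused or its owner asked to change it.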

Free Tool To Find Compromised Passwords  

Better yet, a freeware tool. Specops Password Auditor removes the need for scripts and scans against a constantly updated list of almost 1 billion breached passwords. The findings are presented in an interactive dashboard. You’ll still need to alert the users of compromised passwords yourself so that they change them, but the hard work of identifying them is replaced with a scan that can be set up and completed in a matter of minutes.

Preventing Weak Or Compromised Password Use Going Forward 

How can we prevent this from happening again in the future? An essential step is raising awareness internally. Educate your users on the risk of compromised passwords. Mention why they should not be reusing the same passwords across systems and websites. Provide examples of what a strong password should look like. Spoiler alert: longer is stronger, so consider a passphrase of three random words, which is also easier to remember.

Awareness is only a piece of the puzzle, as bad habits may re-emerge. To create a password policy fit for today’s threat landscape, you need to be looking at third-party alternatives.

Specops Password Policy works natively within AD. The solution enforces strong passwords with passphrase support and breached password protection. Since compromised passwords are a moving target, Specops uses data used in live attacks throughout the globe to block users from selecting the same vulnerable passwords in the future.

Alongside a secure password policy and the ability to detect compromised password use, it is recommended to use two-factor authentication (2FA) as an additional fail-safe. These typically take the form of one-time passcodes sent to an authenticator app on your phone, with the more advanced factors utilising biometrics.

If you feel there is a potential issue of compromised passwords in your business, don’t delay: run a compromised password scan first to identify the scale of the problem.

If you would like a password security expert to walk you through the process of running a vulnerability scan and/or provide a personalised demo of a secure password policy solution for your business, please get in touch.
