Are Compromised Passwords Putting Your Company At Risk?

Brought to you by SpecOps

Passwords have been around for a long time. Today, they are used as the primary authentication method to log in to a computer, network, or website. The computer password is a little over 60 years old. If you think about how much the IT threat landscape has changed in those 60 years, you may (or may not) be surprised at how little password security behaviour has changed.  

Human behaviour is predictable, and that behaviour is evident in the passwords we create. We use familiar terms, and if we’re forced to add complexity, we use l33t speak, or add an exclamation at the end. When asked to change the password, we increment it by one each time. We then use that same password across multiple systems.      

Why is this an issue? These same passwords are used by employees to access company data. Whenever there is a data breach, the compromised passwords are sold on the dark web and then used against company networks in password spray attacks. Access can be gained within seconds, starting with a low-privileged account whose access is then elevated once the attacker is inside the network. It should be no surprise that lost or stolen credentials account for over 80% of hacking-related breaches in recent years (Verizon).

For almost 20 years Microsoft Active Directory (AD) has been the primary means of authentication in a Windows domain network. Sadly, its built-in password policy does little to fix the issue at hand. Third-party alternatives need to be part of the solution. If you haven’t gone down that route, compromised passwords are almost certainly in use in your network. It’s not uncommon to find that between 30% and 80% of users are using them!

Where do we go from here? To reduce the risk of successful brute-force password attacks, you’ll need to identify any compromised passwords currently in use, fix them, and prevent the issue from recurring.

The good news. It’s very easy to identify compromised passwords in AD if you have the right tools. One option is the widely publicised HaveIBeenPwned from Troy Hunt. Coupled with some PowerShell scripting, you can search for over 613 million compromised passwords. The list was last updated in December 2021.

Free Tool To Find Compromised Passwords  

Better yet, a freeware tool. Specops Password Auditor removes the need for scripts and scans against a constantly updated list of almost 1 billion breached passwords. The findings are presented in an interactive dashboard. You’ll need to alert any users of compromised passwords to change them yourself, but the hard work of identifying them is replaced with a scan that can be set up and completed in a matter of minutes.

Preventing Weak Or Compromised Password Use Going Forward 

How can we prevent this from happening again in the future? An essential step is raising awareness internally. Educate your users on the risk of compromised passwords. Explain why they should not reuse the same passwords across systems and websites. Provide examples of what a strong password should look like. Spoiler alert: longer is stronger, and a passphrase of three random words is easier to remember.

Awareness is only one piece of the puzzle, as bad habits may re-emerge. To create a password policy fit for today’s threat landscape, you need to look at third-party alternatives.

Specops Password Policy works natively within AD. The solution enforces strong passwords with passphrase support and breached password protection. Since compromised passwords are a moving target, Specops uses data seen in live attacks across the globe to block users from selecting the same vulnerable passwords in the future.
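The two technical points above, the HaveIBeenPwned check with PowerShell from "The good news" and the pattern-aware policy enforcement described here, can be illustrated together. The following PowerShell is an added example; it is not code from the article, from Specops, or from HaveIBeenPwned. It normalises away the predictable substitutions the article lists (l33t speak, a trailing "!", an incremented counter) before comparing against a local blocklist, and then queries the HaveIBeenPwned range API, which only ever receives the first five hex characters of the SHA-1 hash (k-anonymity). The `-RangeLookup` parameter, the blocklist words and the sample passwords are assumptions constructed for the example so that it can run offline; the real lookup via `Invoke-RestMethod` is the default.

```powershell
# Added example, not code from the article or from Specops. Shows the logic a policy check needs
# at password-change time: undo predictable "complexity" tricks, compare against a blocklist, and
# query HaveIBeenPwned's range API, which only receives the first five hex characters of the SHA-1.
# -RangeLookup is a hypothetical injection point so the check can run offline against constructed
# data; the default performs the live lookup with Invoke-RestMethod.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try { $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text)) }
    finally { $sha1.Dispose() }
    return ([System.BitConverter]::ToString($bytes) -replace '-', '').ToUpperInvariant()
}

# "P@ssw0rd2023!" and "Password1" both normalise to "password", so one blocklist entry covers
# every variant a user would otherwise cycle through at each forced change.
function Get-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    $leet = @{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }
    $core = $Password -replace '[\d!?.*#]+$', ''    # drop the trailing counter / punctuation
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $core.ToCharArray()) {
        $key = [string]$ch
        if ($leet.ContainsKey($key)) { [void]$sb.Append($leet[$key]) } else { [void]$sb.Append($ch) }
    }
    return $sb.ToString().ToLowerInvariant()
}

# Live HaveIBeenPwned range query: one GET per 5-character prefix, "SUFFIX:COUNT" per line.
# Add-Padding asks the API to include dummy zero-count entries so response size leaks nothing.
function Get-HibpRange {
    param([Parameter(Mandatory)][string]$Prefix)
    $body = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$Prefix" -Headers @{ 'Add-Padding' = 'true' }
    return $body -split "`r?`n"
}

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinLength = 15,                                       # length over complexity
        [string[]]$Blocklist = @('password', 'welcome', 'qwerty'),  # constructed sample list
        [scriptblock]$RangeLookup = ${function:Get-HibpRange}       # hypothetical: swap in for tests
    )
    $reasons = @()
    if ($Password.Length -lt $MinLength) { $reasons += "shorter than $MinLength characters" }

    $normalized = Get-NormalizedPassword -Password $Password
    foreach ($word in $Blocklist) {
        if ($normalized -like "*$word*") { $reasons += "contains blocked word '$word'"; break }
    }

    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    foreach ($line in (& $RangeLookup $prefix)) {
        $parts = $line.Trim() -split ':'
        # padded entries come back with a count of 0 and must not count as a hit
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix -and [int]$parts[1] -gt 0) {
            $reasons += "seen $($parts[1]) times in breach data"
            break
        }
    }
    return [pscustomobject]@{ Accepted = ($reasons.Count -eq 0); Reasons = $reasons }
}

# Offline demonstration with constructed data: a fake range response that lists the sample
# password's own SHA-1 suffix, plus one padded zero-count entry as the real API would return.
$samplePassword = 'P@ssw0rd2023!'
$sampleSuffix   = (Get-Sha1Hex -Text $samplePassword).Substring(5)
$fakeRange = {
    param($Prefix)
    @("${sampleSuffix}:4821", '0123456789ABCDEF0123456789ABCDEF012:0')
}.GetNewClosure()

Test-PasswordPolicy -Password $samplePassword -RangeLookup $fakeRange | Format-List
Test-PasswordPolicy -Password 'copper lantern orbit' -RangeLookup { param($Prefix) @() } | Format-List
```

With the constructed data, the first call rejects `P@ssw0rd2023!` on all three counts (too short, normalises to the blocked word "password", and present in the fake breach range), while the three-word passphrase passes. Omit `-RangeLookup` to query the live API; in production the same logic belongs in a password filter on the domain controllers, or in a product that provides one, rather than in a script that handles plaintext passwords.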

Alongside a secure password policy and the ability to detect compromised password use, it is recommended to use two-factor authentication (2FA) as an additional fail-safe. These typically take the form of one-time passcodes in an authenticator app on your phone, with more advanced factors using biometrics.

If you feel there is a potential issue of compromised passwords in your business, don’t delay and run a compromised password scan first to identify the scale of the problem.

If you would like a password security expert to walk you through the process of running a vulnerability scan and/or provide a personalised demo of a secure password policy solution for your business, please get in touch.
