Are Compromised Passwords Putting Your Company At Risk?

Uploaded on 2022-11-02 in TECHNOLOGY--Resilience, FREE TO VIEW

Brought to you by SpecOps

Passwords have been around for a long time. Today, they are used as the primary authentication method to log in to a computer, network, or website. The computer password is a little over 60 years old. If you think about how much the IT threat landscape has changed in those 60 years, you may (or may not) be surprised at how little password security behaviour has changed.  

Human behaviour is predictable, and that behaviour is evident in the passwords we create. We use familiar terms, and if we’re forced to add complexity, we use l33t speak, or add an exclamation at the end. When asked to change the password, we increment it by one each time. We then use that same password across multiple systems.      

Why is this an issue?   These same passwords are being used by employees to access company data. Anytime there is a data breach, compromised passwords are sold on the dark web, and then used against company networks in password spray attacks. Access can be gained within seconds; starting with a lesser privileged account, and elevated once inside the network. It should be no surprise that lost or stolen credentials equate to over 80% of hacking-related breaches in recent years (Verizon). 

For almost 20 years Microsoft Active Directory (AD) has been the primary means for authentication in a Windows domain network. Sadly, the function of its password policy does little to fix the issue at hand. Third-party alternatives need to be part of the solution. If you haven’t gone down that route, compromised passwords are almost certainly in use in your network. It’s not uncommon to find between 30-80% of users are using them!    

Where do we go from here?   To reduce the risk of successful brute-force password attacks, you’ll need to identify any compromised passwords currently in use, fix them, and prevent the issue from reoccurring.  

The good news.    It’s very easy to identify compromised passwords in AD if you have the right tools. One option is the widely publicised HaveIBeenPwned from Troy Hunt. Coupled with some PowerShell scripting, you can search for over 613 million compromised passwords. The list was last updated in December 2021. 

Free Tool To Find Compromised Passwords  

Better yet a freeware tool.   Specops Password Auditor removes the need for scripts and scans against a constantly updated list of almost 1 billion breached passwords. The findings are presented in an interactive dashboard. You’ll need to alert any users of compromised passwords to change them yourself, but the hard work of identifying them is replaced with a scan that can be set up and completed in a matter of minutes. 

Preventing Weak Or Compromised Password Use Going Forward 

How can we prevent this from happening again in the future? An essential step is raising awareness internally. Educate your users on the risk of compromised passwords. Mention why they should not be reusing the same passwords across systems and websites. Provide examples of what a strong password should look like. Spoiler alert. Longer is stronger and consider a passphrase using three random words making it easier to remember.  

Awareness is only a piece of the puzzle as bad habits may remerge. To create a password policy, fit for today’s threat landscape, you need to be looking at third-party alternatives.

Specops Password Policy works natively within AD. The solution enforces strong passwords with passphrase support and breached password protection. Since compromised passwords are a moving target, Specops uses data used in live attacks throughout the globe to block users from selecting  the same vulnerable passwords in the future.   

Alongside a secure password policy and the ability to detect compromised password use, it is recommended to use two-factor authentication (2FA) as an additional fail-safe. These typically are in the form of one-time-passcodes sent to an authenticator app on your phone with the more advanced factors utilising biometrics.  

If you feel there is a potential issue of compromised passwords in your business, don’t delay and run a compromised password scan first to identify the scale of the problem.

If you would like a password security expert to walk you through the process of running a vulnerability scan and/or provide a personalised demo of a secure password policy solution for your business, please get in touch.

You Might Also Read: 

123456 Is Not A Password:

 

« The Challenges Of Moving To Zero Trust
How Long Does It Take Before An Attack Is Detected? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Malwarebytes

Malwarebytes

Malwarebytes provides artificial intelligence-powered technology that stops cyberattacks before they can compromise computers and endpoints.

European Internet Forum (EIF)

European Internet Forum (EIF)

EIF’s mission is to help provide European political leadership for the political, economic and social challenges of the worldwide digital transformation.

CERT-MU

CERT-MU

CERT-MU is the Mauritian National Computer Security Incident Response Team.

Capsule8

Capsule8

Capsule8 is the only company providing high-performance attack protection for Linux production environments.

TROOPERS

TROOPERS

TROOPERS InfoSec event consists of two days of high-end training, followed by a two-day, three-track conference, culminating in Roundtables on the final day.

Resistant AI

Resistant AI

Resistant AI protects against evolving online fraud. We connect the dots to provide a new layer of trust and performance for our clients’ systems.

KryptoKloud

KryptoKloud

KryptoKloud offer a suite of Managed Services including Security Monitoring and Incident Response as well as a full portfolio of Compliance, Governance and Audit solutions.

CyberScotland

CyberScotland

The CyberScotland Partnership is a collaboration of key strategic stakeholders, brought together to focus efforts on improving cyber resilience across Scotland in a coordinated and coherent way.

Panther Labs

Panther Labs

Panther’s mission is to make security monitoring fast, flexible and scalable for all security teams.

Cyware

Cyware

Cyware is the only company building Virtual Cyber Fusion Centers enabling end-to-end threat intelligence automation, sharing, and unprecedented threat response for organizations globally.

Anametric

Anametric

Anametric is developing new technologies and devices for chip scale quantum photonics, with a focus on cybersecurity.

Heron Technology

Heron Technology

Heron Technology are a technology solutions consultancy with core competencies in the areas of Cyber Security and Digital Aviation.

Auriga

Auriga

Auriga create innovative software and have become a benchmark for high quality banking software including cyber security solutions to protect business critical devices.

Arelion

Arelion

Arelion is a leading light in global connectivity and we've been keeping the world connected for nearly three decades.

GO Business

GO Business

GO Business are a specialised B2B team within GO that caters to the communication needs of the local business community in Malta.

NetDescribe

NetDescribe

NetDescribe, part of Xantaro Group, advises and supports companies in building secure and stable IT environments.