Are Compromised Passwords Putting Your Company At Risk?
Brought to you by SpecOps
Passwords have been around for a long time. Today, they are used as the primary authentication method to log in to a computer, network, or website. The computer password is a little over 60 years old. If you think about how much the IT threat landscape has changed in those 60 years, you may (or may not) be surprised at how little password security behaviour has changed.
Human behaviour is predictable, and that behaviour is evident in the passwords we create. We use familiar terms, and if we’re forced to add complexity, we use l33t speak, or add an exclamation at the end. When asked to change the password, we increment it by one each time. We then use that same password across multiple systems.
Why is this an issue? These same passwords are being used by employees to access company data. Anytime there is a data breach, compromised passwords are sold on the dark web, and then used against company networks in password spray attacks. Access can be gained within seconds; starting with a lesser privileged account, and elevated once inside the network. It should be no surprise that lost or stolen credentials equate to over 80% of hacking-related breaches in recent years (Verizon).
For almost 20 years Microsoft Active Directory (AD) has been the primary means for authentication in a Windows domain network. Sadly, the function of its password policy does little to fix the issue at hand. Third-party alternatives need to be part of the solution. If you haven’t gone down that route, compromised passwords are almost certainly in use in your network. It’s not uncommon to find between 30-80% of users are using them!
Where do we go from here? To reduce the risk of successful brute-force password attacks, you’ll need to identify any compromised passwords currently in use, fix them, and prevent the issue from reoccurring.
The good news. It’s very easy to identify compromised passwords in AD if you have the right tools. One option is the widely publicised HaveIBeenPwned from Troy Hunt. Coupled with some PowerShell scripting, you can search for over 613 million compromised passwords. The list was last updated in December 2021.
Free Tool To Find Compromised Passwords
Better yet a freeware tool. Specops Password Auditor removes the need for scripts and scans against a constantly updated list of almost 1 billion breached passwords. The findings are presented in an interactive dashboard. You’ll need to alert any users of compromised passwords to change them yourself, but the hard work of identifying them is replaced with a scan that can be set up and completed in a matter of minutes.
Preventing Weak Or Compromised Password Use Going Forward
How can we prevent this from happening again in the future? An essential step is raising awareness internally. Educate your users on the risk of compromised passwords. Mention why they should not be reusing the same passwords across systems and websites. Provide examples of what a strong password should look like. Spoiler alert. Longer is stronger and consider a passphrase using three random words making it easier to remember.
Awareness is only a piece of the puzzle as bad habits may remerge. To create a password policy, fit for today’s threat landscape, you need to be looking at third-party alternatives.
Specops Password Policy works natively within AD. The solution enforces strong passwords with passphrase support and breached password protection. Since compromised passwords are a moving target, Specops uses data used in live attacks throughout the globe to block users from selecting the same vulnerable passwords in the future.
Alongside a secure password policy and the ability to detect compromised password use, it is recommended to use two-factor authentication (2FA) as an additional fail-safe. These typically are in the form of one-time-passcodes sent to an authenticator app on your phone with the more advanced factors utilising biometrics.
If you feel there is a potential issue of compromised passwords in your business, don’t delay and run a compromised password scan first to identify the scale of the problem.
If you would like a password security expert to walk you through the process of running a vulnerability scan and/or provide a personalised demo of a secure password policy solution for your business, please get in touch.
You Might Also Read: