A hacker can gain access to a network within seconds with a brute-force password attack if weak or compromised passwords are in use. Ignoring this is like leaving your front door open when you go out.
The bad news is it’s highly likely your users actually are using weak or compromised passwords. The good news is that they can easily be identified, and you can block these passwords from being used in the future.
The computer password recently turned 60 years old, yet for most users today their passwords haven’t really changed with the times. This isn’t entirely their fault. Out-of-the-box password requirements are simply not up to the task of protecting against today’s sophisticated threat landscape.
With some of the most high-profile cyber-security incidents of the past two years involving passwords, this is no trivial matter. It’s imperative that organisations implement password policies sufficient to block weak or compromised passwords, and use additional methods such as two-factor authentication (2FA) for additional fallback security.
Audit to identify password vulnerabilities in your organisation
There is more than one way to audit for compromised passwords. You can check via a RESTful service with HIBP’s list of 613 million breached passwords (last updated December 2021), or run a PowerShell cmdlet against a downloaded file of your choice (such as NCSC’s Top 100k). These methods have their drawbacks due to the time and resources required, but also security implications as the lists quickly become outdated. More work is required to identify additional password vulnerabilities such as inactive accounts or duplicate or blank passwords.
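To make the two audit approaches just described concrete, here is an added Python example (not code from Specops, HIBP or this article). It shows the k-anonymity check used by the Pwned Passwords range API, where only the first five hex characters of a password's SHA-1 hash are sent and the full hash never leaves the machine, alongside a check against a downloaded plain-text list in the style of NCSC's Top 100k, plus the duplicate and blank-password checks the paragraph mentions. All range responses, list contents and account data are constructed stand-ins so the code runs offline; a real audit would fetch `/range/<prefix>` over HTTPS and read password hashes from the directory rather than from constructed plaintext.

```python
import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


EMPTY_SHA1 = sha1_hex("")  # hash of a blank password


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix is ever sent to the service."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one prefix."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


# Constructed stand-in for the range API: prefix -> response body.
# The first suffix is the real tail of SHA-1("password"); the count is made up.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365",
        "0" * 35 + ":3",
    ]),
}


def breach_count(password: str, ranges=SAMPLE_RANGES) -> int:
    """Number of times the password appears in breach data (0 = not found)."""
    prefix, suffix = split_for_range_query(password)
    body = ranges.get(prefix, "")  # a live client would GET /range/<prefix> here
    return parse_range_response(body).get(suffix, 0)


# Constructed excerpt in the style of a downloaded top-N password list.
SAMPLE_LOCAL_LIST = """\
# one plain-text password per line
123456
password
qwerty
"""


def load_breached_list(text: str) -> set[str]:
    """Hash a downloaded plain-text list once so lookups are set membership."""
    return {sha1_hex(line.strip()) for line in text.splitlines()
            if line.strip() and not line.startswith("#")}


# Constructed accounts; in a real audit the hashes come from the directory,
# never from plaintext.
SAMPLE_ACCOUNTS = {
    "alice": sha1_hex("password"),
    "bob": sha1_hex("Winter2024!"),
    "carol": sha1_hex("password"),
    "dave": sha1_hex(""),
}


def audit_accounts(accounts: dict[str, str], breached: set[str]) -> dict[str, list]:
    """Flag compromised, blank and duplicate passwords across accounts."""
    findings = {"compromised": [], "blank": [], "duplicate": []}
    by_hash = defaultdict(list)
    for user, digest in accounts.items():
        digest = digest.upper()
        by_hash[digest].append(user)
        if digest == EMPTY_SHA1:
            findings["blank"].append(user)
        if digest in breached:
            findings["compromised"].append(user)
    for users in by_hash.values():
        if len(users) > 1:  # same hash on more than one account = shared password
            findings["duplicate"].append(sorted(users))
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    print("password seen in breaches:", breach_count("password"))
    print(audit_accounts(SAMPLE_ACCOUNTS, load_breached_list(SAMPLE_LOCAL_LIST)))
```

The range lookup deliberately takes only the prefix, which is the property that makes the HIBP check safe to run against live credentials; the local-list path avoids the network entirely but, as the article notes, goes stale as soon as the downloaded file does.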
Using an automated and dynamic tool to check for password vulnerabilities in your environment is even better.
This free password auditing tool from Specops simplifies the process as it scans your Active Directory within minutes and identifies security-related weaknesses that include:
A quick heads up: it’s not uncommon to find that anywhere between 20 and 80 per cent of users have compromised passwords. After completing the audit, you’ll likely have several key takeaways to remedy, and the users with compromised passwords will need to be contacted to set about changing them.
Reduce the risk of reoccurrence in the future
History, as the saying goes, repeats itself. What we see with passwords is that it’s human nature to follow patterns when choosing them, such as password reuse, incremental passwords or leetspeak substitutions.
Password best practice today emphasises length over complexity as longer passwords are harder to crack (check out NCSC’s #thinkrandom campaign for an introduction). However, alerting users of the importance of strong passwords will not offer the ongoing protection required. Technical controls are needed.
Microsoft’s password policy tools have struggled to keep up with the latest regulatory compliance requirements from bodies such as NIST and NCSC’s Cyber Essentials, particularly with custom dictionaries and the blocking of compromised passwords.
Third-party password policy tools are today essential for complete protection. These tools are also more versatile, user-friendly and feature-rich.
Tools such as Specops Password Policy support passphrases to help users create stronger passwords they can remember, protect against the latest compromised passwords (including those being used in live attacks happening right now) and deliver informative end-user messaging throughout the password creation process.
Would a password attack be successful against your network?
If you audit and block compromised passwords, have a strong password policy in place and use additional authentication methods alongside, you’re covered. It’s very unlikely a password attack would be successful. If you’ve not ticked all those boxes, at least you now know what you need to do to prevent them.
We recommend starting with an audit. Download your free copy of Specops Password Auditor here.
© 2024, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543