Are Compromised Passwords Putting Your Company At Risk?

Brought to you by SpecOps

Passwords have been around for a long time. Today, they are used as the primary authentication method to log in to a computer, network, or website. The computer password is a little over 60 years old. If you think about how much the IT threat landscape has changed in those 60 years, you may (or may not) be surprised at how little password security behaviour has changed.  

Human behaviour is predictable, and that behaviour is evident in the passwords we create. We use familiar terms, and if we’re forced to add complexity, we use l33t speak, or add an exclamation at the end. When asked to change the password, we increment it by one each time. We then use that same password across multiple systems.      

Why is this an issue?   These same passwords are being used by employees to access company data. Anytime there is a data breach, compromised passwords are sold on the dark web, and then used against company networks in password spray attacks. Access can be gained within seconds; starting with a lesser privileged account, and elevated once inside the network. It should be no surprise that lost or stolen credentials equate to over 80% of hacking-related breaches in recent years (Verizon). 

For almost 20 years Microsoft Active Directory (AD) has been the primary means for authentication in a Windows domain network. Sadly, the function of its password policy does little to fix the issue at hand. Third-party alternatives need to be part of the solution. If you haven’t gone down that route, compromised passwords are almost certainly in use in your network. It’s not uncommon to find between 30-80% of users are using them!    

Where do we go from here?   To reduce the risk of successful brute-force password attacks, you’ll need to identify any compromised passwords currently in use, fix them, and prevent the issue from reoccurring.  

The good news.    It’s very easy to identify compromised passwords in AD if you have the right tools. One option is the widely publicised HaveIBeenPwned from Troy Hunt. Coupled with some PowerShell scripting, you can search for over 613 million compromised passwords. The list was last updated in December 2021. 

Free Tool To Find Compromised Passwords  

Better yet a freeware tool.   Specops Password Auditor removes the need for scripts and scans against a constantly updated list of almost 1 billion breached passwords. The findings are presented in an interactive dashboard. You’ll need to alert any users of compromised passwords to change them yourself, but the hard work of identifying them is replaced with a scan that can be set up and completed in a matter of minutes. 

Preventing Weak Or Compromised Password Use Going Forward 

How can we prevent this from happening again in the future? An essential step is raising awareness internally. Educate your users on the risk of compromised passwords. Mention why they should not be reusing the same passwords across systems and websites. Provide examples of what a strong password should look like. Spoiler alert. Longer is stronger and consider a passphrase using three random words making it easier to remember.  

Awareness is only a piece of the puzzle as bad habits may remerge. To create a password policy, fit for today’s threat landscape, you need to be looking at third-party alternatives.

Specops Password Policy works natively within AD. The solution enforces strong passwords with passphrase support and breached password protection. Since compromised passwords are a moving target, Specops uses data used in live attacks throughout the globe to block users from selecting  the same vulnerable passwords in the future.   

Alongside a secure password policy and the ability to detect compromised password use, it is recommended to use two-factor authentication (2FA) as an additional fail-safe. These typically are in the form of one-time-passcodes sent to an authenticator app on your phone with the more advanced factors utilising biometrics.  

If you feel there is a potential issue of compromised passwords in your business, don’t delay and run a compromised password scan first to identify the scale of the problem.

If you would like a password security expert to walk you through the process of running a vulnerability scan and/or provide a personalised demo of a secure password policy solution for your business, please get in touch.

You Might Also Read: 

123456 Is Not A Password:

 

« The Challenges Of Moving To Zero Trust
How Long Does It Take Before An Attack Is Detected? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

WEBINAR: 2024 and Beyond: Top Six Cloud Security Trends

April 4, 2024 | 11:00 AM PT: Join this webinar to find out about six emerging trends dominating the cloud cybersecurity landscape.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

Rambus Security Division

Rambus Security Division

Rambus Security Division solutions span areas including tamper resistance, content protection, network security, mobile payment, smart ticketing, and trusted provisioning services.

Aeriandi

Aeriandi

Aeriandi is a leading provider of hosted PCI security compliance solutions for call centres, trusted by high street banks and major Telcos.

DNV

DNV

DNV are the independent expert in assurance and risk management. We deliver world-renowned testing, certification and technical advisory services.

Referentia

Referentia

Referentia leads the development of critical infrastructure solutions that benefit society, including cyber security and network performance management.

Ignyte Assurance Platform

Ignyte Assurance Platform

Ignyte Assurance Platform™ is a leader in collaborative security and integrated GRC solutions for global corporations in Healthcare, Defense, and Technology.

42Gears

42Gears

42Gears is a leading Unified Endpoint Management provider. Secure, monitor and manage tablets, phones, desktops and wearables.

Cycode

Cycode

Cycode is the industry’s first source code control, detection, and response platform.

German Accelerator

German Accelerator

German Accelerator supports high-potential German startups in successfully entering the U.S. and Southeast Asian markets.

SecureThings

SecureThings

SecureThings focus is to provide guidance and technology to secure connected vehicles in order to build end-to-end security for the automotive industry.

NeuVector

NeuVector

NeuVector, the leader in Full Lifecycle Container Security, delivers uncompromising end-to-end security from DevOps vulnerability protection to complete protection in production.

GoVanguard

GoVanguard

GoVanguard is an boutique information security team delivering robust, business-focused information security solutions.

Ross & Baruzzini

Ross & Baruzzini

Ross & Baruzzini delivers integrated technology, consulting, and engineering solutions for safe, sustainable, and resilient facilities.

LAVAAT

LAVAAT

At LAAVAT, our goal is to make it easy for our customers to build secure IoT devices without a need to invest considerably in embedded security and cryptography expertise.

Secfix

Secfix

Secfix helps companies get secure and compliant in weeks instead of months. We are on a mission to automate security and compliance for small and medium-sized businesses.

Galvanick

Galvanick

Galvanick enables your operations and IT teams to protect your industrial systems and networks against digital threats.

Pistachio

Pistachio

Pistachio is the new evolution of cybersecurity awareness training and attack simulations.