How to Prevent Pwned and Reused Passwords in Your Active Directory

Many companies are currently considering how to increase security within their organisations as the pandemic and remote-work situation develops towards the end of the year. While companies continue to implement security measures to protect critical business data, one area of critical security is often overlooked: passwords.

Weak passwords have long been a nightmare for businesses. This includes reused passwords and breached (pwned) passwords. What are they, and what tools are available to protect against their use in your environment?

Different types of dangerous passwords

There are many types of dangerous passwords that can jeopardize your organization. One of the ways attackers compromise an environment is by using breached passwords, which can be used to password spray your environment.

In password spraying, only a few passwords are tried against a large number of end users. In a password spraying attack, attackers often use databases of breached passwords, also known as pwned passwords, to try these passwords against user accounts in your environment.

The reasoning is that, in many organizations, users tend to think alike when creating passwords they can remember. Passwords exposed in other breaches are often the same passwords used by other users in totally different environments. This of course increases the risk, because if a password is used in different systems, a compromise of that password endangers several accounts, not just one.

Breached passwords are dangerous and can jeopardize your organization through compromise, blackmail and hacking. What tools are available to identify and mitigate the risks associated with the use of such passwords in your environment?

Tools available to assist with password protection

There are several tools that can help secure passwords in your environment, ranging from API calls to cloud-based tools, both on-premises and in the cloud. Let’s take a look at some of them.

  • Have I Been Pwned API
  • Azure AD Password Protection – can also be used on-premises

Have I Been Pwned (HIBP) API

Run by security expert Troy Hunt, the Have I Been Pwned website is a valuable resource for the security community. Troy Hunt has made available on his website a number of tools that enable organizations to obtain and use information about the various security threats that exist today.

The HIBP site was developed in response to data breaches, which often occur because user accounts are exposed again and again with the same passwords. By using HIBP, organizations can determine whether passwords in their environment have ever been exposed in a data breach.

Troy Hunt has provided a freely available HIBP API that allows real-time calls from different software applications to validate passwords and for many other purposes. The API calls and the information they can return are as follows:

  • Getting all breaches for an account
  • Getting all breached sites in the system
  • Getting a single breached site
  • Getting all data classes
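As an added example (not code from the original article or from HIBP itself), here is how a defender would check a password against the HIBP Pwned Passwords corpus using its k-anonymity range endpoint: only the first five hex characters of the password's SHA-1 hash leave the machine. The range response below is constructed so the example runs offline; the real endpoint URL and the SHA-1 prefix of "password" are genuine, the breach counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint

# Constructed stand-in for one range response. The real endpoint returns
# hundreds of "SUFFIX:COUNT" lines per prefix; 5BAA6 is the genuine first
# five SHA-1 hex chars of "password", the counts here are invented.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of "password"
        "3F4D2ECE4AF5B9E5ED4C9B4A0D0F4B1E7A9:12",
    ]),
}


def sample_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP call; unknown prefixes yield no matches."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Query the real k-anonymity endpoint (network access required)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = sample_fetch) -> int:
    """Return how often `password` appears in the Pwned Passwords corpus.

    Only the 5-char hash prefix is sent; the cleartext password and the full
    hash never leave the machine, so the check is safe to run on real accounts.
    """
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)  # padded responses may carry count 0
    return 0


def is_pwned(password: str, fetch: Callable[[str], str] = sample_fetch) -> bool:
    return pwned_count(password, fetch) > 0
```

Pass `fetch=live_fetch` to query the real service; the sample fetcher exists only so the logic can be exercised without network access.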

Hats off to Troy, because this is a great resource for the community that can be freely consumed and used to strengthen the security of passwords in your environment.

In order to use the HIBP API, however, organizations must have certain development skills in-house. This can be a bottleneck for many organizations that want to use the resource.

Azure AD Password Protection

Microsoft provides a tool called Azure AD Password Protection that detects and blocks known weak passwords and their variants. It can also block terms specific to your environment, such as passwords that contain the name of your company.

The tool can also be deployed on-premises, where it uses the same password lists, including the global and custom banned password lists configured in Azure, to protect on-premises accounts. When Azure AD Password Protection is in use, passwords are checked at password change time so that users cannot set weak or otherwise banned passwords.

Overview of the Azure AD Password Protection Architecture (image provided by Microsoft)

Using Azure AD Password Protection provides decent protection that goes beyond the standard protection you get by simply using the Active Directory password policy. However, Azure AD Password Protection has a number of less desirable aspects, including the following:

  • It does not check breached passwords – As mentioned above, breached or pwned passwords are extremely dangerous. Some members of your organization may be using passwords that were exposed in a previous breach. Azure AD Password Protection does not check for them.
  • The banned password list has limits – Currently, the custom banned password list can contain a maximum of 1000 terms, and each term must be at least four (4) characters long.
  • Lack of control over the end-user message – You cannot control the message end users receive when Azure AD Password Protection rejects a password. They only see the generic Windows error stating that the password did not meet the requirements.
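To make the banned-list behaviour described above concrete, here is an added example (not Microsoft's code and not from the original article) that models the documented Azure AD Password Protection evaluation: leetspeak normalization, an edit-distance-one fuzzy match, and the point score in which each banned term found counts one point, each remaining character one point, and at least five points are required. It also enforces the custom-list limits named in the article (1000 terms, four characters minimum). As a simplification, the fuzzy match is applied here to the whole normalized password rather than to every substring.

```python
from typing import List, Tuple

# Substitutions that normalization undoes before matching (documented set).
LEET = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})
MIN_SCORE = 5            # documented acceptance threshold
MAX_CUSTOM_TERMS = 1000  # limit cited in the article
MIN_TERM_LEN = 4         # limit cited in the article


def normalize(password: str) -> str:
    """Lowercase and undo common character substitutions (Step 1)."""
    return password.lower().translate(LEET)


def within_edit_distance_one(a: str, b: str) -> bool:
    """True if one insert, delete or substitution turns a into b."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def validate_custom_list(terms: List[str]) -> List[str]:
    """Reject a custom list that breaks the documented limits; return it normalized."""
    if len(terms) > MAX_CUSTOM_TERMS:
        raise ValueError(f"custom banned list exceeds {MAX_CUSTOM_TERMS} terms")
    too_short = [t for t in terms if len(t) < MIN_TERM_LEN]
    if too_short:
        raise ValueError(f"terms shorter than {MIN_TERM_LEN} chars: {too_short}")
    return [normalize(t) for t in terms]


def evaluate(password: str, banned: List[str]) -> Tuple[bool, int]:
    """Return (accepted, score) for a candidate password against banned terms."""
    norm = normalize(password)
    terms = sorted((normalize(t) for t in banned), key=len, reverse=True)
    if any(within_edit_distance_one(norm, t) for t in terms):
        return False, 0  # fuzzy match on the whole password: rejected outright
    score, remaining = 0, norm
    for term in terms:
        hits = remaining.count(term)       # each banned term found: 1 point
        if hits:
            score += hits
            remaining = remaining.replace(term, "")
    score += len(remaining)                # each leftover character: 1 point
    return score >= MIN_SCORE, score
```

With "contoso" and "blank" banned, the password "C0ntos0Blank12" normalizes to two banned terms plus two leftover characters, scoring 4 and being rejected, which matches the published Microsoft example.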

Easy protection against pwned passwords

Any protection against weak passwords and certain types of banned passwords is better than the alternative: no protection beyond the standard password policy. However, there is a tool that can easily shed light on reused passwords and on pwned or breached passwords in your environment.

Specops Password Auditor is a free tool currently offered by Specops Software that allows IT administrators to analyze their environment for many types of password risk. It helps overcome the problems with the tools mentioned above.

With Specops Password Auditor you can find the following:

  • Blank passwords
  • Breached passwords
  • Identical passwords
  • Expired passwords
  • Expiring passwords
  • Password policies
  • Admin accounts
  • Password not required
  • Password never expires
  • Stale accounts

The best thing about Specops Password Auditor is that it continuously retrieves the latest lists of breached passwords from Specops’ online database, so you can always check your environment against the most recent security information available.

What’s more, the tool is a simple Windows installation that requires none of the development skills needed to query an API, and it provides an excellent overview of the many forms of password risk in your environment so that you can remediate them accordingly.

Specops Password Auditor provides real-time Active Directory scanning for reused and breached passwords

In addition, organizations can make use of Specops Password Policy, which proactively reduces the chance of weak passwords in the environment. Specops Password Policy allows you to create custom and leaked password lists and password hash dictionaries based on Specops’ database of more than 2 billion leaked passwords. You can also effectively block the most common character substitutions and keyboard patterns.

Final thoughts

Finding breached passwords in your environment should be a priority in your overall security plan to strengthen end-user security and protect your critical data. While tools from various sources are available to find and block weak passwords, there is generally a barrier to consuming many of them.

Specops offers a great combination of tools that allow you to effectively find breached passwords while proactively blocking them and enforcing password policies that check current passwords against password lists collected from previous breaches.

If you pay the necessary attention to password security in your environment, you will make life much more difficult for cyber criminals, who will no longer be able to break into your environment simply by finding weak passwords.
