Many businesses are currently looking at how to bolster security across their organization as the pandemic and remote work situation continues to progress towards the end of the year. As organizations continue to implement security measures to protect business-critical data, there is an extremely important area of security that often gets overlooked – passwords.
Weak passwords have long been a security nightmare for your business. This includes reused and pwned passwords. What are these? What tools are available to help protect against their use in your environment?
Different types of dangerous passwords
There are many different types of dangerous passwords that can expose your organization to tremendous risk. One way that cybercriminals compromise environments is by making use of breached password data. This allows launching password spraying attacks on your environment.
Password spraying involves trying only a few passwords against a large number of end-users. In a password spraying attack, cybercriminals will often use databases of breached passwords, a.k.a pwned passwords, to effectively try these passwords against user accounts in your environment.
The philosophy here is that across many different organizations, users tend to think in very similar ways when it comes to creating passwords they can remember. Often passwords exposed in other breaches will be passwords that other users are using in totally different environments. This, of course, increases risk since any compromise of the password will expose not a single account but multiple accounts if used across different systems.
Pwned passwords are dangerous and can expose your organization to the risks of compromise, ransomware, and data breach threats. What types of tools are available to help discover and mitigate these types of password risks in your environment?
Tools Available to help with password security
There are a few tools available that can help with password security in your environment by way of API calls as well as utilizing cloud tools, both on-premises or in cloud environments. Let's look at a couple of these.
- "Have I Been Pwned" (HIBP) API
- Azure AD Password Protection – can be used on-premises as well
"Have I Been Pwned" (HIBP) API
The Have I Been Pwned website, operated by security expert Troy Hunt, is a valuable resource for the security community. Troy Hunt has provided a number of resources on the site that allow organizations to make use of and gain awareness of various security threats that exist on the scene today.
The HIBP site was developed in response to data breach events that often happen when user credentials are exposed over and over again with the same passwords. Using HIBP, organizations can discern if passwords in their environment have previously been exposed to data breach events.
Troy Hunt has provided an HIBP API that is freely available and allows making real-time API calls from various software applications to the HIBP API to check passwords used across multiple software forms and many other purposes. Some of the API calls and information that can be returned include the following:
- Getting all breaches for an account
- Getting all breached sites in the system
- Getting a single breached site
- Getting all data classes
Hats off to Troy for providing an excellent resource for the community that can be consumed and used freely to help bolster the security of passwords in their environments.
To properly consume the HIBP API, it does require that organizations have some development skills in-house to make use of the resource. This may be a blocker for many organizations that would like to make use of the resource.
Azure AD Password Protection
Microsoft has provided a tool called Azure AD Password Protection that detects and blocks known weak passwords and their variants. It can also block terms that are specific to your environment, such as blocking passwords that may contain the company name as an example.
The tool can also be deployed on-premises as well and uses the same lists of passwords, including global and custom banned passwords, that are configured in Azure to protect on-premises accounts. Using Azure AD Password Protection employs a mechanism that checks passwords during the password change event for a user to prevent users from configuring weak or otherwise blocked passwords.
 |
| Architectural overview of Azure AD Password Protection (image courtesy of Microsoft) |
Using the Azure AD Password Protection tool provides decent protection, over and above the default protection that you get by simply using Active Directory password policies. However, there are a number of less than desirable aspects to Azure AD Password Protection, including the following:
- It does not include breached passwords – As discussed, breached or pwned passwords are extremely dangerous. There is a chance that some in your organization are using passwords that have been exposed in a previous breach. Azure AD Password Protection has no check for these.
- Custom banned passwords have limits – The currently banned passwords can only contain 1000 words or less and must be (4) characters or more long.
- No control over end-user experience – There is no control over the message that end-users receive when a banned password is rejected with Azure AD Password Protection. They simply see the normal Windows error that the "password did not meet the requirements" error.
Easily protect against pwned passwords
Any protection that can be provided against weak passwords and certain types of banned passwords is better than the alternative of no protection above default password policies. However, there is a tool that can easily shed light on both password reuse and also pwned or breached passwords in your environment.
Specops Password Auditor is a free tool currently offered by Specopssoft that provides IT admins with the ability to scan their environment for many different types of password risks. It helps to overcome the challenges of the aforementioned tools and others that are available.
With Password Auditor, you can find:
- Blank passwords
- Breached passwords
- Identical passwords
- Expiring passwords
- Expired Passwords
- Password policies
- Admin accounts
- Password not required
- Password never expires
- Stale admin accounts
The great thing about the Specops Password Auditor tool is that it continually pulls the latest breached password lists from the Specops' online database so that you are always checking your environment with the latest security information available.
In addition, the tool is an easy Windows installation with no developer skills required to query APIs and provides great visibility to the many different forms of password risks in your environment. This allows mitigating these appropriately.
 |
| Specops Password Auditor provides real-time scans of Active Directory for reused and breached passwords |
In addition, organizations can make use of Specops Password Policy, which allows proactively mitigating password risks in the environment. Using Specops Password Policy, you can create custom and leaked password lists and password hash dictionaries based on Specops more than 2 billion leaked passwords. You can also effectively block popular character substitutions and keyboard patterns.
Concluding Thoughts
Finding breached passwords in your environment should be a priority as part of your overall security plan to bolster end-user security and protect business-critical data. While there are tools available from various sources to help find and block weak passwords, there is generally a barrier of entry to using many of those available for consumption.
Specops provides a really great combination of tools that allows effectively finding breached passwords along with proactively blocking and enforcing password policies that actively check to see if current passwords are found on lists of passwords collected from previous breaches.
By giving due attention to password security in your environment, you make the job of cybercriminals much more difficult. They will not have an easy way into your environment by finding weak passwords.
