When it comes to cyber security for critical business resources and data, passwords remain the most common and most favoured system of authentication by organizations around the world. Nevertheless, many individuals habitually use easy-to-remember passwords with common phrases or designations; compounding the issue, they will quite often use the same password over multiple accounts and platforms – this practise is a ticking, security timebomb.
As we highlighted in our review of the Verizon 2020 Data Breach Investigation Report, the use of stolen credentials, or hacking, sits in the number two spot for top threat action varieties in breaches, narrowly outnumbered only by phishing. Delving deeper, according to the report, over 80% of breaches involving hacking involve brute-forcing or the use of stolen credentials. Phishing and weak passwords share one thing in common – the human element. Now, the takeaway from this paper is not to present the idea that passwords or passphrases are particularly bad for defence, however, the inherently involved human element often represents a particularly trivial target for threat actors, hence an extra layer of defence, including an AD password audit, is always recommended. Let’s explain.
For organizations around the globe, Microsoft Active Directory (AD) serves as a primary source of authentication. Unfortunately, over 20 years later, the available group policy password settings remain much the same. That is twenty years for threat actors to create a solution for password cracking managed by these same settings. In 2019, with the Microsoft release of AD Password Protection, many security professionals and executives may have been lulled into a false sense of security. As helpful as AD Password Protection can be, a third-party AD password audit very often reveals some serious shortcomings to the software solution.
What is Azure AD Password Protection?
Azure AD Password Protection is an important add on to Azure AD that was designed to help fill the security gap and support organizations in the mitigation of weak passwords. Basically, Azure AD Password Protection functions as a password filter that denies commonly used, trivial, hackable passwords, including Password123, Qwerty, Abc123, Packetlabs2021! etc.
On a positive note, AD Password Protection can be extended to on-premises AD with the installation of an agent on the domain controllers and a proxy over the internal network. However, when compared to an AD password audit, there are some serious disadvantages to Azure AD Password Protection.
Azure AD Password Protection: Suitable Replacement for an AD Password Audit?
With the impacts of the COVID-19 still rippling across the globe, wave after wave, emergency work-from-home business models and strained information security departments have forced many CISOs to re-evaluate their organizations defenses. Outside of the security of the workplace network, the weaknesses surrounding the aforementioned human element in the workforce have become more important than ever before.
No Azure AD – No Password Protection: If you want the AD Password Protection feature, you will require an Azure AD subscription to enable the sync through Azure AD Connect. As well, if you want to extend the Azure AD Password Protection to on-premises AD, you will require Azure Premium subscription, at least.
Overlooked Patterns: Microsoft uses a complicated scoring method to evaluate passwords and, as a result, even recognizably weak passwords such as “P@cketlabs321!” are able to pass – this is something an AD password audit would flag immediately.
Lack of Continuity: Once a password has passed the initial screening, Microsoft will not review whether it becomes compromised in future.
Reboot Required: From a security standpoint, the installation and configuration in domain controllers can be a complicated process. Unfortunately, once the installation is complete, you must reboot all the domain controllers after each and every upgrade.
Regulatory Drawbacks: Microsoft’s “Global Banned Password List” is not a list of leaked passwords and does not fulfill compliance advice for a “password deny” list. The list does not include or update any third-party data such as ‘Have I Been Pwned’ or other known breached password lists. A major drawback is that the solution does not reference passwords that have been exposed in previous breaches, which is a specific requirement outlined in NIST’s Digital Identity Guidelines. This recommendation is intended to verify that passwords are not found in any cracking dictionaries that could make them trivial for threat actors.
If for nothing else than to underline just how imperative it is to perform an annual AD password audit, it may serve to briefly review NordPass’s list of common passwords for 2020. After analyzing 275,699,516 passwords leaked during data breaches from 2020, NordPass found that the most common passwords are painfully easy to guess – so easy, it could take less than a second or two for attackers to break into accounts using these credentials. Even more concerning, only 44% of those recorded passwords were considered “unique.” The top ten are outlined below:
Figure 1: Top 10 Weak Passwords, NordPass
The critical take home message here is that in order to defend your organization, you must consider both the human element and the ever-evolving nature of the threat landscape. Although a reasonable solution, Azure Password Protection performs relatively poorly in this regard. Remember, when it comes to security, nothing is ever static and according to all credible statistics, year over year, the human element remains your organizations greatest threat – bar none. Azure AD Password Protection should only be considered a supplement to regular AD password audit and Penetration Testing.
Packetlabs Services: AD Password Audit
As one of our core service offerings, in addition to penetration testing, Packetlabs offers a comprehensive AD password audit which involves a full-transparency review of all company passwords. From this review, your security team will be equipped with the data including overall risk level, top used passwords, top used base words, character sets, password length and more. Further, the AD password audit will compare your organizations passwords against the most up to date breach databases and provide tailored recommendations for future password management processes.