

The Danger of Weak Passwords in Your Active Directory


Though nearly 90% of organizations use Active Directory (AD), almost all companies struggle to secure it amid a barrage of attacks by cybercriminals targeting the critical data it handles. One of the issues organizations have yet to address effectively is weak Active Directory passwords.

Active Directory passwords act as the front-door lock for large amounts of sensitive corporate data. According to a report, in 2021 two billion records containing usernames and passwords were compromised, an increase of 35% over 2020. That is why we at Packetlabs insist that companies regularly check for breached passwords.

What is Active Directory (AD)?

Active Directory is a set of services and a database that allow users to connect to various corporate resources. This proprietary Microsoft directory service runs on Windows Server. It permits administrators to manage permissions and privileges for sensitive data and other network resources. Active Directory passwords are the first line of defence against any cyber threat.

A robust Active Directory password, backed by security measures like multi-factor authentication, is necessary. If an attacker compromises the password of an Active Directory admin account, they can change access privileges or steal sensitive corporate data, damaging the organization's business and reputation.

For instance, this report found that Shopify uses weak password policies in its customer-facing website segments. Because of this, Shopify customers could set five-character passwords. Specops researchers found that 99.7% of Shopify users' passwords (one billion) had been breached, and that most of the breached passwords adhered to the minimum password requirement policy.

The danger of weak Active Directory passwords

Since Active Directory provides a cluster of services for accessing sensitive corporate resources, organizations should take proactive measures to secure Active Directory accounts. According to a recent study by Hive Systems, weak passwords, whether on PCs or in any other directory service, can cost the business a great deal. The study also estimated how long a brute-force password-cracking attack takes for varying password lengths and complexities. According to them, a five-character password can be cracked instantly by various brute-force tools.
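To make the length-and-complexity trade-off concrete, here is an added PowerShell example (not from the article or from Hive Systems) that computes the size of a password keyspace and the time an exhaustive search would need at an assumed guess rate. The guess rate of 10 billion per second and the 33-symbol count are assumptions; published tables differ in their absolute numbers because hash algorithm and hardware vary, but the relative effect of adding length and character classes is the point.

```powershell
# Added example, not from the article: estimate how long an exhaustive
# brute-force search of a password keyspace takes at an assumed guess rate.

function Get-KeyspaceSize {
    param(
        [Parameter(Mandatory)][int]$Length,
        [switch]$Lower, [switch]$Upper, [switch]$Digits, [switch]$Symbols
    )
    # Character-class sizes for a US keyboard: 26 + 26 + 10 + 33 (symbols incl. space) = 95.
    $alphabet = 0
    if ($Lower)   { $alphabet += 26 }
    if ($Upper)   { $alphabet += 26 }
    if ($Digits)  { $alphabet += 10 }
    if ($Symbols) { $alphabet += 33 }
    if ($alphabet -eq 0) { throw 'Select at least one character class.' }
    # BigInteger avoids overflow: 95^16 is far beyond Int64.
    return [System.Numerics.BigInteger]::Pow($alphabet, $Length)
}

function Format-CrackTime {
    param(
        [Parameter(Mandatory)][System.Numerics.BigInteger]$Keyspace,
        # Assumed rate, roughly what a GPU rig achieves against a fast, unsalted hash.
        [double]$GuessesPerSecond = 1e10
    )
    $seconds = [double]$Keyspace / $GuessesPerSecond
    if ($seconds -lt 1)        { return 'instantly' }
    if ($seconds -lt 3600)     { return ('{0:N0} seconds' -f $seconds) }
    if ($seconds -lt 86400)    { return ('{0:N1} hours' -f ($seconds / 3600)) }
    if ($seconds -lt 31557600) { return ('{0:N1} days' -f ($seconds / 86400)) }
    return ('{0:N0} years' -f ($seconds / 31557600))
}

# Compare the five-character case from the Shopify example with the
# 12- to 16-character policy the article recommends.
foreach ($len in 5, 8, 12, 16) {
    $lowerOnly  = Format-CrackTime (Get-KeyspaceSize -Length $len -Lower)
    $allClasses = Format-CrackTime (Get-KeyspaceSize -Length $len -Lower -Upper -Digits -Symbols)
    '{0,2} characters  lowercase only: {1,-16} all four classes: {2}' -f $len, $lowerOnly, $allClasses
}
```

Run it as a script; the five-character rows come out as "instantly" for both alphabets, while each extra character multiplies the work by the alphabet size, which is why length does more for you than symbol requirements alone.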

Apart from the danger of account compromise, a weak password policy also creates regulatory compliance problems. Further, every company that accepts credit card payments must adhere to the official PCI Security Standards while doing business. That is why popular security consultancy companies push enterprises and their clients to audit their policies and check for breached passwords.

Start fixing IT security internally to avoid Active Directory attacks

Since cybercriminals target Active Directory passwords to breach and steal sensitive data or network resources, e-commerce companies are the most affected. The most obvious recommendation is to enforce a minimum password length. Also, from a regulatory-compliance and security standpoint, passwords should be long and complex. Since Active Directory runs on Windows Server, the operating system includes account policy settings that help admins determine and control the password length and complexity requirements.
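The account policy settings mentioned above live in the Default Domain Policy and can be read and changed with the ActiveDirectory PowerShell module. The following is an added example (not the article's or Microsoft's code) that audits the domain's default password policy against the 12-character floor the article recommends and lists any fine-grained password policies that override it. The lockout threshold of 10 and the history count of 24 are assumed benchmarks, not values from the article; it needs the RSAT ActiveDirectory module and a domain-joined host.

```powershell
# Added example, not from the article: audit the domain password policy and
# report gaps against the article's recommendations.
Import-Module ActiveDirectory

function Test-DomainPasswordPolicy {
    param(
        [int]$MinLength = 12,           # article recommends 12 to 16 characters
        [int]$MaxLockoutThreshold = 10, # assumed benchmark; tune to your environment
        [int]$MinHistory = 24           # assumed benchmark to block quick reuse
    )
    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); recommend at least $MinLength."
    }
    if (-not $policy.ComplexityEnabled) {
        $findings += 'Password complexity is disabled; enable it to require mixed character classes.'
    }
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled; passwords are stored in a recoverable form.'
    }
    if ($policy.LockoutThreshold -eq 0) {
        $findings += 'LockoutThreshold is 0; online password guessing is not throttled.'
    } elseif ($policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); recommend $MaxLockoutThreshold or fewer."
    }
    if ($policy.PasswordHistoryCount -lt $MinHistory) {
        $findings += "PasswordHistoryCount is $($policy.PasswordHistoryCount); recommend $MinHistory."
    }

    [pscustomobject]@{
        Domain     = $policy.DistinguishedName
        MinLength  = $policy.MinPasswordLength
        Complexity = $policy.ComplexityEnabled
        Lockout    = $policy.LockoutThreshold
        History    = $policy.PasswordHistoryCount
        Findings   = $findings
    }
}

Test-DomainPasswordPolicy | Format-List

# Fine-grained password policies (PSOs) override the default for the users and
# groups they apply to, so a weak PSO on a privileged group undoes a strong default.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold, AppliesTo

# Remediation, once the findings are agreed with the business (uncomment to apply):
# Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -MinPasswordLength 14 -ComplexityEnabled $true
```

The script only reads the policy; the commented Set-ADDefaultDomainPasswordPolicy line shows where the change would be applied after review, since raising the minimum length forces users to comply at their next password change.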

How to protect your organization's network from password breaches and attacks

  1. Penetration testing and security auditing: Organizations should hire third-party security and consultancy companies to conduct a pentest and check for breached passwords and vulnerabilities in Active Directory or other network systems that attackers could compromise.

  2. A strong password is a must: Enterprises should adopt a policy requiring robust passwords of 12 to 16 characters containing uppercase letters, lowercase letters, symbols, and numbers. Enterprises should also require that passwords not be meaningful words or any word taken from a dictionary. This step protects the passwords from dictionary attacks.

  3. Set up policies for customer-facing web services: Enterprises should hire security experts to set up account policy settings, where the admin, together with the security experts, determines the password length and complexity.

  4. Add multi-factor authentication (MFA): Multi-factor authentication adds another layer of security to your Active Directory and network admin accounts. Enterprises should enable MFA that leverages one-time passwords, magic links, biometric authentication, or hardware tokens in addition to passwords. According to Microsoft, MFA can prevent 99.9% of cyberattacks.

  5. Continuous monitoring: Network security professionals should continuously monitor for abnormal behaviour or patterns in account activity. This way, they can more easily detect internal and external threats within the organization's network.
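The "abnormal patterns" worth watching for under step 5 are bursts of failed logons, which is what password guessing against AD accounts looks like in the Security log. Below is an added PowerShell example (not from the article) that runs a sliding-window detector over constructed sample records shaped like event 4625 (failed logon); the threshold of five failures in ten minutes, the account names and the IP addresses are all made up for the example. In production the same objects would be built from Get-WinEvent on a domain controller, as the comment shows.

```powershell
# Added example, not from the article: flag sources with bursts of failed
# logons and classify them as brute force (one account) or spraying (many).
# Production input: Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 }
# on a domain controller, mapped to the same four fields used here.

function New-FailedLogon([string]$Time, [string]$User, [string]$Ip, [string]$Status = '0xC000006A') {
    # 0xC000006A = wrong password, 0xC0000064 = account does not exist
    [pscustomobject]@{ TimeCreated = [datetime]$Time; TargetUserName = $User; IpAddress = $Ip; Status = $Status }
}

# Constructed sample data (not real log data).
$sampleEvents = @(
    # Six failures against one service account from one host in three minutes: brute force.
    New-FailedLogon '2024-01-10T09:00:01' 'svc-backup' '10.0.5.21'
    New-FailedLogon '2024-01-10T09:00:32' 'svc-backup' '10.0.5.21'
    New-FailedLogon '2024-01-10T09:01:05' 'svc-backup' '10.0.5.21'
    New-FailedLogon '2024-01-10T09:01:40' 'svc-backup' '10.0.5.21'
    New-FailedLogon '2024-01-10T09:02:11' 'svc-backup' '10.0.5.21'
    New-FailedLogon '2024-01-10T09:02:58' 'svc-backup' '10.0.5.21'
    # Five different accounts from one external source in two minutes: password spraying.
    New-FailedLogon '2024-01-10T11:15:00' 'a.smith'  '198.51.100.7'
    New-FailedLogon '2024-01-10T11:15:20' 'b.jones'  '198.51.100.7'
    New-FailedLogon '2024-01-10T11:15:41' 'c.wong'   '198.51.100.7'
    New-FailedLogon '2024-01-10T11:16:03' 'd.patel'  '198.51.100.7'
    New-FailedLogon '2024-01-10T11:16:30' 'nobody'   '198.51.100.7' '0xC0000064'
    # Two typos by a real user: below threshold, no alert.
    New-FailedLogon '2024-01-10T08:10:00' 'j.doe' '10.0.7.3'
    New-FailedLogon '2024-01-10T08:10:15' 'j.doe' '10.0.7.3'
)

function Find-FailedLogonBursts {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$Threshold = 5,      # failures per window that raise an alert (assumed)
        [int]$WindowMinutes = 10
    )
    $alerts = @()
    foreach ($group in ($Events | Group-Object IpAddress)) {
        $ordered  = @($group.Group | Sort-Object TimeCreated)
        $accounts = @($ordered.TargetUserName | Sort-Object -Unique)
        # Sliding window anchored at each event: count failures in the next $WindowMinutes.
        foreach ($e in $ordered) {
            $windowEnd = $e.TimeCreated.AddMinutes($WindowMinutes)
            $inWindow  = @($ordered | Where-Object { $_.TimeCreated -ge $e.TimeCreated -and $_.TimeCreated -lt $windowEnd })
            if ($inWindow.Count -ge $Threshold) {
                if ($accounts.Count -gt 1) { $pattern = 'password spray' } else { $pattern = 'brute force' }
                $alerts += [pscustomobject]@{
                    Source   = $group.Name
                    Start    = $e.TimeCreated
                    Failures = $inWindow.Count
                    Accounts = $accounts.Count
                    Pattern  = $pattern
                }
                break   # one alert per source is enough for triage
            }
        }
    }
    return $alerts
}

Find-FailedLogonBursts -Events $sampleEvents | Format-Table -AutoSize
```

On the sample data the detector raises two alerts, one for 10.0.5.21 classified as brute force and one for 198.51.100.7 classified as a password spray, and stays quiet for the user who mistyped twice. Grouping by source rather than by account is what makes the spray visible, since each individual account only fails once.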


We hope this article has given you a better idea of why strong Active Directory passwords are necessary. To avoid a situation like the one at Shopify, implement strong password policies in the first place.
