Passwords continue to be an issue for organizations as users use weak or breached passwords. Just recently, the Canada Revenue Agency (CRA) was the target of a credential stuffing attack that attempted to gain access to 5,500 CRA accounts; some of the attempts were successful. As more credentials are disclosed in new breaches, attacks against passwords will continue to rise, because the growing pool of breached credentials gives attackers more attempts to gain unauthorized access to accounts.

The probability of an employee using an identical or weak password for both their personal accounts and your corporate ones may be higher than you think. However, there are solutions that can prevent this.

Web Application

Other than manually checking each password against a known list (e.g., blocking the top 1000 passwords), there is a free API solution by the creator of haveibeenpwned that allows you to limit the passwords accepted within your web application. It checks the inputted password against half a billion passwords that were previously breached in a unique and secure way, as described below.

Once the password check is completed, you can either educate your user but allow the password change, or force the user to select a stronger password that has not been breached.
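How the range lookup behind that API can be wired into a password-change form, as an added example (not code from the original page or from the API's author): the password is hashed with SHA-1, only the first five hex characters are sent, and the returned suffix list is matched locally. The `evaluate` and `constructed_fetch` helpers, the sample counts and the User-Agent string are assumptions made for this example.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint

def sha1_split(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup: only the 5-character prefix ever leaves the application."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pw-check-example"})  # assumed UA
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")

def breach_count(password, fetch=fetch_range):
    """Times the password appears in the breach corpus (0 if absent)."""
    prefix, suffix = sha1_split(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:  # comparison happens locally
            return int(count)
    return 0

def evaluate(password, fetch=fetch_range, enforce=True):
    """'block' forces a new choice; 'warn' educates the user but allows the change."""
    count = breach_count(password, fetch)
    if count == 0:
        return "accept", 0
    return ("block" if enforce else "warn"), count

def constructed_fetch(prefix):
    """Offline stand-in for the API; the entries and counts are constructed."""
    known = {"Password1!": 1200, "Summer2018": 37}
    lines = ["0" * 35 + ":3"]  # filler suffix that matches nothing
    for pw, n in known.items():
        p, s = sha1_split(pw)
        if p == prefix:
            lines.append(f"{s}:{n}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("Password1!", "Summer2018", "correct horse battery staple 7!"):
        print(pw, evaluate(pw, fetch=constructed_fetch))
```

In production, pass `fetch_range` (the default) and decide explicitly whether a failed lookup should reject the change or let it through.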

Active Directory

To prevent users from using weak or breached passwords during a reset or account creation, SpecOps Software released a password policy tool that plugs into your Active Directory. It includes three controls to ensure passwords are as strong as they can be:

  1. Blocks weak passwords by checking previous breaches. Additionally, allows for the creation of a custom blacklist (e.g., Covid2020!)
  2. Allows for compliance-driven templates to ensure compliance with NIST, SANS or PCI
  3. Blocks common character types at the beginning or end of passwords

More information can be found at https://specopssoft.com/product/specops-password-policy/#block-weak-passwords.

Active Directory Audit

An Active Directory Audit will assess all the passwords within your Active Directory for any deviations from your password policy. Service accounts that never change their passwords would only be picked up by this type of audit. If the previous solution requires months of planning to deploy, the jump to an audit can be done immediately. We also recommend doing an audit even if the previous solution is deployed, to ensure the controls are working as intended.

Completing the audit requires obtaining specific files from the domain controller (e.g., NTDS.dit and SYSTEM files) and using them to obtain hashes. We won’t get into the specifics but the general process involves obtaining and cracking hashes to uncover cleartext passwords. The cracking is dependent on the hardware used to crack, but generally, the weak passwords are cracked within seconds (e.g., mutations of password, welcome, spring, summer, fall, winter). Once the passwords are cracked, analysis can be done to provide value to the exercise. For example, at Packetlabs we use Pipal, which when run on the cracked passwords can provide the following information:

Top 10 passwords:
  • Password1! = 36 (8.14%)
  • Welcome13 = 20 (4.52%)
  • Welcome14 = 12 (2.71%)
  • Summer2018 = 9 (2.04%)
  • Welcome12 = 8 (1.81%)
  • Welcome11 = 6 (1.36%)
  • Welcome09 = 5 (1.13%)
  • Summer2019 = 5 (1.13%)
  • Fall2018!! = 5 (1.13%)
  • Welcome08 = 3 (0.68%)

Top 10 base words:
  • welcome = 68 (15.38%)
  • test = 38 (8.6%)
  • summer = 20 (4.52%)
  • winter = 8 (1.81%)
  • password = 6 (1.36%)
  • fall = 6 (1.36%)
  • covid = 5 (1.13%)
  • spring = 4 (0.9%)
  • king = 4 (0.9%)
  • company = 4 (0.9%)

Password length (count ordered):
  • 10 = 139 (31.45%)
  • 11 = 73 (16.52%)
  • 9 = 67 (15.16%)
  • 8 = 60 (13.57%)
  • 12 = 42 (9.5%)
  • 13 = 31 (7.01%)
  • 14 = 11 (2.49%)
  • 17 = 5 (1.13%)
  • 20 = 5 (1.13%)
  • 15 = 3 (0.68%)
  • 16 = 2 (0.45%)
  • 18 = 2 (0.45%)
  • 19 = 1 (0.23%)
  • 21 = 1 (0.23%)

Password format:
  • One to six characters = 0 (0.0%)
  • One to eight characters = 60 (13.57%)
  • More than eight characters = 382 (86.43%)
  • Only lowercase alpha = 0 (0.0%)
  • Only uppercase alpha = 0 (0.0%)
  • Only alpha = 0 (0.0%)
  • Only numeric = 0 (0.0%)
  • First capital last symbol = 139 (31.45%)
  • First capital last number = 249 (56.33%)
  • Single digit on the end = 46 (10.41%)
  • Two digits on the end = 93 (21.04%)
  • Three digits on the end = 23 (5.2%)

Last number:
  • 0 = 14 (3.17%)
  • 1 = 43 (9.73%)
  • 2 = 24 (5.43%)
  • 3 = 47 (10.63%)
  • 4 = 20 (4.52%)
  • 5 = 9 (2.04%)
  • 6 = 16 (3.62%)
  • 7 = 14 (3.17%)
  • 8 = 44 (9.95%)
  • 9 = 28 (6.33%)

Last 4 digits:
  • 2018 = 29 (6.56%)
  • 2019 = 11 (2.49%)
  • 2009 = 3 (0.68%)
  • 2345 = 3 (0.68%)
  • 3456 = 3 (0.68%)
  • 2025 = 2 (0.45%)
  • 2006 = 2 (0.45%)
  • 2000 = 2 (0.45%)
  • 1990 = 2 (0.45%)
  • 2007 = 1 (0.23%)

Character sets:
  • mixedalphanum: 234 (52.94%)
  • mixedalphaspecialnum: 187 (42.31%)
  • mixedalphaspecial: 2 (0.45%)

Character set ordering:
  • stringdigit: 205 (46.38%)
  • othermask: 197 (44.57%)
  • stringspecialdigit: 27 (6.11%)
  • stringdigitstring: 8 (1.81%)
  • digitstring: 3 (0.68%)
  • stringspecialstring: 1 (0.23%)
  • stringspecial: 1 (0.23%)

The top 10 passwords are common among the audits we conduct and always come as a surprise to clients when they receive the findings. The passwords are compliant with their password policy (e.g., length, capital letter, number, special character), yet they are easy to guess.
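Why a complexity rule alone does not catch these passwords, as an added example that is not part of the original post and is not Pipal's code: each candidate is checked against an assumed complexity policy (minimum length plus three of four character classes), then reduced to a base word and a character-set ordering in the spirit of the report above. The weak base-word list is taken from the findings above; the function names and sample input are constructed.

```python
import re

# Base words taken from the audit findings above
WEAK_BASES = {"welcome", "password", "summer", "winter", "spring", "fall", "covid"}

def meets_policy(pw, min_len=8):
    """Assumed complexity rule: minimum length plus three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3

def base_word(pw):
    """Strip leading and trailing non-letters, then lowercase."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()

def ordering(pw):
    """Collapse a password into a class ordering such as 'stringdigit'."""
    names = {"a": "string", "d": "digit", "s": "special"}
    classes = ["a" if c.isalpha() else "d" if c.isdigit() else "s" for c in pw]
    runs = [c for i, c in enumerate(classes) if i == 0 or c != classes[i - 1]]
    return "".join(names[c] for c in runs)

def audit(passwords):
    """Return (password, base word, ordering) for policy-compliant but guessable entries."""
    findings = []
    for pw in passwords:
        base = base_word(pw)
        if meets_policy(pw) and base in WEAK_BASES:
            findings.append((pw, base, ordering(pw)))
    return findings

# Constructed sample input: three entries from the report plus two controls
SAMPLE = ["Welcome13", "Password1!", "Fall2018!!", "welcome", "T7#kq9!vLx2pZ"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The same `base_word` reduction can back a custom blocklist check at password-change time, so that mutations of a blocked word are rejected along with the word itself.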

Together, these three solutions will ensure proper password controls are deployed across your web applications and end-user systems. If this is a service your organization is looking for or would like additional information about, please contact us.