How to find default passwords in Active Directory
What causes identical or default passwords in Active Directory, and how can you find them?
A lot of organizations script the creation of new user accounts to standardize, simplify, and speed up the process. Unfortunately, this can also leave users with the same default password in Active Directory.
Another problem that we frequently see is that users with multiple accounts, e.g. an admin/elevated account and a regular user account, use the same password for both accounts, so that they don’t need to remember more than one password. Even if they are eventually forced to change their passwords, they are not very original, and generally increment the existing one. For example, if their initial password was Summer2020 and they were forced to change it 90 days later you can pretty much guarantee that someone will change it to Autumn2020, or if it was a yearly expiry – Summer2021.
Another scenario that we see regularly is that many service accounts have been given the same password, even though it might be a long, or strong one. While admins should know better, they are only human. As such, we face a potentially huge security issue, especially as these accounts tend to run critical systems, are usually elevated in some way, and typically are set to never expire (and sometimes never to lock out).
I think you can see where I’m going with this!
So, wouldn’t it be good to see who has the same password in your AD? At least then we’d be able to tell if there was a problem to fix (there probably will be).
As the user’s passwords are hashed, this isn’t something we can easily do with native tools, and it’s not very practical (or secure), to go and ask people what their passwords are!
So Specops has the answer for you in Specops Password Auditor or SPA as we call it.
Specops Password Auditor is a great FREE tool that can produce reports about all sorts of things related to your users AD passwords.
First of all, IT DOES NOT CRACK PASSWORDS!
It does look at all the publicly (any authenticated user) available information in your domain e.g. the password policies that you have in place, the expiry times that are set, and so on. If you are running it with a Doman Admin level account, it has the ability to compare the NTHash of every password, and display the users that have the same one set, and if any of those users are elevated accounts (and also the ones that have been previously leaked, but that’s another story!).
So, what does this Identical Password report look like?
You need to run SPA on a Windows Machine that is joined to the domain you want to query, so don’t run it in the root domain and expect to see the results of a child domain. After you install Specops Password Auditor, open it with a domain admin level account, if you run it with a lesser account you won’t see this report. Import the license file that you will have received via email when you signed up for the free download. Choose a DC that is local to the machine you are running the tool against (do not choose one over a WAN connection – it will timeout) and click Start.
You can also use SPA to check your users’ passwords against a database of 730+ million leaked passwords. Even if you don’t want that report. we still need to download the files to run the Identical password check, so make sure you have 5GB of space and download the Breached Password Database to a local Directory e.g. C:\temp\SPA.
Let it do its thing… This only takes a few seconds if you have a chosen a local DC. And click Show Result.
We can see that we have, in total, 87 users that have the same password with as a least one other user in the domain. Let’s drill down a bit further for the details.
So here we can see that our 87 users are split into groups of who’s got the same password. We can see in this example that there are 24 people with the same password in one group but 28, including someone with a Domain Admin level account, in another! Let’s click Details.
This view provides the Display name, SamAccount Name, OU Location, Last Logon date/time, Admin status and which password policy is being applied to that account. You can also export this data to a CSV file if you want to manipulate it e.g. maybe run a script against it.
As we can see some of these users have never logged in, so they are usually the accounts that have been freshly created using a user creation script/process.
We can also see some user and admin accounts that have the same password e.g. vuser and vadmin, this usually means that the user has set the same password for both their accounts – go have a word with these users immediately!
Finally, notice that there is a service account (or 4!) in there meaning you might have some either really unlucky admins who just happened to set the same password or that maybe they were a little lacking in originality when those services were installed.
Either way lots of good info to get your teeth into and help close some of those security gaps.
Of course, if you wanted to make sure that passwords between various accounts were different you could enforce different password policies on administrators, users, or service accounts. To do this, you could use Fine Grain Password Policy, but that doesn’t really give you a lot of options apart from making some longer than others. If you would like true control, take a look at Specops Password Policy, or book a demo with us and we can show you the difference we can make.
(Last updated on January 18, 2021)