Bad password – all it takes to break down the walls
(Last updated on January 10, 2017)
You’ve done your fair share of penetration tests, and you have likely come across this scenario: you captured a single user’s password on a client system, and the next thing you know, you had full administrative access to their entire Windows network!
The password was Summer2016. Weak? Yes! However, it complied with the Windows default password policy. With the “Password must meet complexity requirements” setting enabled, Windows requires characters from at least three of five categories: lowercase letters, uppercase letters, base-10 digits, non-alphanumeric characters (such as ! or $) and other Unicode alphabetic characters (letters from scripts that have no upper or lower case). The same rule rejects a password that contains the user’s account name or any part of the display name longer than two characters, and the Default Domain Policy sets the minimum length to seven characters; nothing in the built-in policy asks whether the password is a dictionary word or has already appeared in a breach. Passwords that satisfy all of this include Password1, Hello123 and Welcome1, since one capital letter plus a trailing digit already covers three categories. If your client thinks these passwords are sufficient to protect their environment, then Houston, we have a problem.
The 2015 Global Security Report by Trustwave, which sampled more than 500,000 passwords, revealed that 77 percent of the cracked passwords complied with the complexity settings of the Windows default password policy. The report further suggests that 38 percent of passwords are only eight characters long, which a brute-force attack can crack in less than a day.
If your client relies only on the Windows default password policy or Fine-Grained Password Policies, advise them to look at a third-party solution that takes password policy beyond what the built-in settings can enforce. Specops Password Policy provides functionality not available in the Windows default or Fine-Grained Password Policies, such as:
- Disallow full or partial usernames in passwords (Windows itself only rejects the whole account name and display-name tokens longer than two characters), runs of consecutive characters, common characters at the beginning or end of passwords, and incremental passwords such as Summer2016 followed by Summer2017
- Passphrase support
- Disallow dictionary words and any passwords from a leaked password list
Dictionary attacks succeed because passwords often contain complete or partial dictionary words. Banning common passwords is a must, and both Microsoft and NIST recommend it. Organizations should not only ban dictionary and common-password lists but also update them every three to six months with newly leaked plaintext passwords and password hashes. If you are worried that forbidding common words will hurt usability, don’t be: Specops Password Policy supports passphrases and can be configured to relax the complexity rules once a password exceeds a set number of characters. Specops Password Policy works seamlessly with Active Directory and plugs into Group Policy. Don’t let your clients wait for a breach to get serious about password security. They can start their free 30-day Specops Password Policy trial here.
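To make the contrast between the two policies concrete, here is an added Python example written for this page; it is not Specops or Microsoft code. It approximates the built-in Windows complexity rule described earlier (three of five character categories, the account-name and display-name check, the Default Domain Policy minimum length of seven) and then layers on the kinds of checks listed for the third-party policy: a banned/leaked list, dictionary substrings, partial-username fragments, runs of repeated or consecutive characters, the “capital first, digits last” shape, incremental passwords, and a length-based relaxation that lets a passphrase through. The banned lists, the account name jsmith, the 20-character passphrase threshold and the shape regex are constructed assumptions for illustration; the category logic follows Microsoft’s documented rule but omits password history, age and Group Policy lookups.

```python
import re

# Constructed stand-ins for a leaked-password list and a dictionary list (illustration only;
# a real deployment would load a file with hundreds of thousands of entries).
BANNED_PASSWORDS = {"summer2016", "password1", "hello123", "welcome1", "qwerty123"}
BANNED_WORDS = ["hello", "password", "summer", "welcome", "winter"]


def windows_complexity_ok(password, sam_account_name, display_name="", min_length=7):
    """Approximation of the built-in 'Password must meet complexity requirements' rule,
    plus the Default Domain Policy minimum length of 7. The five categories are uppercase,
    lowercase, base-10 digits, non-alphanumeric, and other Unicode alphabetic characters."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    # The whole samAccountName is rejected (Windows skips this if the name is under 3 chars).
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        return False
    # Display-name tokens longer than two characters are rejected as well.
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) > 2 and token.lower() in lowered:
            return False
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c in "0123456789" for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(categories) >= 3


def has_sequence(password, run=3):
    """True if `run` adjacent characters ascend or descend by one code point (abc, 321, CBA)."""
    codes = [ord(c) for c in password]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def is_incremental(new_password, old_password):
    """Summer2016 -> Summer2017: same stem, trailing number increased by exactly one."""
    pattern = re.compile(r"(.*?)(\d+)")
    m_new, m_old = pattern.fullmatch(new_password), pattern.fullmatch(old_password)
    if not (m_new and m_old):
        return False
    return (m_new.group(1).lower() == m_old.group(1).lower()
            and int(m_new.group(2)) == int(m_old.group(2)) + 1)


def strict_policy_violations(password, sam_account_name, display_name="",
                             previous_password=None, passphrase_length=20):
    """Return the rules a password breaks under the stricter policy; [] means accepted.
    Passwords of at least `passphrase_length` characters skip the category rule: that is
    the length-based relaxation that lets a long passphrase through."""
    problems = []
    lowered = password.lower()
    if lowered in BANNED_PASSWORDS:
        problems.append("banned: appears in the leaked/common password list")
    for word in BANNED_WORDS:
        if word in lowered:
            problems.append(f"dictionary: contains '{word}'")
    # Partial usernames: any three consecutive characters of the account name.
    sam = sam_account_name.lower()
    if any(sam[i:i + 3] in lowered for i in range(len(sam) - 2)):
        problems.append("username: contains a fragment of the account name")
    if re.search(r"(.)\1\1", password) or has_sequence(password):
        problems.append("sequence: three repeated or consecutive characters")
    # The classic shape: one capital first, lowercase run, digits/symbols only at the end.
    if re.fullmatch(r"[A-Z][a-z]+[\d!@#$%^&*.?]+", password):
        problems.append("shape: capital first, digits or symbols only at the end")
    if previous_password is not None and is_incremental(password, previous_password):
        problems.append("incremental: previous password with its trailing number bumped")
    if (len(password) < passphrase_length
            and not windows_complexity_ok(password, sam_account_name, display_name)):
        problems.append("complexity: fewer than three character categories or too short")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2016", "Smith2016!", "correct horse battery staple"]:
        print(f"{candidate!r}: Windows default -> {windows_complexity_ok(candidate, 'jsmith')},"
              f" strict -> {strict_policy_violations(candidate, 'jsmith') or 'accepted'}")
```

Running it shows the point of the post from both sides: Summer2016 and Smith2016! (for user jsmith) sail through the Windows rule, because the built-in check only looks at the whole account name and counts categories, while the stricter policy flags the leaked entry, the dictionary word, the username fragment and the predictable shape. The passphrase "correct horse battery staple" fails the Windows rule (only two categories) but is accepted by the stricter policy once its length crosses the relaxation threshold.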