Bad password – all it takes to break down the walls
(Last updated on November 29, 2018)
You’ve done your fair share of penetration tests and you have likely come across this scenario – you captured a password for a client system and the next thing you know, you were able to gain full administrative access to their entire Windows network!
The password was Summer2016. Weak? Yes. Yet it satisfied the default Windows password policy. With the "Password must meet complexity requirements" setting enabled, a password must contain characters from at least three of five categories (uppercase letters, lowercase letters, digits, non-alphanumeric characters, and other Unicode letters such as those of Asian scripts) and must not contain the user's account name or parts of the full name. Minimum length is a separate setting, and the Default Domain Policy sets it to just seven characters. Password1, Hello123 and Welcome1 all pass these checks. If your client thinks such passwords are sufficient to protect their environment, then Houston, we have a problem.
The 2015 Global Security Report by Trustwave, which sampled more than 500,000 passwords, found that 77 percent of the cracked passwords complied with the complexity settings of the Windows default password policy. The report also states that 38 percent of the passwords were only eight characters long, a length it estimates can be exhausted by brute force in less than a day. The exact time depends on the hash format and hardware (NTLM hashes are unsalted and fast to compute, so they crack far quicker than slower, salted formats), but an eight-character password gives an attacker with a GPU rig very little to work through.
If your client relies on the Windows default password policy or Fine-Grained Password Policies alone, they should consider a third-party solution to take password policy security further. Specops Password Policy provides functionality not available in the Windows default or Fine-Grained Password Policies, such as:
- Disallowing partial or full usernames in passwords, consecutive identical characters, common characters at the beginning or end of passwords, and incremental passwords (Summer2015 changed to Summer2016)
- Passphrase support
- Disallowing dictionary words and any password that appears on a leaked password list
Dictionary attacks succeed because passwords often include complete or partial dictionary words. Banning common passwords is a must and is recommended by both Microsoft and NIST. Organizations should not only ban dictionary lists but also update them every three to six months with newly leaked plaintext passwords and password hashes. If you are worried that forbidding common words will hurt usability, don't be: Specops Password Policy supports passphrases and can be configured to apply less stringent complexity rules once a password exceeds a configured length. Specops Password Policy works with Active Directory and plugs into Group Policy. Don't let your clients wait for a breach to get serious about password security. They can start a free 30-day Specops Password Policy trial.
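To make the two policies concrete, here is an added example (my own Python, not Specops or Microsoft code) that approximates the Windows complexity rule described earlier and then layers on checks of the kind listed above: username fragments, a leaked-password list, dictionary words, consecutive identical characters, the "capital, word, digits at the end" shape of Summer2016, incremental changes from the previous password, and a relaxed rule for long passphrases. The DICTIONARY and LEAKED sets are constructed sample data, PASSPHRASE_MIN_LENGTH is an assumed threshold, and the shape regex is my own heuristic; none of these come from the article or from the product.

```python
import re
from typing import List, Optional

# Constructed sample data, not a real corpus: stand-ins for the dictionary and the
# leaked-password list that the article says should be refreshed every few months.
DICTIONARY = {"summer", "winter", "password", "hello", "welcome", "company"}
LEAKED = {"password1", "hello123", "welcome1", "summer2016", "qwerty123"}

# Assumed passphrase threshold; the article only says the length is configurable.
PASSPHRASE_MIN_LENGTH = 16


def windows_category_count(password: str) -> int:
    """Count the five Windows complexity categories present in the password:
    uppercase, lowercase, digits, non-alphanumeric, and other Unicode letters
    (for example CJK characters) that are neither upper- nor lowercase."""
    categories = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
        any(c.isalpha() and not c.isupper() and not c.islower() for c in password),
    ]
    return sum(categories)


def name_tokens(sam_account_name: str, display_name: str = "") -> List[str]:
    """Name fragments Windows refuses inside a password: the account name and any
    display-name token of three or more characters, split on common delimiters."""
    tokens = [sam_account_name] + re.split(r"[ ,.\-_#\t]+", display_name)
    return [t.lower() for t in tokens if len(t) >= 3]


def meets_windows_complexity(password: str, sam_account_name: str,
                             display_name: str = "", min_length: int = 7) -> bool:
    """Approximation of 'Password must meet complexity requirements' (three of
    five categories, no account-name or full-name fragments) combined with the
    separate minimum-length setting, which is 7 in the Default Domain Policy."""
    if len(password) < min_length:
        return False
    lowered = password.lower()
    if any(tok in lowered for tok in name_tokens(sam_account_name, display_name)):
        return False
    return windows_category_count(password) >= 3


def is_incremental(new: str, previous: Optional[str]) -> bool:
    """True if the new password is the old one with only its trailing number
    changed (Summer2015 -> Summer2016), a change that password history does not stop."""
    if previous is None:
        return False
    m_new = re.fullmatch(r"(.*?)(\d+)", new)
    m_old = re.fullmatch(r"(.*?)(\d+)", previous)
    return bool(m_new and m_old
                and m_new.group(1).lower() == m_old.group(1).lower()
                and m_new.group(2) != m_old.group(2))


def policy_violations(password: str, sam_account_name: str, display_name: str = "",
                      previous: Optional[str] = None) -> List[str]:
    """Apply checks of the kind the article lists on top of Windows complexity.
    Long passwords are treated as passphrases: the category and dictionary-word
    rules are relaxed for them, but the leaked-list and username rules still apply.
    Returns the list of violated rules; an empty list means the password passes."""
    lowered = password.lower()
    violations: List[str] = []
    is_passphrase = len(password) >= PASSPHRASE_MIN_LENGTH

    if not is_passphrase and not meets_windows_complexity(password, sam_account_name, display_name):
        violations.append("fails Windows complexity")
    if any(tok in lowered for tok in name_tokens(sam_account_name, display_name)):
        violations.append("contains part of the username or full name")
    if lowered in LEAKED:
        violations.append("appears on the leaked-password list")
    if not is_passphrase:
        for word in sorted(DICTIONARY):
            if word in lowered:
                violations.append(f"contains dictionary word '{word}'")
    if re.search(r"(.)\1\1", password):
        violations.append("three or more consecutive identical characters")
    # The 'capital letter, word, digits or symbol at the end' shape of Summer2016
    # and Password1 is exactly what cracking rule sets generate, so disallow it too.
    if re.fullmatch(r"[A-Z][a-z]+[0-9!@#$%^&*]{1,4}", password):
        violations.append("common structure: capital, word, digits or symbol at the end")
    if is_incremental(password, previous):
        violations.append("only the number changed since the previous password")
    return violations


if __name__ == "__main__":
    for candidate in ["Summer2016", "Password1", "Hello123", "correct horse battery staple"]:
        print(candidate,
              "| Windows complexity:", meets_windows_complexity(candidate, "jsmith", "John Smith"),
              "| violations:", policy_violations(candidate, "jsmith", "John Smith", previous="Summer2015"))
```

Running it shows the article's point: Summer2016, Password1 and Hello123 all pass `meets_windows_complexity`, yet each is rejected by the leaked list, the dictionary check and the structure rule, while a four-word passphrase that would fail the three-category test is accepted because the length-based relaxation applies. In a real deployment the two sets would be loaded from a maintained breach corpus and word list rather than hard-coded, and the threshold tuned to the organization's policy.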