How to audit network passwords

(Last updated on March 14, 2019)

The quality of your information security program and the hardiness of your overall network often comes down to the core element of passwords. Whether you choose to enforce strong passwords or toe the political line and not shake things up with complex password policies, any weak passwords will ultimately be uncovered – and quite possibly, used against you. That’s not the path you need to go down.

Password security is somewhat simple on the surface but can become a bit complicated as you dig in further. How do you go about uncovering those weaknesses on your network? It’s more than just vulnerability and penetration testing. Likewise, it involves more than annual password audits. There are quite a few moving parts that you must consider.

It all starts with your philosophy. That is, how you – and executive management – view passwords and their relationship with information security. Are you going to do what’s right? Are you actually doing what’s necessary? Given what’s at stake combined with the reality that passwords are often one of the weakest links in IT, you must look at passwords in a binary fashion. You either do it or you don’t. You either get behind strong passwords or you look the other way and hope that there’s not a password-related security event down the road. Not unlike diet and health, if you’re going to be truly secure, then you can’t dabble in what you know is bad for you. It must become part of your day-to-day work and business culture.

Next, you need to develop a scope and methodology that outlines the specifics of which passwords are going to be tested and how you’re going to execute your tests. You first need to decide what you’re going to evaluate. This could include local Windows passwords and Active Directory passwords. It should also branch out to other systems such as network infrastructure devices, web applications and so on – at least eventually. If you’re going to have and enforce strong password standards and policies, then it needs to be done across the board, long-term. All systems. All users. All accounts. Anything less can leave your environment exposed, creating unnecessary risks for the business.

You then must determine how you’re going to go about uncovering the weak passwords that currently exist in your environment. This may involve higher-level vulnerability scans, more detailed and targeted password cracking, or an all-out password audit that takes place inside Active Directory or another directory service. I have found that a combination of all three approaches uncovers the greatest number of password-related vulnerabilities. Even phishing, where you solicit user passwords via email and web forms, can serve as a complementary and fruitful addition to this testing.

You might start with vulnerability scans of your network hosts, databases, and applications. It may sound counterintuitive, but running such scans with user authentication (credentialed scans) will uncover the greatest number of password weaknesses. This is because you’re giving the scanner an open pathway into each system being tested, which lets it find additional gaps that an unauthenticated scan would miss. There are also dedicated tools for cracking passwords on network services, applications, and databases. This approach can highlight password flaws that traditional vulnerability scanners simply cannot uncover.

Moving forward, you really need to incorporate an ongoing and repeatable process for enforcing strong passwords and seeking out the weak ones that occasionally sneak into your environment. Most password checks are snapshots in time and thus leave a window of exposure: weak passwords set after the check go unnoticed until the next one, which is hard to defend against at the network level and harder still to explain once an incident and subsequent breach occurs. By having a system that truly manages your passwords, you’ll gain insight into password policy resilience and enforcement that’s both measurable and repeatable.
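As an added example (not code from the article or from Specops), here is a small offline audit helper that illustrates the last two points: it takes passwords recovered by a cracking run or directory audit, checks them against an assumed Windows-style complexity policy, and then flags the ones that comply with the policy but are still weak, producing the kind of measurable numbers a repeatable process needs. The policy parameters, the blocklist and the sample accounts are all constructed for the example.

```python
import re

# Assumed policy: Windows-style complexity, at least `min_len` characters
# drawn from at least three of four character classes.
CLASSES = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[!@#$]*$", re.I)
LEET = str.maketrans("@$0134", "asoiea")  # undo common substitutions
# Constructed blocklist; a real audit uses breach-derived wordlists.
BLOCKLIST = ("password", "welcome", "letmein", "qwerty", "acme")
STRONG_LEN = 12  # assumed audit threshold above the policy minimum

def meets_policy(pw, min_len=8):
    classes = sum(any(test(c) for c in pw) for test in CLASSES)
    return len(pw) >= min_len and classes >= 3

def weakness_reasons(pw):
    """Heuristics that catch passwords a complexity policy still accepts."""
    reasons = []
    if SEASON_YEAR.match(pw):
        reasons.append("season+year")
    # Normalise leetspeak and strip non-letters to expose the base word.
    base = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if any(word in base for word in BLOCKLIST):
        reasons.append("blocklisted base word")
    if len(pw) < STRONG_LEN:
        reasons.append(f"shorter than {STRONG_LEN}")
    return reasons

def audit(passwords):
    """Per-account findings: policy compliance plus weakness reasons."""
    return {user: {"compliant": meets_policy(pw), "weak": weakness_reasons(pw)}
            for user, pw in passwords.items()}

def summary(findings):
    """Metrics to track from one audit run to the next."""
    compliant = sum(f["compliant"] for f in findings.values())
    weak = sum(f["compliant"] and bool(f["weak"]) for f in findings.values())
    return {"total": len(findings), "compliant": compliant,
            "compliant_but_weak": weak}

# Constructed sample of recovered passwords (fictional accounts).
SAMPLE = {
    "jsmith": "Summer2016",
    "agarcia": "P@ssw0rd1",
    "bwong": "Tr0ub4dor&3",
    "cdoe": "correct horse battery staple 42",
    "eroe": "acme123",
}
```

Running `summary(audit(SAMPLE))` reports four of five sample passwords as policy-compliant and three of those four as weak, which is exactly the gap a complexity policy alone cannot see.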

The important thing is that you acknowledge that passwords always have been and always will be low-hanging fruit that’s constantly being targeted. The proper approach combined with reasonable tools will allow you to uncover the risks so that they can be properly addressed. Taking this approach to passwords – and virtually anything else in the context of security – is the only sustainable means for achieving and maintaining network resilience.

Written by

Kevin Beaver

Kevin Beaver is an independent information security consultant, writer, professional speaker, and expert witness with Atlanta-based Principle Logic, LLC. With over three decades of experience in the industry, Kevin performs security assessments and consulting work to help businesses uncheck the boxes that keep creating a false sense of security. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. Kevin can be reached at his website www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.

© 2019 Specops Software. All rights reserved. Privacy and Data Policy