How to audit network passwords
(Last updated on February 5, 2021)
The quality of your information security program and the resilience of your overall network often come down to one core element: passwords. Whether you choose to enforce strong passwords or toe the political line and avoid shaking things up with a stricter password policy, any weak passwords will ultimately be uncovered, and quite possibly used against you. That’s not the path you want to go down.
Password security is simple on the surface but gets complicated as you dig in. How do you go about uncovering password weaknesses on your network? It takes more than vulnerability and penetration testing, and more than an annual password audit. There are quite a few moving parts to consider.
It all starts with your philosophy: how you, and executive management, view passwords and their relationship to information security. Are you going to do what’s right? Are you actually doing what’s necessary? Given what’s at stake, and the reality that passwords are often one of the weakest links in IT, you have to look at passwords in a binary fashion. You either do it or you don’t. You either get behind strong passwords or you look the other way and hope there’s no password-related security event down the road. Not unlike diet and health, if you’re going to be truly secure you can’t dabble in what you know is bad for you. It has to become part of your day-to-day work and business culture.
Next, develop a scope and methodology that spells out which passwords are going to be tested and how you’re going to execute the tests. Decide first what you’re going to evaluate. This could include local Windows accounts and Active Directory accounts. It should also branch out, at least eventually, to other systems such as network infrastructure devices (routers, switches, firewalls), web applications, databases and the service accounts that tie them together. If you’re going to have and enforce strong password standards and policies, it needs to be done across the board and long-term. All systems. All users. All accounts. Anything less can leave your environment exposed and creates unnecessary risk for the business.
You then have to determine how you’re going to uncover the weak passwords that currently exist in your environment. This may involve higher-level vulnerability scans, more detailed and targeted password cracking, or an all-out password audit of the credential store inside Active Directory or another directory service. I have found that a combination of all three approaches uncovers the greatest number of password-related vulnerabilities. Even authorized phishing exercises, in which you solicit user passwords via email and web forms, can be a complementary and fruitful addition to this testing, because they show how users actually handle their passwords rather than just how strong the passwords are.
You might start with vulnerability scans of your network hosts, databases and applications. I know it sounds counterintuitive; however, running those scans with user authentication (credentialed scans) will uncover the greatest number of password weaknesses. You’re giving the scanner an open pathway into each system being tested, so it can read local account settings, password policy configuration and stored credentials that an unauthenticated scan can only guess at. Two caveats: the scanning account is itself a high-value credential, so use a dedicated, least-privilege account and protect it accordingly; and a scan is still a snapshot, so treat its findings as a starting point rather than the whole audit. There are also dedicated tools for guessing passwords against live network services, applications and databases. This approach highlights password flaws that traditional vulnerability scanners simply cannot uncover, but because it sends real login attempts it can trigger account lockouts and fill authentication logs, so coordinate it with the owners of the systems and their lockout policies before you run it.
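As an added example, not from the original article, the following Python script shows the offline password-audit step described in the two paragraphs above: it takes a hash dump in the common pwdump/secretsdump line format (user:rid:lmhash:nthash:::), hashes a wordlist once, and reports cracked accounts, blank passwords, accounts whose password is their own username, and a single password shared by several accounts (duplicate hashes). The account names, hashes and wordlist are constructed for the demonstration and are not real data. MD4 is implemented in pure Python because the NT hash is MD4 over the UTF-16LE password and hashlib’s md4 is frequently unavailable on OpenSSL 3 builds.

```python
"""Offline audit of an NT-hash dump: wordlist cracking, blank passwords,
username-as-password, and password reuse across accounts.

The dump below is CONSTRUCTED for this example; it is not real data.
Only run this against hashes you are authorized to audit, and treat the
dump file itself as highly sensitive material."""
import struct
from collections import defaultdict


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). NT hashes are MD4 over UTF-16LE text.
    Implemented here because hashlib's md4 is often missing on OpenSSL 3."""
    mask = 0xFFFFFFFF
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rounds = (
        (F, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        st = [a, b, c, d]
        for fn, k_add, order, shifts in rounds:
            for i, k in enumerate(order):
                idx = (-i) % 4  # each step updates a, then d, then c, then b
                x, y, z = (st[(idx + j) % 4] for j in (1, 2, 3))
                st[idx] = rotl((st[idx] + fn(x, y, z) + X[k] + k_add) & mask, shifts[i % 4])
        a, b, c, d = ((s + t) & mask for s, t in zip((a, b, c, d), st))
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as lowercase hex."""
    return _md4(password.encode("utf-16-le")).hex()


EMPTY_NT_HASH = nt_hash("")  # 31d6cfe0d16ae931b73c59d7e0c089c0: blank password
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"  # LM hash disabled/blank marker

# Constructed sample in pwdump/secretsdump format: user:rid:lmhash:nthash:::
SAMPLE_DUMP = "\n".join([
    f"svc_backup:1105:{EMPTY_LM_HASH}:8846f7eaee8fb117ad06bdd830b7586c:::",  # "password"
    f"guest:501:{EMPTY_LM_HASH}:31d6cfe0d16ae931b73c59d7e0c089c0:::",        # blank
    f"jdoe:1106:{EMPTY_LM_HASH}:{nt_hash('Summer2021!')}:::",
    f"asmith:1107:{EMPTY_LM_HASH}:{nt_hash('Summer2021!')}:::",              # same as jdoe
    f"bwayne:1108:{EMPTY_LM_HASH}:{nt_hash('bwayne')}:::",                   # username as password
    f"admin_ops:1109:{EMPTY_LM_HASH}:{nt_hash('X7#kq!29Lm&vZp')}:::",        # should survive
])
WORDLIST = ["password", "Welcome1", "P@ssw0rd", "Summer2021!"]  # constructed wordlist


def parse_dump(text: str) -> dict:
    """Map username -> lowercase NT hash; skips blank, comment and malformed lines."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and not parts[0].startswith("#"):
            accounts[parts[0]] = parts[3].lower()
    return accounts


def audit(accounts: dict, wordlist) -> dict:
    """Findings: cracked (user -> plaintext), blank (users), reuse (hash -> users)."""
    lookup = {nt_hash(w): w for w in wordlist}  # hash the wordlist once, not per account
    by_hash = defaultdict(list)
    findings = {"cracked": {}, "blank": [], "reuse": {}}
    for user, h in accounts.items():
        by_hash[h].append(user)
        if h == EMPTY_NT_HASH:
            findings["blank"].append(user)
        elif h in lookup:
            findings["cracked"][user] = lookup[h]
        elif h == nt_hash(user):
            findings["cracked"][user] = user
    findings["reuse"] = {h: u for h, u in by_hash.items() if len(u) > 1 and h != EMPTY_NT_HASH}
    return findings


if __name__ == "__main__":
    result = audit(parse_dump(SAMPLE_DUMP), WORDLIST)
    for user, pw in result["cracked"].items():
        print(f"CRACKED  {user}: {pw!r}")
    for user in result["blank"]:
        print(f"BLANK    {user}")
    for h, users in result["reuse"].items():
        print(f"REUSED   {h} shared by {', '.join(users)}")
```

In a real audit you would hand the dump to a purpose-built cracker for speed and rule-based mutation; the point of the script is the analysis around the cracking: blank and username-equals-password checks catch the accounts that break the policy outright, and the duplicate-hash check finds shared passwords without ever recovering the plaintext, which is often the most actionable finding of all.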
Moving forward, you really need an ongoing and repeatable process for enforcing strong passwords and seeking out the weak ones that occasionally sneak into your environment. Most password checks are snapshots in time, so every weak password set between two checks sits exposed until the next one, and that window is hard to defend at the network level and hard to explain after an incident and breach. Having a system that continuously manages and checks passwords, rather than an annual exercise, gives you insight into how well your password policy holds up and how consistently it is enforced, in a way that is both measurable and repeatable.
The important thing is to acknowledge that passwords always have been, and always will be, low-hanging fruit that is constantly being targeted. The proper approach combined with reasonable tools will let you uncover the risks so they can be properly addressed. Taking this approach to passwords, and to virtually anything else in the context of security, is the only sustainable means of achieving and maintaining network resilience.