Passwords are commonly one of the biggest weaknesses we find when performing a penetration test. It seems that no matter what password policy you have in place, users will still use Company123, Spring2019, or a keyboard pattern for their password. An attacker can easily guess these and gain access to sensitive resources, or even your internal network via VPN, if those resources are not protected with multi-factor authentication. What makes this problem more difficult for IT professionals is that they are often unaware of their organization’s password-related risks. Short of performing password attacks or audits themselves, they have no visibility into what passwords their users are choosing (and in most cases, you don’t want your IT admins having access to all those passwords anyway). Triaxiom Security offers a password database audit as a way for organizations to quantify and understand their password-related risk. In this blog, we will explore password database audits and some of the benefits they can provide.
What is a Password Database Audit?
A password database audit is an audit of your organization’s current password strength and its resiliency to password attacks. To perform this assessment, Triaxiom will work with you to get a copy of the NTDS.dit file from your Active Directory environment. This is a file on the domain controller that contains the hashed passwords for every domain user. Triaxiom will then take these password hashes offline and perform a myriad of different password attacks to determine what percentage of passwords can be cracked. Check out our blog on the various types of password attacks to understand a bit more about this process. Finally, Triaxiom will perform statistical analysis on the cracked passwords, letting you know what percentage of passwords contain the same base word, what the deviation in password length is, etc.
Why Perform a Password Database Audit?
As mentioned, a password database audit is designed to quantify the risk of passwords in your organization. Some of the key benefits include:
- Getting an understanding of password lengths – If 48% of your employees use an 8-character password, Triaxiom (or an attacker) would be able to brute force (by trying every combination of characters) all of those in less than 48 hours. This might be a good justification to take to management to strengthen the password policy in your organization. Trying to get management buy-in on a 14-character minimum length for all passwords can be difficult, but armed with the right data, this may be an easier sell.
- Get organizational buy-in for multi-factor authentication – Similar to the password length point above, it can be hard to justify the expenditure of rolling out multi-factor authentication across the organization. However, armed with the data that Triaxiom was able to crack 80% of the passwords for all domain accounts, management can better understand the risk and, therefore, are more likely to buy in to the justification.
- Understand help-desk shortfalls – A lot of the time, we’ll uncover that the same password (Password123!) is used abnormally often. Most of the time, this originates from the help desk: they are setting new employee passwords and/or resetting employee passwords to the same value and may not be requiring users to change the password after initial login.
- Understanding the base words your employees are using – Most weak passwords are built from a base word or proper noun with some numbers or symbols scattered throughout. This may be Company123!, Comp@ny!, or CompanyRocks!. Our password database audit will tell you what percentage of passwords are built on base words. Then you can implement a password blacklist that prohibits users from having the word “Company” in their password, for example.
- Better security awareness training – One of our favorite offerings is security awareness training. One thing we’ve observed when conducting security awareness training is that people honestly do not know how to choose a strong password. People are under the misconception that by adding complexity (e.g. replacing every ‘a’ with ‘@’) they are preventing attackers from cracking their password. We recommend using the stats from your password database audit as part of your awareness training and taking some time to teach your employees how to create a password that is hard to crack but easy to remember.
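As an added example (not Triaxiom’s own tooling), the script below shows the kind of statistical analysis described above applied to an already-cracked list: length distribution and the share at 8 characters or less, exact-password reuse (the help-desk tell), and base-word extraction that undoes common substitutions such as ‘@’ for ‘a’. The password list and the watch-word list are constructed for illustration; the organization name “company” stands in for your own.

```python
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed sample of cracked plaintexts, one per domain account, standing in
# for the output of the offline cracking phase. Not real data.
CRACKED = [
    "Company123!", "Comp@ny!", "CompanyRocks!", "Spring2019", "Password123!",
    "Password123!", "Password123!", "qwerty12", "Summer19!", "c0mpany2019",
    "Welcome1", "Fall2019!", "P@ssw0rd", "letmein1", "Company2020",
]
# Hypothetical watch list: the organization's name plus the usual suspects.
WATCH_WORDS = ("company", "password", "spring", "summer", "fall", "winter")
# Common character substitutions users believe add strength.
LEET = str.maketrans({"@": "a", "0": "o", "3": "e", "$": "s"})


def normalize(pw):
    """Lowercase and undo substitutions so 'Comp@ny' and 'company' compare equal."""
    return pw.lower().translate(LEET)


def base_word(pw):
    """Longest alphabetic run after normalization, e.g. 'c0mpany2019' -> 'company'."""
    runs = re.findall(r"[a-z]+", normalize(pw))
    return max(runs, key=len) if runs else ""


def length_stats(pws):
    """Mean, population std deviation, and share of passwords at 8 chars or less."""
    lengths = [len(p) for p in pws]
    return {"mean": round(mean(lengths), 2), "stdev": round(pstdev(lengths), 2),
            "pct_8_or_less": round(100 * sum(n <= 8 for n in lengths) / len(lengths), 1)}


def reused(pws, top=3):
    """Exact passwords shared by more than one account (a help-desk default tell)."""
    return [(p, n) for p, n in Counter(pws).most_common(top) if n > 1]


def base_word_report(pws, watch=WATCH_WORDS):
    """Share containing a watch word, plus the most common base words for a blacklist."""
    hits = sum(any(w in normalize(p) for w in watch) for p in pws)
    return {"pct_with_watch_word": round(100 * hits / len(pws), 1),
            "top_base_words": Counter(base_word(p) for p in pws).most_common(3)}


if __name__ == "__main__":
    print("lengths:", length_stats(CRACKED))
    print("reused:", reused(CRACKED))
    print("base words:", base_word_report(CRACKED))
```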
Password database audits have a number of obvious and not-so-obvious benefits that can help elevate your organization’s security program. From helping garner management buy-in for new security implementations or configuration changes to more adequately training your users, this often-overlooked security assessment can have a big return on investment. If you have any questions, or if you are ready to get started, reach out to us here!