Audit Weak Passwords

To enable SSO, many organisations expose their ADFS proxy servers to the internet. These ADFS proxies can be used to brute force domain accounts. Based on your lockout policies, this will lockout users. But what if someone tries only a few attempts per day to ensure that the accounts are not locked out. 

Users will choose passwords that will conform with your password policy but which are easy to remember. In a recent password audit using the DSInternals powershell module, I found that some of the most common passwords that meet the password policy can be easily guessed. 

The standard password policy which requires three of the following four requirements is pretty common - 

• uppercase 
• lowercase
• number
• special character
• minimum 8 characters

Passwords such as Winter17, Summer17, Monday01, Monday02 conform to the above policy. These are also very easy to guess. The ones I found most common are Monday##. This could be because most users start their employment on a Monday and its easy to increment the last number whenever you need to change the password next. The other common passwords are a variation of the initial password that the service desk may set. Unless the service desk uses some random password and you have a mechanism to stop such easy passwords, expect users to use them. 

Your awareness sessions may talk about passphrases or similar options to create longer passwords which are easy the remember and difficult to guess. It may help a handful of users who read the newsletter and like the idea. For the others, auditing the accounts regularly and letting users know that they are using poor passwords is the only option. 

Some things that you should do before you go down the path the password cracking - 

• Make sure you have permission to do this activity
• Figure out what you intend to do once you discover weak passwords - do you have a standard email template to use? 
• Raise the awareness or ensure you have first sent out information on how to create strong passwords or turn on MFA if that is an option. Its easier to point users to this information later.
• If you can use tools like DSInternals to crack passwords on the network then others can as well (if they have the right permissions). Can you detect when someone uses tools like these? See what events are generated on your DC when you run these tools and then make sure you have alerts whenever these events occur.

There was a specific need for the initial password audit, but seeing how common weak passwords are, I think its prudent to do this activity regularly.