Date: 2025-11-26

Most organisations have Active Directory at the heart of their IT infrastructure, and most breaches involve weak passwords, making protecting Active Directory passwords crucial for organisational cyber defence.

This is according to speakers in a webinar on password security hosted by cyber security distributor Solid8 Technologies in partnership with Specops Software – an Outpost24 company – and ITWeb.

Shantanu Srivastava, Head of Global Channels at Outpost24, said: “The password problem is massive. Active Directory is at the heart of the IT infrastructure for over 90% of organisations, with over 500 million active accounts, and 95 million of those accounts under attack every single day. These attacks might include brute force attacks, social engineering, phishing or leveraging leaked lists, and AI is compounding this problem.”

He noted that over 80% of breaches involve brute force attacks or lost and stolen credentials. Adding to the risk was the fact that over 70% of employees re-use their personal passwords at work.

Julien Berteraut, VP of Sales EMEA at Specops Software, said: “Technology advances have significantly reduced the time needed for attackers to crack passwords. At the same time, billions of breached passwords are readily available to attackers. It takes just one weak or compromised password to create risk for the organisation.”

He said best practices to mitigate risk included protecting against brute force password guessing by throttling the rate of attempts, locking devices after more than 10 unsuccessful attempts and multi-factor authentication. Technical controls to manage the quality of passwords should include setting minimum password lengths of at least 12 characters and blocking of common passwords using a deny list. Organisations should also educate users and support them in creating unique passwords for work accounts, and should have established processes in place to change passwords promptly if they know or suspect a password or account has been compromised.

Darren James, Senior Product Manager at Outpost24, demonstrated how Specops Password Auditor helps organisations mitigate password risk. Password Auditor is available as a free version with a database of over a billion breached passwords, and as a paid-for version with over 4.5 billion breached passwords.

Specops Password Auditor allows organisations to audit Active Directory and gain an easy-to-understand view of password-related risks. It checks user accounts and passwords against a database of vulnerable passwords obtained from data breach leaks and also audits the environment for stale or inactive privileged administrator accounts, expired passwords, identical passwords and blank passwords. The Password Auditor assesses the domain password policies against industry standards, cyber security and privacy regulations such as NIST, CJIS, NCSC, ANSSI, CNIL, HITRUST and PCI.

James said: “The Password Auditor can be run completely offline and reports can be exported to a PDF, outlining all the risks and how the organisation can address them.

“However, it doesn’t solve the problem of users creating weak passwords. Many organisations find more than 30% of users have breached passwords, while some find that up to 80% of their employees use breached passwords. In some cases, users may also have identical passwords for multiple accounts. We see password re-use even among admins – for their user account and admin account. It’s not a technical problem – it’s a human problem.”

He demonstrated how Specops Password Policy enables organisations to apply the right password policies to the right people, allowing them to strengthen passwords by choosing between passwords and pass phrases, or making password expiration a rule, based on the length of the passwords or pass phrases. It also features an interface to help users create stronger passwords or pass phrases.

Discover more about password security by visiting the Solid8 page.

You can also access the complimentary freeware Specops Password Auditor directly.