How to protect your data from password lists
Without Active Directory password screening, users are free to choose and use vulnerable passwords. In a password attack, this means that any password list can be systematically entered to break into business accounts.
Hackers have access to username and password combinations from multiple breaches. The Collection #1-5 mega leak, for example, gives them access to a dataset of 2+ billion records. A single breach can open the door to other systems anytime a leaked or vulnerable password is reused across services and accounts.
Hackers are not the only ones who can take advantage of a password list. Organizations can stop the ripple effect by using the same password files to block vulnerable passwords in their organization. In practice, Active Directory password screening means banning breached passwords by checking new passwords against the same password lists available to hackers. This prevents users from choosing passwords that are susceptible to these attacks.
What you need to know about password attacks
Organizations use many security controls to decrease their attack surface against password-related threats. Unfortunately, even with advanced password policy settings, Active Directory remains vulnerable.
Hackers have always targeted end-users because they are thought to be the weakest link. Their tactics prey on human interaction, where they trick users into breaking standard security practices. Now, armed with a never-ending collection of credential data, they are banking on user predictability and password reuse.
In addition to carefully crafting phishing emails and cycling through millions of random password permutations in a brute force attack, hackers can also employ a list of high-probability passwords. The passwords can be generated with popular composition patterns, such as character substitutions (P@$$w0rd) and common keyboard patterns (qwerty123). If the attack is aimed at a specific organization, they will create a password list using words relevant to the organization, including its name, location, services, relevant acronyms, or even local sports teams. With a finite and targeted number of guesses, they can hijack an account without triggering a lockout.
For more information about this hacking method, see What is a Password Dictionary Attack?
NIST password screening
When it comes to password security, users can’t seem to deviate from predictable patterns. The National Institute of Standards and Technology (NIST) addresses this in their Digital Identity Guidelines. Instead of blaming password predictability on users, NIST requires more of the authentication systems people use. For many organizations, this can mean Active Directory password screening.
As credentials exposed in one breach can open the door to other systems, NIST requires screening prospective passwords against a list of leaked passwords. If a match is found, the password shouldn’t be allowed. The recommendation is shared with other compliance bodies including the National Cyber Security Centre in the UK.
In addition to banning breached passwords, NIST recommends getting rid of other common practices that hinder user experience. For example, don’t force users to change their password unless there is evidence of compromise. For more information about the recommendations, see our summary of the NIST password guidelines.
NIST Special Publication 800-63B Section 5.1.1.2: When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised.
The 2012 Dropbox breach was the result of password reuse: a Dropbox employee used the same password for their corporate account and for LinkedIn, and that password was obtained via the LinkedIn breach.
Why a password list is important
Until recently, stolen passwords were sold on the dark web for thousands of dollars. Now they are available for free, in plain-text, and billions strong. This means that anyone can break into an account by manually testing a leaked username and password against online logins. Alternatively, they could use a list of common passwords and test against random usernames in the hopes that someone in the organization is using a weak password. In response, organizations need to block the same passwords for their users – or risk data exposure.
You can enhance your password settings by not only blocking leaked passwords, but also high-probability passwords within your organization. Active Directory password screening allows you to relax policy requirements such as character complexity, and expiration periods, while maintaining your desired level of security.
It takes a single leaked password to create risk and potential compromise. While a limited password list of 1000 passwords offers some protection, a larger list will consider billions of passwords, some of which are considered weak solely because they can be found on a leaked password list.
Blocking billions of leaked passwords in your organization can be a manual process. To stay protected against new threats, organizations will need to continually grow and update their list. A third-party password screening service can simplify the process of managing the list of leaked passwords. With the service protecting your organization from leaked passwords, you can focus on building a custom dictionary to cover more targeted attacks.
A custom dictionary should include passwords relevant to your organization – anything containing company name, locations, services, industry terms, and any relevant acronyms. With the right solution in place, you can apply additional settings to ensure users cannot bypass the dictionary with predictable patterns, such as character substitution, the password in reverse, or even adding a number or exclamation mark to the end of the password. For more information, see our Best practices for configuring a custom dictionary.
Specops Password Policy includes an Active Directory password screening service with a continuously updated list of vulnerable passwords. The list contains billions of passwords from major breach incidents, including the Collection leak, and the Have I Been Pwned list compiled by security expert Troy Hunt. During a password change in Active Directory, the service will block and notify users if the password they have chosen is found in a list of leaked passwords. Specops Password Policy makes it easy to keep out vulnerable passwords, and comply with the latest password guidelines.