How to Check for Breached Passwords in Active Directory

Written by

As is now evident, 2019 was the worst year on record for data breaches – the number of records exposed grew by 284% compared to 2018. According to the RiskBased Security 2019 Year End Report, there were 7098 breaches reported with over 15.1 billion records exposed in 2019. The report identifies emails and passwords as the most compromised data.

Issues with compromised passwords have been brought to the forefront during the COVID-19 pandemic. Earlier this year, news broke that 500,000 of Zoom’s usernames and passwords were exposed on the Dark Web. Cyber-criminals used compromised credentials from past breaches in a credential stuffing attack against Zoom. The successful logins were then compiled into lists to be sold online. What is worrying is that these passwords are being reused for other systems and could be used to infiltrate more data, causing a domino effect.

The consequences of a breach can include the compromise of sensitive information, brand damage and financial losses. You also risk non-compliance with NIST, NCSC and ICO which advise organizations to use a regularly updated blacklist of common and compromised passwords to protect against new threats. This is why it is so important, now more than ever, to check for leaked passwords in Active Directory.

Password Leak Check in Active Directory

Use the Have I Been Pwned? (HIBP) list: the much publicized HIBP list contains more than 500 million leaked passwords today. Troy Hunt built this collection using real-world data – the passwords were either exposed in breaches or stolen. While the list can be downloaded and checked against your existing AD credentials, it won’t provide your organization with continuous protection – which means you have to re-check user AD accounts whenever there’s a new addition to HIBP, and regularly check any changed Active Directory passwords against the existing list.

Use a Free Password Auditing Tool

This free password auditing tool scans your Active Directory and detects security related weaknesses. You can then extract these key insights:

  • Accounts using known breached passwords
  • Accounts with passwords expiring soon
  • Accounts with expired passwords
  • Accounts with identical or blank passwords
  • Stale/inactive admin accounts
  • How your current password policy compares to other industry and compliance recommendations

Block Out Leaked Passwords at Creation

The easiest way to keep leaked passwords out of your Active Directory is to prevent them from being created in the first place. You can do so by using a password blacklist which should include a list of commonly used and stolen passwords. Some people build password blacklists on their own using leaked passwords from previous breaches or incorporate readily available lists such as the NCSC’s top100,000 most common passwords. Others simply use a password blacklisting service that is continuously updated. Password blacklists vary widely in size, anywhere from only a few dozen common passwords to billions of compromised passwords. Ultimately, your organization will have to decide what number strikes the right balance between improving security and avoiding user frustration.

Add a Second Layer of Security

Even if you regularly scan for leaked passwords or use a password blacklist, user accounts protected only by passwords can still be compromised. Besides credential stuffing, there are other methods to compromise passwords such as phishing, malware and device thefts. Two-factor authentication (2FA) requires a second form of identity verification, along with a password. The second factor is harder to spoof than a password as it often requires something the user has physical access to such as a hardware token or a smart phone with a code. 2FA provides a second layer of protection when user passwords are compromised and should be turned on wherever it is available.

What’s hot on Infosecurity Magazine?