Uncover the Default Passwords Lurking in Your Active Directory

Written by

Default passwords are a major security vulnerability for businesses, when in use they are leveraged as an entry point for attacks and can allow unauthorized access to systems and sensitive data. In this article, we will explain how this issue presents itself within Active Directory, how you can find default passwords in your organization and what steps you can take to secure your environment going forward.

What are default passwords and why are they a security concern?

Default passwords usually come with a security warning. When hard-coded by manufacturers into devices, they are a well-publicized source of entry by cybercriminals when they remain unchanged. Little is discussed however when this applies to default passwords used within Active Directory and the security risk they pose.

Many companies automate the process of creating new user accounts in Active Directory but it has been discovered that this creates a problem of multiple users having the same default password. In addition to this, where users have multiple accounts, such as an admin account and a regular user account, they often use the same password for both, the obvious reason is it is easier to remember but of course, it is also less secure.

When these users (and users in general) are required to change their passwords, they often only make small changes to their existing passwords that still satisfy the default Microsoft complexity requirements, such as incrementing the number at the end by one or adding an exclamation mark.

For example, if the default password set is Companyname1!, it is not uncommon when the password is changed by the user, they would change it to Companyname2!

This predictable user behavior is an obvious security concern, not only due to the ease of guessing the new passwords but also because duplicate passwords remain in the system.

How to find default passwords in Active Directory

So, how do we find duplicate and default passwords in Active Directory? One of the leading tools to simplify this process is Specops Password Auditor, a free, read-only tool that can be set up to scan for vulnerabilities within minutes.

While this tool doesn't crack passwords, it does reveal which of your users have duplicate passwords. You can then create a new account with a default password and run a report to determine if any other accounts are using the same password.

This report is also useful for identifying service accounts with identical passwords and administrators who use the same password for both privileged and unprivileged accounts.

Offering more than just detecting default passwords, you can also use it to identify accounts that haven't changed their passwords in a while, stale accounts, expired passwords, blank passwords, or passwords that are known to have been compromised.

Preventing the problem from reoccurring

Moving away from setting default passwords for new users and setting strong, unique passwords from the offset is an advisable first step. Security awareness training is also a big piece of the puzzle, but combined with technical controls is the ideal preventative process. Going forward you want to ensure weak, reused, incremented or compromised passwords are prevented. Helping your users set unique, stronger and longer passwords is simplified by leveraging a third-party password policy tool.

Default passwords and common terms can automatically be blocked by using a custom dictionary and compromised credentials can be prevented from being set. Specops Password Policy provides this functionality with a continuously updated compromised password database of over 3 billion passwords which is worth exploring further.  

If you find any default passwords in your AD environment, it is important to change them as soon as possible. For peace of mind going forward, you can test out Specops Password Policy in your Active Directory for free. Alternatively, run a free password vulnerability scan to see if the problem currently exists in your network too.

What’s hot on Infosecurity Magazine?