Many Internet users reuse the same password across multiple accounts. If that password is stolen from one online service, the user's other accounts are at risk as well, including their account in the company's Active Directory (AD). Learn how to keep compromised passwords out of AD.
Convenience compromises security
When it comes to passwords, many Internet users in Germany favor convenience over security. More than one in three online users (36 percent) use the same password for several online services, according to a representative survey by the digital association Bitkom. The real figure is probably considerably higher, since many users will not admit to the practice.
“A single password for several online services is a major security risk,” says Teresa Ritter, Bitkom expert for IT security. “Once such a universal password is cracked, cybercriminals can take over several users’ digital identities at once.”
Unfortunately, that is exactly what happens: passwords are stolen from online services in large quantities, and almost every day a new data leak becomes known that exposes passwords to third parties. At the end of February 2020, for example, AnimeGame suffered an incident in which email addresses and passwords were captured; almost 1.5 million user accounts were affected.
If the affected users also used the stolen passwords for other services, or even in AD, those accounts are at risk too. The same applies to any data leak in which passwords are exposed.
Regulators warn of compromised passwords
For many years, "stolen" account credentials have repeatedly been published or sold. In many cases this is facilitated by passwords that are not sufficiently secure, as the Bavarian State Commissioner for Data Protection, Prof. Dr. Thomas Petri, among others, has warned.
“Just imagine in concrete terms what it would mean for you personally if your data fell into someone else’s hands because of insecure, easily cracked passwords,” Petri said. “As a result, sensitive data could also be affected, such as bank account details or private chat content.”
Authentication by username and password for both devices and services constitutes a technical and organizational measure under Article 32 of the General Data Protection Regulation (GDPR), explains the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg.
Secure authentication of users is a building block for ensuring the confidentiality, integrity, and availability of data, systems and services in the long term. If responsible parties implement inadequate technical and organizational measures, they may be subject to fines by the competent supervisory authority for data protection.
Stolen passwords can be detected and blocked
Many recent data breaches are the result of compromised passwords. Active Directory's built-in password policy settings (minimum length, complexity, history and maximum age) never compare a new password against known compromised passwords, so they cannot stop a user from choosing one that has already leaked.
Specops Password Policy, on the other hand, rejects any password that is known to be compromised when it is changed in Active Directory. The Active Directory Password Blacklisting Tool provides cloud access to a centralized list of compromised passwords that Specops keeps up to date; an offline version of the list is also available.
With Blacklist Complete, users' passwords are validated online against a list of 2 billion compromised passwords. With Blacklist Express, validation can also be done offline, against a list of 1 billion compromised passwords, once the blacklist has been downloaded.
Blacklist Express prevents a user from changing their password to a compromised one. If a user's existing password is found on the list, they are forced to choose a different, non-compromised password at their next login, and Blacklist Complete can additionally notify the user by email or SMS that a password change is required. This way, compromised passwords are kept out of AD.
What about the AD in your own company?
If you want to check password security in your own AD, you can test it for free. Specops Password Auditor detects security gaps that are specifically related to password settings.
The evaluation does not require an Internet connection once the blacklist database has been downloaded; the comparison is made on password hashes, so no password ever has to leave the domain.
By scanning Active Directory, the tool collects and displays several interactive reports with user and password policy information. The "Blacklisted Passwords" report lists user accounts whose passwords are known to be compromised. Specops Password Auditor thus makes it possible to measure how well the existing policies hold up against an attack that uses compromised passwords.
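The two operations the article describes, rejecting a compromised password at change time (the policy) and reporting accounts whose current password hash is on the list (the audit), as an added, self-contained example. This is not Specops code. It assumes a downloaded blacklist in a text format of one uppercase SHA-1 hex digest per line, optionally followed by ":count" (the number of breach occurrences); the sample list and the account hashes are constructed for the example, and a real audit would read NT hashes from the domain controller rather than SHA-1 strings.

```python
"""Offline blacklist check for a new password, plus an audit of existing
account hashes against the same list.

Added example, not Specops code. Assumptions (not from the article):
the downloaded blacklist is a text file with one uppercase hex SHA-1
per line, optionally followed by ':<count>'; the audit receives each
account's current password hash as a hex string (a real audit would
read NT hashes from AD instead).
"""
from __future__ import annotations

import hashlib
from collections import defaultdict


def sha1_hex(password: str) -> str:
    """Hash a password the way the (assumed) blacklist format does."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample blacklist, NOT real breach data: four well-known weak
# passwords with made-up occurrence counts, in "HASH:COUNT" form.
SAMPLE_BLACKLIST = "\n".join(
    f"{sha1_hex(p)}:{n}"
    for p, n in [("123456", 23597311), ("password", 3730471),
                 ("qwerty", 3946737), ("Summer2020!", 812)]
)


def load_blacklist(text: str) -> dict[str, dict[str, int]]:
    """Index the list by its first five hex characters.

    The prefix/suffix split mirrors the k-anonymity range lookup of online
    breach APIs, so the same index serves a full offline copy or a single
    downloaded range. Each bucket maps the 35-char suffix to its count.
    """
    buckets: dict[str, dict[str, int]] = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, count = line.partition(":")
        digest = digest.upper()
        if len(digest) != 40 or any(c not in "0123456789ABCDEF" for c in digest):
            raise ValueError(f"not a SHA-1 hex digest: {raw!r}")
        buckets[digest[:5]][digest[5:]] = int(count) if count else 1
    return dict(buckets)


def lookup_hash(blacklist: dict[str, dict[str, int]], hex_hash: str) -> int:
    """Return the breach count for a hash, or 0 if it is not on the list."""
    hex_hash = hex_hash.upper()
    return blacklist.get(hex_hash[:5], {}).get(hex_hash[5:], 0)


def is_compromised(blacklist: dict[str, dict[str, int]], password: str) -> bool:
    """Change-time check: the cleartext never leaves this process."""
    return lookup_hash(blacklist, sha1_hex(password)) > 0


def validate_new_password(blacklist: dict[str, dict[str, int]], password: str,
                          min_length: int = 12) -> tuple[bool, str]:
    """Policy applied at password change: length first, then the blacklist.

    Returns (accepted, reason). A complexity rule alone would accept
    'Summer2020!', which is exactly what the list check is for.
    """
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if is_compromised(blacklist, password):
        return False, "appears in the compromised-password list"
    return True, "ok"


def audit_accounts(blacklist: dict[str, dict[str, int]],
                   account_hashes: dict[str, str]) -> list[tuple[str, int]]:
    """'Blacklisted Passwords'-style report over stored hashes.

    Returns (account, breach_count) for every account whose current hash is
    on the list, most widespread password first, then by account name.
    """
    hits = [(user, lookup_hash(blacklist, h)) for user, h in account_hashes.items()]
    found = [(user, n) for user, n in hits if n > 0]
    return sorted(found, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    bl = load_blacklist(SAMPLE_BLACKLIST)
    for pw in ["Summer2020!", "correct horse battery staple"]:
        print(pw, validate_new_password(bl, pw, min_length=8))
    # Constructed account hashes standing in for hashes read from AD.
    accounts = {"alice": sha1_hex("password"), "bob": sha1_hex("Tr0ub4dor&3"),
                "carol": sha1_hex("123456")}
    for user, count in audit_accounts(bl, accounts):
        print(f"{user}: password seen {count} times in breaches")
```

SHA-1 is used here only because it is in the standard library; some public breach corpora also publish the same lists as NTLM hashes, which lets an audit compare the NT hashes stored in AD directly without ever recovering a cleartext password. The prefix index keeps memory per bucket small and, if a range is fetched online instead, only the five-character prefix is ever transmitted.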