AD Password Reuse and Hygiene


Why AD Password Reuse and AD Password Hygiene Issues Are Critical for Organizations

Active Directory Password Protection (ADPP) is one of the most crucial security capabilities of Scirge, because the vast majority of successful breaches happen due to compromised credentials. Also, the default password hygiene capabilities, such as password complexity checks built into Active Directory, are quite limited and don’t provide the granularity that organizations require. Scirge provides web and Active Directory (AD/LDAP) password hygiene checks and password reuse detection in a completely transparent way without any user interaction and zero to minimal backend infrastructure integration needs.

Multi-factor authentication (MFA) is not a silver bullet against credential-related threats like password reuse or account takeover. Even though Microsoft and other LDAP services may provide MFA solutions, passwords are always one of the factors and once any factor gets compromised, MFA is reduced to a single factor. Also, the password is the most convenient fallback option in case a new device is being onboarded, or a hardware token is lost. There are many services that are not prepared to support MFA; hence passwords must be used on these services.

The primary attack vector for ransomware, and one of the prime targets of phishing emails, is passwords, and ultimately the AD accounts behind them. It’s no wonder account takeovers using stolen credentials are among the top attack vectors leading to high-impact campaigns. Due to password reuse and account takeover attacks, organizations keep falling victim to breaches that cost millions, without attackers exploiting any code for the initial remote access. This is especially true when an employee reuses corporate credentials on third-party cloud web services and SaaS apps, one of the major risks of Shadow IT. For adversaries, it’s easier to breach these third parties, or simply to look for already-breached data online or on dark web forums, than to go directly against the organization’s published resources.

How to steer clear of compromised and reused Active Directory passwords

Unfortunately, there are no magic pills. It takes several steps and thinking outside the box. This is Scirge in four steps:

  1. The first step is to make sure that AD passwords comply with common-sense password strength rules and are not easy to guess. When Active Directory passwords are used to authenticate in the browser for an AD-integrated service, we immediately check for complexity issues based on granular rules that go beyond Active Directory’s built-in complexity policy. For instance, Active Directory lacks the basic ability to block sequential or repeating characters such as ‘qwerty’, ‘abcd’ or ‘aaaa’ within passwords.
  2. But a strong password is not yet a safe one if it has been reused multiple times. Even researchers sometimes ponder how credentials were stolen before a given breach, but one thing is certain: they must somehow have come from the user who created them. It could be a malware-infected endpoint, a successful phishing attack, or a breached third-party website where the same email/password combination was used. Once employees start using a strong Active Directory password, reusing it elsewhere becomes a natural bad habit: after all, if the organization deems it secure, it must be great everywhere else, right? When an AD password gets reused in different web apps, it will eventually get breached along with the email address used in Active Directory. So, checking against known breach databases is the second step we must take immediately to prevent breaches resulting from insecure credentials. As a side note, reusing corporate Active Directory passwords in private accounts is even scarier, as it is so simple to correlate private and business emails with the vast amounts of social data available. Scirge also provides a way to address this issue while maintaining employee privacy.
  3. But can we go beyond that and be proactive? Yes, we can, and we should. Scirge is able to detect securely and transparently when an employee reuses the corporate Active Directory password in a SaaS app or in any cloud-based web service, be it Shadow IT or a sanctioned app. Employees and relevant IT personnel can be warned immediately, and a password reset can be triggered automatically, so when that third party eventually gets breached, those passwords or password hashes will be worthless. This is the single most important step in preventing corporate Active Directory password breaches. Don’t let passwords be reused online; educate employees and detect when corporate AD password reuse happens, because once a password is out there, all control over its life cycle is lost. Essentially, when an AD password is used anywhere outside of its legitimate scope, it should be considered breached immediately.
  4. As third-party accounts are not managed by IT departments, employees need to revisit them to establish their own password hygiene. Scirge warns and educates employees about always using unique and strong passwords, gives exact feedback about which accounts they should reset due to reuse, and may also suggest a routine of changing online passwords every year or two. Thus, the final step is employee education and awareness. Because no control is complete without vigilant and capable employees, it’s our mission to help educate people about risks and best practices. We do this via in-browser notifications and follow-ups via email, SMS or any other preferred channel, to make sure that good behavior becomes a good habit for all employees.
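The first three steps above describe three distinct checks: strength rules beyond AD's built-in policy (sequential and repeated runs), a lookup against a known-breach corpus, and detection of the AD password being submitted to a third-party site. The following Python is an added illustration of how such a pipeline can be built; it is not Scirge's code and says nothing about how Scirge implements these checks. The breach corpus, the sample passwords and the HMAC key are constructed values for this example. The breach lookup mimics a prefix-range query, so only the first five hex characters of the SHA-1 digest would ever be sent to a lookup service, and the reuse check compares keyed hashes rather than passwords, so neither the stored AD fingerprint nor the comparison reveals the password itself.

```python
"""AD password hygiene pipeline: strength rules, breach lookup, reuse detection.

Constructed example (not Scirge's code). The breach corpus, sample passwords
and DEMO_KEY below are made-up values for demonstration only.
"""
import hashlib
import hmac
import re
from typing import Callable, Dict, List, Tuple

# Keyboard/alphabet runs that AD's default complexity policy does not reject.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_sequential_run(password: str, length: int = 4) -> bool:
    """True if `length` consecutive characters form a forward or reversed run
    of a known sequence, e.g. 'abcd', 'qwer' or '4321'."""
    p = password.lower()
    for i in range(len(p) - length + 1):
        chunk = p[i:i + length]
        if any(chunk in seq or chunk[::-1] in seq for seq in SEQUENCES):
            return True
    return False


def has_repeated_run(password: str, length: int = 3) -> bool:
    """True if one character repeats `length` or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (length - 1), password) is not None


def strength_issues(password: str, min_len: int = 12) -> List[str]:
    """Step 1: granular strength rules. Returns a list of human-readable issues."""
    issues = []
    if len(password) < min_len:
        issues.append(f"shorter than {min_len} characters")
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        issues.append("fewer than 3 character classes")
    if has_sequential_run(password):
        issues.append("contains a sequential run (e.g. 'abcd', 'qwerty')")
    if has_repeated_run(password):
        issues.append("contains a repeated run (e.g. 'aaa')")
    return issues


# Constructed breach corpus: upper-case SHA-1 hex digests, the form in which
# public breach datasets are usually distributed. Built from sample plaintexts
# here only so the example is self-contained.
_BREACHED_SAMPLES = ("Password123", "Welcome2023!", "Summer2021")
BREACH_CORPUS = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in _BREACHED_SAMPLES}


def breach_range(prefix: str) -> List[str]:
    """Stand-in for a prefix-range lookup: given the first 5 hex chars of a
    SHA-1 digest, return every matching suffix. The full digest never leaves
    the caller."""
    return [h[5:] for h in BREACH_CORPUS if h.startswith(prefix)]


def is_breached(password: str,
                range_lookup: Callable[[str], List[str]] = breach_range) -> bool:
    """Step 2: check the password against the breach corpus via prefix query."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def evaluate_ad_password(password: str) -> Dict[str, object]:
    """Steps 1 and 2 combined, as run when the AD password is seen at login."""
    return {"issues": strength_issues(password), "breached": is_breached(password)}


# Step 3: reuse detection. The AD password is stored only as a keyed hash
# (fingerprint); a password typed into a third-party site is fingerprinted with
# the same key and compared in constant time. Neither side stores plaintext.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def fingerprint(password: str, key: bytes = DEMO_KEY) -> str:
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()


def detect_reuse(site: str, submitted: str, ad_fingerprint: str,
                 key: bytes = DEMO_KEY) -> Tuple[bool, str]:
    """Returns (reused, action). A match means the AD password left its
    legitimate scope and should be treated as breached: notify and reset."""
    if hmac.compare_digest(fingerprint(submitted, key), ad_fingerprint):
        return True, f"AD password reused on {site}: treat as breached, trigger reset"
    return False, ""


if __name__ == "__main__":
    ad_password = "Tr0ub4dor&Hrs!x"          # constructed sample
    print(evaluate_ad_password("qwerty1234!"))   # weak: short + 'qwer' run
    print(evaluate_ad_password("Summer2021"))    # in the constructed corpus
    print(evaluate_ad_password(ad_password))     # passes both checks
    stored = fingerprint(ad_password)
    print(detect_reuse("saas.example", ad_password, stored))
    print(detect_reuse("saas.example", "SomethingElse99!", stored))
```

The prefix-range design is what allows the breach check to run without ever disclosing the candidate password, and the keyed fingerprint is what allows a reuse check without keeping the AD password anywhere in recoverable form; both are the privacy properties a defender should insist on before deploying any such check.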
