Password audits have become more difficult. New data breaches expose credentials every day. These are quickly fed into hackers’ cracking dictionaries, changing which passwords you need to keep out.
Verizon’s DBIR found 81% of data breaches were caused by compromised, weak, and reused passwords. Traditional algorithmic complexity rules are no longer considered a key factor in password strength. NIST password guidelines want you to screen for commonly used and compromised passwords.
How can you determine the number of compromised, weak, and reused passwords being used in your organization today? How can you assess your risk from compromised credentials?
Enzoic is pleased to make a free password audit solution available, Enzoic for Active Directory Lite, to help organizations quantify their risk from unsafe passwords in just a few minutes.
A Modern Password Audit
A modern password policy (and therefore a password audit) must screen for commonly used and compromised passwords
Enzoic for Active Directory Lite applies this approach with a free audit of your Active Directory. The audit evaluates your users’ passwords against Enzoic’s proprietary database of 7+ billion vulnerable passwords. Where the audit can find matches, your plaintext passwords would be knowable to attackers.
Discovering Your Vulnerable Accounts
Enzoic’s password database is updated every day with the latest breaches and cracking dictionaries circulating on the dark web. This is done using a combination of human and automated intelligence.
This data is available for any organization with Windows Active Directory to freely use for their risk assessments.
Finding your vulnerable accounts begins by running Enzoic for Active Directory Lite from any 64-Bit Windows Client or Server with a Domain Admin level account. There is no configuration or setup required.
Enzoic’s entire cloud database is compared with each users’ account. This is done using a secure, partial hash comparison to avoid password hashes ever leaving your environment. The process is highly optimized, scanning several thousand users in just a few minutes.
The results identify individual user accounts that have 1) Compromised passwords found in data breaches circulated on the Internet, 2) Weak passwords found in cracking dictionaries used by hackers, and 3) Reused passwords duplicated across your domain.
The audit results display a summary and exportable details listing the specific user accounts and their vulnerability status. The process should be repeated regularly since a password considered safe today can become vulnerable at any time.
Start today by understanding your risk with a password audit using Enzoic for Active Directory Lite.
Next Steps Against Password Vulnerabilities
As an audit tool, Enzoic for Active Directory Lite makes it easy for organizations to get a quick snapshot of their domain’s password security state against the latest breaches and cracking dictionaries. It provides a great baseline for assessing password vulnerability.
The next level of compromised credentials protection should consider:
- How to check passwords at creation/reset. Checking against the most current password database should be built into your Active Directory password policy.
- How to continuously monitor passwords. The process for identifying vulnerable passwords should not be time-based. Action should be triggered when any individual password becomes compromised.
- How to automate remediation. Appropriate notifications and actions to require password reset should ideally be fully automated. This helps reduce burden on IT Staff and ensure timely, consistent risk mitigation.
- How to personalize blacklisted passwords. Passwords should consider users’: a) previous password selections, b) Active Directory fields such as username, and c) various organization specific words. Variations should also be blocked based on predictable transformations, substitutions and appended values. These techniques thwart methods used by persistent attackers and also align with NIST guidelines.
Organizations can solve for each of the above using the full Enzoic for Active Directory solution.