Effortless Password Audits

Paul Price

01 November 2018

Passwords. They are the keys to our digital kingdoms. And these days most organisations will have security controls in place, such as 2 Factor Authentication, to complement the traditional password and help prevent credential stuffing attacks. (sidenote: did you know that 2FA deployed on your Exchange server can be effortlessly bypassed?)

But that doesn't mean we can relax the rules around passwords. They still play a huge part in protecting our data. According to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related data breaches involve leveraging stolen and/or weak passwords.

And yet I see time and time again organisations enabling "complex" password composition rules and considering the job done. But these rules don't go far enough. Passwords such as Passw0rd, London18 and Qwerty123 would meet most organisations' complexity requirements, and would be amongst the first attempted in a brute-force attack. When conducting security audits I still regularly see passwords containing the company name or office address, e.g. Acme2018 or 17StationRoad.

This is why you should be auditing your passwords. They can provide invaluable insight into understanding the security awareness levels of your staff. A large number of users with weak and predictable passwords can suggest cultural issues, inadequate training, and even identify staff with low levels of engagement — something you can begin to fix.

Effortless Audits

The cracking stage of a password audit is always going to be the largest limiting factor in terms of time. You don't need to crack all passwords - just the weak ones - and sometimes cracking on your local machine is sufficient. For larger organisations, it's easy enough to spin up an AWS GPU instance. The p2.16xlarge with 16 GPUs, for example, can work through 130,702 million password candidates per second. Even then it can take a few days to crack upwards of 90%.

You then need to analyse the cracked passwords and determine whether they are good or bad. And who wants to manually analyse thousands of passwords, pick out interesting statistics and create various reports?

To make this process less painful, I have developed a tool called cracke-dit ("Cracked It") - free and open-source for all - that extracts password hashes directly from a Windows Domain Controller, analyses the cracked passwords, and outputs the data in various formats. For example, you can produce a password cloud in seconds:

[Image: password cloud generated by cracke-dit, captioned "Passwords for acme.local\"]

A sample output of cracke-dit can be found at the bottom of this post.

Passwords are scored for strength using Dropbox's zxcvbn algorithm, where 0 is a bad password and 4 is a good one. To get an idea of how unique users' passwords are, they are also checked against Have I Been Pwned, using its k-Anonymity range lookup so that the full password (or its hash) is never sent to the service.
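The k-Anonymity lookup described above works by hashing the password with SHA-1 and sending only the first five hex characters of that hash to the Pwned Passwords "range" endpoint; the service returns every suffix it knows for that prefix together with a breach count, and the comparison against the full hash happens locally. The following is an added example, not code from cracke-dit or from Have I Been Pwned: the breach corpus, counts and the `fake_fetch_range` stand-in are constructed so it runs offline, and `fetch_range_http` is the optional real lookup for when you want to run it against the live API.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Constructed breach corpus (NOT real HIBP data): password -> pretend breach count.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "Passw0rd": 123456,
    "London18": 42,
    "Qwerty123": 9876,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_fake_range_index(corpus: Dict[str, int]) -> Dict[str, List[str]]:
    """Group the constructed corpus the way the API does: prefix -> ['SUFFIX:count', ...]."""
    index: Dict[str, List[str]] = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return index


FAKE_INDEX = build_fake_range_index(CONSTRUCTED_BREACH_CORPUS)


def fake_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    assert len(prefix) == 5, "only a 5-character prefix should ever be sent"
    return "\r\n".join(FAKE_INDEX.get(prefix, []))


def fetch_range_http(prefix: str) -> str:
    """Real lookup against the live API (network access required; not used by the test)."""
    assert len(prefix) == 5
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how many times the password appears in the corpus, 0 if unseen.

    Only the 5-character hash prefix is handed to fetch_range; the suffix match
    is done here, so neither the password nor its full hash leaves the machine.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_cracked(passwords: List[str]) -> Dict[str, int]:
    """Map each cracked password to its breach count, as a report column would."""
    return {pw: pwned_count(pw) for pw in passwords}


if __name__ == "__main__":
    for pw, count in audit_cracked(["Passw0rd", "correct horse battery staple"]).items():
        print(f"{pw!r}: seen {count} times")
```

To run it against the live service, pass `fetch_range=fetch_range_http` to `pwned_count`; the offline default keeps the behaviour identical apart from where the range data comes from.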

You can then begin to develop training programmes to improve your staff's password hygiene and general security awareness.

Securing Passwords

One of the golden rules I've learned from my programming background is to never trust user input. The same applies to passwords and you should plan for them to be compromised at some point. Here are 5 things you should be doing:

  1. Ensure that wherever a password is used externally, it has adequate security controls in place such as rate limiting and 2 Factor Authentication. Take into account other factors such as login time, geographical location and IP address, and deny login attempts that fall outside the user's usual pattern.
  2. Teach your users what a good password looks like (hint: a long passphrase). Why is it important? Show examples of good and bad passwords. Make sure this advice is embedded within your induction programme for new joiners.
  3. Gradually increase the minimum password length requirement to a minimum of 10, ideally 12, characters. Longer passwords increase entropy, which means they are (generally) more secure. Consider rolling out a password manager and adequate training to help with this.
  4. Audit passwords monthly (or at least quarterly) to identify training needs for users who are still struggling to create strong passwords. Reward staff who are creating better passwords.
  5. Stop forcing users to reset their password every X days. Yes, it reduces risk but at great cost. Research suggests this leads to users creating weaker passwords over time. Only force users to reset passwords if you believe they have been compromised.

cracke-dit sample output

cracke-dit report for acme.local

Local / Domain users: 4/191
Enabled / disabled users: 186/9
Computer accounts: 2 1.02%
Passwords cracked: 84/197 42.64%
Historic passwords: 0 0.00%

Password composition
Only alphanumeric: 69 35.03%
Only digits: 0 0.00%
With 'special char': 15 7.61%

Top 10 Passwords (by use, score)
Password Length Count Score Pwned Users
Porsche2016 11 2 1 1 acme.local\alika.reamy, acme.local\charlene.pietro
Bollocks35 10 2 1 0 acme.local\eden.theobald, acme.local\tami.priscella
Amanda175 9 2 0 0 acme.local\bernelle.farman, acme.local\lanna.menken
Rasputin2016 12 1 2 0 acme.local\colline.davon
Dragoon2016 11 1 2 0 acme.local\kattie.duff
Prophet2016 11 1 2 0 acme.local\sharia.ramey
Bounce2016 10 1 2 0 acme.local\lauretta.cyn
Groove2016 10 1 2 2 acme.local\shena.fernas
Passwords2016 13 1 1 0 acme.local\cheslie.codd
Godzilla2016 12 1 1 0 acme.local\lenna.mun
Top 10 Worst Passwords (by score, length)
Password Length Count Score Pwned Users
Admiral! 8 1 0 4 acme.local\kimberlyn.wilmott
Beavis24 8 1 0 8 acme.local\leoine.kristi
Bigmac44 8 1 0 8 acme.local\denna.bartel
Briana48 8 1 0 0 acme.local\evangelin.adeline
Casino45 8 1 0 13 acme.local\beverley.donaldson
Chipper! 8 1 0 3 acme.local\janella.popelka
College! 8 1 0 39 acme.local\minny.kinghorn
Connie23! 8 1 0 11 acme.local\glynda.geller
Daniel96 8 1 0 343 acme.local\marlie.maurilla
Ddddddd6 8 1 0 6 acme.local\lanita.marte

Password length distribution
8: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ 32 (16.24%)
9: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ 25 (12.69%)
10: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ 15 (7.61%)
11: ▇▇▇▇▇▇▇ 7 (3.55%)
12: ▇▇▇▇ 4 (2.03%)
13: ▇ 1 (0.51%)

EOF
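The composition and length-distribution sections of the report above are straightforward to reproduce over your own cracked list, and the "company name or year suffix" problem described earlier in the post is worth flagging in the same pass. The following is an added example and not cracke-dit's own code: the `CRACKED` list, the `TOTAL_ACCOUNTS` figure and the `ORG_TERMS` are constructed, and, as in the sample report, percentages are taken against the total number of accounts rather than the number cracked.

```python
import re
import string
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample of cracked passwords (not the acme.local data from the post).
CRACKED: List[str] = [
    "Porsche2016", "Admiral!", "Daniel96", "Ddddddd6",
    "12345678", "Summer2018", "College!", "Acme2018",
]
TOTAL_ACCOUNTS = 20                 # constructed: enabled + disabled accounts in the dump
ORG_TERMS = ["acme", "stationroad"] # constructed: company name / address fragments to flag

YEAR_SUFFIX = re.compile(r"(19|20)\d\d$")


def pct(n: int, total: int) -> str:
    return f"{100 * n / total:.2f}%"


def composition(passwords: Iterable[str], total: int) -> Dict[str, int]:
    """Counts matching the 'Password composition' block of the report."""
    pws = list(passwords)
    return {
        "only_alphanumeric": sum(1 for p in pws if p.isalnum()),
        "only_digits": sum(1 for p in pws if p.isdigit()),
        "with_special": sum(1 for p in pws if any(c in string.punctuation for c in p)),
    }


def length_distribution(passwords: Iterable[str]) -> Dict[int, int]:
    """Length -> number of cracked passwords of that length, ascending by length."""
    counts = Counter(len(p) for p in passwords)
    return dict(sorted(counts.items()))


def predictable(passwords: Iterable[str], org_terms: List[str]) -> List[str]:
    """Passwords built from an organisation term or ending in a four-digit year."""
    flagged = []
    for p in passwords:
        low = p.lower()
        if any(term in low for term in org_terms) or YEAR_SUFFIX.search(p):
            flagged.append(p)
    return flagged


def render_report(passwords: List[str], total: int, org_terms: List[str]) -> str:
    """Text report in the same style as the cracke-dit sample above."""
    comp = composition(passwords, total)
    lines = [
        f"Passwords cracked: {len(passwords)}/{total} {pct(len(passwords), total)}",
        "",
        "Password composition",
        f"Only alphanumeric: {comp['only_alphanumeric']} {pct(comp['only_alphanumeric'], total)}",
        f"Only digits: {comp['only_digits']} {pct(comp['only_digits'], total)}",
        f"With 'special char': {comp['with_special']} {pct(comp['with_special'], total)}",
        "",
        "Password length distribution",
    ]
    for length, n in length_distribution(passwords).items():
        lines.append(f"{length}: {'▇' * n} {n} ({pct(n, total)})")
    lines += ["", "Predictable (org term or year suffix)"]
    lines += [f"  {p}" for p in predictable(passwords, org_terms)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(CRACKED, TOTAL_ACCOUNTS, ORG_TERMS))
```

Feeding the report a cracked-password list per department or office, rather than one list for the whole domain, is the quickest way to turn these numbers into the targeted training the post recommends.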
