Breached Passwords: How to easily identify the Achilles heel in your cyber defence

The risk of a single breached password in use in your Active Directory.

Despite moves to do away with them, passwords aren't going away anytime soon and still stand firmly in your first line of defence against cyber-attacks. Allowing known breached passwords to remain in your organisation is not too dissimilar to removing the password requirement altogether, and effectively giving would-be attackers the keys to your castle.

Once authenticated, hackers can easily elevate privileges and gain further unauthorised access inside your network, becoming a greater risk to your system, employee and customer data and intellectual property. Considering damages, lost time, and potential fines, today's average cost of a data breach to an organisation exceeds £3.3 million.

The bad news is breached passwords are almost certainly being used in your organisation, and it's a bigger and more prevalent issue than you may think. The good news is, there are ways to identify them and prevent the issue from re-occurring going forward.

The breached password problem

Last year, more than 80 per cent of hacking-related breaches were due to weak and breached passwords.

Hackers commonly use brute force techniques like credential stuffing, password spraying or dictionary attacks against user accounts, using large lists of common, weak, and breached passwords acquired online. If any of your users' passwords match those on the list then without additional measures in place, the hacker is authenticated for access to your network.

A misconception here would be that this is only an issue if the credentials within your organisation had been breached themselves; however, you may or may not be surprised to learn that between 50 and 70 per cent of users reuse passwords across both personal and work accounts. The employee who likes to use the same password at work as on the insecure hobbyist forum they joined that recently got hacked is now the reason your company data is at risk.

How to find breached passwords in your organisation

One of the most widely accessible sources of breached passwords is provided by Troy Hunt's HaveIBeenPwned (HIBP) service, which to-date houses over 613 million breached passwords.

Using Active Directory (AD) in this scenario as the leading player for managing users and accounts, it is possible to check for breached passwords against an on-prem HIBP download. Bear in mind that this list exceeds 12GB and checking it can be a cumbersome process.

The UK's cyber security authority, the National Cyber Security Centre (NCSC), took further steps to consolidate this list in the top 100,000 breached passwords configured in AD. Being a smaller file this made the list easier to compare against, although significantly reduced in terms of potential matches used by hackers.

In both cases discussed here, it is important to point out that these breached password lists are not up-to-date, with HIBP last updated in November 2020 at the time of writing; therefore, many recently breached passwords that are more likely to be used in the latest attacks will not be identified against a scan of the passwords in use in your organisation.

If you're looking to automate the process, utilise a more up-to-date breached password list, and bypass the manual efforts and scripting, then this popular free Password Auditor tool is worth downloading. The tool checks your Active Directory for the use of over 750 million breached passwords, as well as identifying:

  • Accounts with passwords expiring soon
  • Accounts with expired passwords
  • Accounts with identical or blank passwords
  • Stale/inactive admin accounts
  • How your current password policy compares to other industry and compliance recommendations

Stopping breached password use in your organisation

Out of the box capability for blocking breached password use in Active Directory is slim to none,

To continuously stop breached password use in your organisation, a breached password protection service needs to be in place to block breached passwords being set at the point of creation.

Breaches occurr daily across the globe, and more and more breached password lists are being generated that hackers can leverage. For the most complete coverage you will need to consider a solution that regularly updates the breached list your Active Directory passwords are checked against. More recently, solutions have evolved to utilise live attack data in order to block breached password use, which will offer the greatest level of protection.

Check out this article for further information on evaluating breached password protection services.

Conclusion and Next steps

Hopefully your eyes have been opened to how just a single breached password in your organisation leaves you vulnerable to attack and how, regardless of the user account targeted, once authenticated an attacker can easily elevate privileges for further unauthorised access at greater risk to your network.

We have outlined methods to identify those breached passwords that may already exist in your organisation, by running scripts against a breached list or using a password auditing tool, and we have highlighted how you can stop them reoccurring via a regularly updated breached password protection solution.

In addition to these essential measures, as cyber-attacks are becoming more prevalent and sophisticated, adding a second layer of security should also be considered alongside a password. Two-factor (2FA) or multi-factor authentication (MFA) requires an additional identity verification method, which is harder to spoof than a password as it often requires something the user has physical access to, like a smartphone. Wherever there is 2FA or MFA available, anything more than just a password is a good start and should be turned on.