This summary stems from a brief conversation within a peer circle. A parallax perspective on the issue of passwords. 

Most IT organisations have an IT Security policy, which defines the required password parameters for an organisation.  Active Directory provides a method to enforce the password parameters, from their complexity and length to the frequency that they must be changed. 

Once a company’s password policy is understood and required parameters are known, internally bad practice can set in and this is not necessarily limited to the end users, IT can equally be at fault.  For example the service desk may create all new user or service accounts with the same common password.  Password1234$$ or Welcome2015! 

So what has this got to do with hacking your own Active Directory? 

Using one of the numerous Active Directory password cracking tools on the internet, you can analyse (crack the easy ones) the passwords stored in Active Directory and produce a list of the most common passwords.

These common passwords can then be cross referenced to their owners and with a little bit of mathematics, it is possible to deduce that perhaps with 10 passwords, 70 % of all systems can be accessed, not only is this a rather frightening metric, but this is reality and one attack vector for anyone with access to a domain controller. 

This is not a simple problem to fix with the current architecture of Active Directory, but with small process changes and education around the use of common passwords the percentage of systems that could be accessed or compromised may be reduced. 

 

Posted by markparris

Microsoft MVP - Enterprise mobility.

2 Comments

  1. Let’s not even talk about Service Accounts, Stale Accounts, Bulk or Shared Accounts. Then BYOD and Enterprise internet via WiFi on a Corp Network to keep the CxOs happy…

    Reply

  2. Thank you for posting this awesome article. I’m reading your blog since a long time already but I
    never compelled to leave a comment. I registered your blog in my rss feed and shared it on my Facebook.
    Thanks again for this great post!

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s