Humans, though they may be slow but they are expert at beating all kinds of smart systems eventually : ). IMO, users like to keep simple to remember and yet complex passwords. As a security ninja with star darts, of your organization, the last thing that you want to happen would be a user account getting compromised because he kept his password as “Password21”

You may have complex active directory password policy enabled along with minimum password length, bad password count, account lockout duration, and conservative security practices, etc. and yet you may fail Active Directory Password Audit for weak passwords.

This is where Active Directory audit for weak passwords helps and implement security measures that discourage or even disallow use of easily guessable complex passwords.

Now you can use the Geek way or Freak way of doing the weak password audit. We will discuss about both the methods.

Active Directory Complex Password Policy States

Password must meet complexity requirements

This security setting determines whether passwords must meet complexity requirements.

If this policy is enabled, passwords must meet the following minimum requirements:

Not contain the user's account name or parts of the user's full name that exceed two consecutive characters
Be at least six characters in length
Contain characters from three of the following four categories:
English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)
Complexity requirements are enforced when passwords are changed or created.

……

The First Method

We will use Thycotic Weak Password Finder. You can register to download from here.

Prerequisites

The tool runs only on 64bit machines with Windows 7 and Server 2008 R2 or later OS. It requires .Net 4.5 framework.

You need “Replicating Directory Changes” permissions. The above link contains information on how to grant the permissions. Alternatively, you may use domain admin rights. The tool non-intrusive and reads password hashes, then it leverage a password list file that contains of weak passwords, easily guessable passwords, pattern based passwords and passwords from previous breaches.

It has roughly 100 thousand such passwords in password.txt file (which is human readable) against which it matches your AD password hashes.

  • Start the Thycotic weak password finder and specify the domain name and domain controller.

Active Directory Weak Password Audit

  • Specify the credentials. Make sure you have sufficient rights to read the password hashes from the AD.

Weak Password Finder

  • Finally, Start the scan.

Active Directory Password Audit

Given the number of user accounts & passwords it has to compare, the scan may take sometime to complete.

The report that comes out, contains,

  1. users who are using weak passwords,
  2. users whose password are same or similar, for example, standard and privilege account has the same passwords,
  3. users with password set to never expire
  4. users whose passwords are saved with reversible encryptions
  5. users whose passwords are saved using legacy encryption method

Now, if you get excited and want to block users using the weak or breached passwords then it’s going to be challenge because the password list contains over 100k passwords.

Rather, you can use the subset & common passwords.

The below PS script will parse password.txt file. Text.txt file contains the known weak or common passwords like name of the month, day, countries, commonly used passwords, etc. The script will only filter passwords which are less than 8 characters (minimum password length) and doesn’t match the weak passwords supplied.

$ListOfPasswords = get-content -ReadCount 10000 C:\ThycoticWeakPasswordFinder\password_Thycotic.txt

$compareDict = @()
$compareDict = get-content C:\text.txt
$pattern = ($compareDict | ForEach-Object { [regex]::Escape($_) }) -join '|'


$i=0
$j=0

Do
{

        foreach ($pwd in $ListOfPasswords[$j])
        {
    
            Do
            {
                if(($pwd -imatch $pattern) -and ($pwd.length -ge 8))
                {
                  $pwd
                  $pwd | add-content -path .\PasswordList.txt
                }
                else
                {
         

                }

                $i++

             }while($i -lt 10000)
        }

$j++
}while($j -lt 1149)

The Second Method

Now, if you don’t like the idea of reading the hashes against a live AD. You can then use advance tools like hashcat, mimkatz, dsinternal, etc.

Due to the nature of these tools, the method of testing may slightly be changed.

Some smart folks have already provided enough information on how to use these tools. You can find information about them, here, here, & here.

Conclusion: Active Directory Password Audit

Now, that you have the report on password audit. It’s time for action. Natively, Active Directory won’t stop users from using complex though weak passwords.

You can leverage tools like AD Self Service Plus by Manage Engine or Thycotic Password Reset Server for enforcing custom password policies.

Both offer 30 days trial. You can play around with these tools.

I hope you find the information in this post useful in some ways. If you have any comments, questions, kindly ask them using the comment sections below.