Detect and Reset Compromised Passwords with Active Directory Guardian

Detect and Reset Compromised Passwords with Active Directory Guardian
September 17, 2019 Heather Smith

When people reuse passwords, criminals benefit. That’s why the latest password guidelines from the National Institute of Standards and Technology (NIST) urge organizations to check for “commonly-used, expected, or compromised” passwords that can give criminals an all-access pass to your organization’s data. Following this guidance can help organizations mitigate the risks posed by users’ bad password habits, but it creates challenges for busy security teams that don’t have time to keep up with new data breaches and monitor their directories for stolen credentials.

Today, the SpyCloud team is excited to share that we’ve released a new and improved version of Active Directory Guardian that makes it even easier to align with NIST guidelines by detecting and resetting compromised passwords. With the latest version of Active Directory Guardian, you can:

  • Simplify alignment with NIST password guidance
  • Reset weak and compromised passwords automatically
  • Detect when your employees reuse their favorite passwords (which are criminals’ favorites, too)
  • Check for banned passwords on our pre-populated list of common passwords, plus your own additions

We’re especially proud to have added the ability to check your users’ passwords against the entire SpyCloud database for any exposure, independent of username, which is one way we’ve made it easier for customers to comply with NIST password guidelines. You can learn more about how Active Directory Guardian helps organizations align with NIST password guidelines in our solution brief.

Let’s walk through some common ways employee password habits can put your organization at risk, and how Active Directory Guardian can help.

How Active Directory Guardian Helps You Detect Bad Password Hygiene

Common Scenario #1: Your employee reuses their Active Directory credentials on third-party sites.

With hundreds of online accounts to keep track of, your employee struggles to remember a different password for each account. Reusing the same username and password for everything—including work—solves that problem.

Unfortunately, data breaches happen all the time. When (not if) your employee’s credentials are exposed in a third-party data breach, criminals can easily use them to log into your network.

Active Directory Guardian enables you to check Active Directory passwords against the largest repository of stolen credentials in the world, helping you detect and reset compromised passwords before criminals can use them to access your accounts.

Common Scenario #2: Your employee reuses their work password—this time, with their personal email address.

Some employees think that, so long as they aren’t using their work email address, reusing a password for an account registered under their personal email address is perfectly safe. In reality, it’s easy for an attacker to connect the employee’s personal alias, jsmith@gmail.com, to their work email, jsmith@employer.com. It’s much harder for your security team to do the same, especially for hundreds or thousands of Active Directory users.

Active Directory Guardian helps you monitor for this type of scenario at scale by enabling you to check your users’ Active Directory passwords against the entire SpyCloud database. You can easily detect if a user’s password has ever been involved in breach, whether or not it was combined with their Active Directory username.

 

Common Scenario #3: Your employee shares online accounts—and passwords—with their family.

Let’s say your employee’s Active Directory password is Sprinkles1, named after the family dog. Your employee reuses that same password across certain online accounts that their whole family can access. Easy to remember, easy to share.

Unfortunately for you, your employee’s kids are saving their brainspace for school, so they use the same memorable password they already know and like across their social media accounts, gaming sites, and online forums, dramatically increasing the chances your employee’s password will appear in a third-party breach.

By using Active Directory Guardian to check your Active Directory passwords for breach exposures, you can shield your organization from the risk posed by your employee’s risky password habits.

Common Scenario #4: Your employee switches up their favorite password for ‘extra security.’

Sometimes your employee switches things up with a few trivial changes to a favorite password, whether to get around password complexity requirements or to create a “more secure” password that they can still remember. The passwords in your employee’s arsenal include sprinkles, Sprinkles, Sprinkes1, Sprinkles!1, and (for extra-extra-important accounts), Spr1nkl3s!.

Your employee doesn’t think of these “fuzzy” variations as password reuse because they’re not exact matches. In reality, they may as well be. Unsophisticated criminals have access to advanced crimeware that can check for common password variations like these, making fuzzy password reuse a security risk for your enterprise.

Active Directory Guardian can help. If your employee uses a fuzzy variation of a password that has been exposed in a third-party breach, you can detect and reset it automatically with Active Directory Guardian.

Common Scenario #5: Your employee chooses a common password, like the name of their favorite sports team or the name of your company.

Your employee shapes up and stops reusing passwords. Thanks to some inspiration from their favorite sports team, they come up with password they’ve never used before on any site: Longhorns#1.

Unfortunately for your employee, they’ve chosen the same password as many other Longhorns fans, several of whom have been included in third-party breaches. Once a password makes its way into lists that criminals can load into account checker tools, it creates a potential exposure for your organization.

Luckily, Active Directory Guardian offers the option to check your users’ passwords against every password in our database, independent of username. Even though your employee has never been involved in a breach using this specific password, Active Directory Guardian can flag this password to help you identify weak, expected, or compromised passwords in accordance with NIST’s recommendations.

Active Directory Guardian also includes a banned password list that your team can add to, enabling you to detect and reset passwords that an attacker might expect users at your organization to choose. Using context-specific passwords like the name of your company is such a common approach that the NIST password guidelines specifically recommend checking for it.

 

A Closer Look: How Active Directory Guardian Checks for Password-Only Matches

By default, Active Directory Guardian does not push data back to SpyCloud. In most cases, the platform uses native Microsoft calls to pull data from the SpyCloud API and compares it locally to NTLM hashes of your Active Directory passwords.

We created a single exception to make it possible to check passwords for any exposure within the SpyCloud database, independent of username. In this case, Active Directory Guardian uses an approach called k-anonymity, meaning that only the first 5 characters of each password hash are sent over the network—never the user’s actual plaintext password. This method ensures that if the traffic were intercepted, it would be useless to an attacker.


Interested in learning more about Active Directory Guardian?