You need a blacklist!
Having recently deployed Specops Password Policy (https://specopssoft.com/product/specops-password-policy/) I wanted to update the password generation button within the ARS MMC to help with setting passphrases rather than passwords. My definition of a passphrase is three or more random words used as a password. Just in case you are wondering why, and you’ve never seen this link, have a quick read of this post on password strength: https://xkcd.com/936/
How difficult a password is to crack is measured in bits of entropy. A longer password has greater entropy. Another factor that determines the strength of a password is the set of characters it can be built from: using upper case, lower case, numeric and special characters makes it stronger. If there is a rule forcing you to use those character sets, however, the password entropy actually drops.
Password entropy has two values: ‘blind entropy’, where the attacker has no clue what the password complexity rules are, and ‘seen entropy’, where the attacker knows the rules. If you were forced to set a 20 character password but were only allowed to use the letter ‘a’, and an attacker knows this rule, it won’t take them long to crack the password despite it being 20 characters long.
Like everywhere else, I suspect, our AD default domain password policy has password complexity enabled to make sure the users set strong passwords.
The complexity rules mean you must use a password that includes 3 of the 4 character sets: upper, lower, numeric and special. On the face of it this seems like a good idea, but it actually reduces the password entropy, because the ‘seen entropy’ eliminates any password that is all lower case or all UPPER CASE, reducing the number of password possibilities.
‘Password8’ meets all the complexity rules
These rules also allow ‘Password8’, which meets all the complexity rules but is clearly not a good password. Why, then, do we turn password complexity on at all?
Users will use the weakest password they can because it is easy to remember, and no, ‘QazXswEdc’ is not a strong password
Because our passwords are like water and flow down to the lowest level, if I set no rules at all then some users will use very simple passwords that are easy to remember and easy to crack. Some people think passwords like ‘QazXswEdc’ and ‘qpzmwoxn’ are secure, but they are just patterns on the keyboard, and these will be at the top of the hackers’ list of passwords to test.
Calculating password entropy rarely if ever considers the user as a factor of the password strength
Just before moving back to the actual topic of the post: when reading up on the new password recommendations I had to produce some stats on password strength to justify and explain why we needed to change. Calculating password entropy is just a matter of maths, but it occurred to me that none of the calculations I found took the users into account. If I use the standard Microsoft complexity rules and set the minimum password length to 8, most users will use a passphrase of one word plus a number. Tell me that’s not how you remember your current AD password? Summer2020 or Summer20 etc. The password entropy, in theory, is then good, but the reality is that password security is pretty low. For most people the word pool is not massive, and adding one or two digits to the end, which we recycle every month, makes our passwords very weak. Oh, and replacing some letters (leetspeak) does very little for the password entropy, as the hackers use these replacements too, so don’t go fooling yourself that your users’ passwords are secure.
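To put numbers on the argument above, here is an added PowerShell example (my own, not from the original post). It computes the ‘blind’ entropy of a password over all 94 printable characters, the ‘seen’ entropy once the attacker knows the 3-of-4 character set rule, and the effective entropy of the ‘Summer20’ pattern. The pool sizes for the pattern (10,000 common words, a one or two digit suffix, two capitalisation variants, eight leetspeak variants) are assumptions you can change.

```powershell
# Added example, not from the original post. Puts numbers on "blind" vs "seen"
# entropy and on the Word+digits pattern users actually choose.

# Sizes of the four Windows complexity character classes (94 printable ASCII).
$ClassSizes = 26, 26, 10, 32   # upper, lower, digit, special

function Get-BlindEntropy {
    # Attacker knows nothing: every string of this length over all 94 characters.
    param([int]$Length)
    $Length * [math]::Log(94, 2)
}

function Get-SeenEntropy {
    # Attacker knows the "at least 3 of 4 classes" rule, so strings built from only
    # one or two classes are never tried. Count the remaining strings exactly by
    # inclusion-exclusion over the 16 subsets of the four classes.
    param([int]$Length, [int]$MinClasses = 3)
    $valid = [double]0
    for ($s = 1; $s -lt 16; $s++) {                          # S = classes that appear
        $inS = @(0..3 | Where-Object { $s -band (1 -shl $_) })
        if ($inS.Count -lt $MinClasses) { continue }
        # Exactly(S) = sum over T subset of S of (-1)^(|S|-|T|) * |chars in T|^Length
        $exact = [double]0
        for ($t = 0; $t -lt 16; $t++) {
            if (($t -band $s) -ne $t) { continue }           # keep only T subset of S
            $inT = @(0..3 | Where-Object { $t -band (1 -shl $_) })
            $pool = 0
            foreach ($i in $inT) { $pool += $ClassSizes[$i] }
            $sign = if ((($inS.Count - $inT.Count) % 2) -eq 0) { 1 } else { -1 }
            $exact += $sign * [math]::Pow($pool, $Length)
        }
        $valid += $exact
    }
    [math]::Log($valid, 2)
}

function Get-PatternEntropy {
    # Effective keyspace of "Word + digits" passwords. All pool sizes are assumptions.
    param(
        [int]$WordPool      = 10000,  # words a typical user would actually pick from
        [int]$DigitSuffixes = 100,    # one or two trailing digits (0..99)
        [int]$CaseVariants  = 2,      # all lower case, or capital first letter
        [int]$LeetVariants  = 8       # a->@, e->3, o->0 ... crackers try these too
    )
    [math]::Log([double]$WordPool * $DigitSuffixes * $CaseVariants * $LeetVariants, 2)
}

# Report for the 8 character minimum the post argues against, and for 12 and 16.
foreach ($len in 8, 12, 16) {
    "{0,2} chars: blind {1,6:N2} bits, seen (3 of 4 rule) {2,6:N2} bits" -f $len, (Get-BlindEntropy $len), (Get-SeenEntropy $len)
}
"Word+digits pattern (e.g. Summer20): {0:N1} bits regardless of minimum length" -f (Get-PatternEntropy)
```

At 8 characters the complexity rule alone knocks less than a tenth of a bit off the 52.4 bit blind figure, whereas the Word+digits pattern collapses the keyspace to roughly 24 bits under these assumptions. That gap, not the rule itself, is the user factor the paragraph above is talking about.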
You need a way of checking passwords against a known list of weak and compromised passwords – the ‘Blacklist’
The only way of improving your AD password policy is to add a password filter that prevents weak passwords.
We selected Specops Password Policy including the blacklist add-on, which is the real benefit of using a password filter, as it prevents the use of any password that appears on the internet-published lists of leaked and well-known weak passwords.
I’d recommend a visit to ‘https://haveibeenpwned.com/’ if you don’t know what I’m talking about.
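The mechanics of such a blacklist check, as an added PowerShell example of my own (it is not the Specops product and not code from the original post): the candidate is hashed with SHA-1, the first five hex characters select a bucket of known-leaked hash suffixes, and the remaining 35 characters are compared locally, which is the same k-anonymity scheme the haveibeenpwned range API uses. The breach list here is constructed inline from the weak passwords the post names, with made-up counts, so the script runs offline; a real deployment would load the published hash list instead.

```powershell
# Added example, not from the original post and not the Specops product.
# Blacklist lookup in the style of the haveibeenpwned "range" API: only a 5-char
# SHA-1 prefix selects a bucket; the full hash never leaves this process.

function Get-Sha1Hex {
    param([string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = $sha1.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($Text))
        ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
    }
    finally { $sha1.Dispose() }
}

# Constructed sample data: prefix -> lines of "SUFFIX:COUNT", the same shape the
# real range API returns. Counts are made up; the passwords are the ones the post
# names as weak. A real deployment would load the published hash list instead.
$BreachCounts = @{ 'Password8' = 12345; 'Summer2020' = 6789; 'QazXswEdc' = 321 }
$RangeData = @{}
foreach ($leaked in $BreachCounts.Keys) {
    $hash   = Get-Sha1Hex $leaked
    $prefix = $hash.Substring(0, 5)
    $RangeData[$prefix] += @("$($hash.Substring(5)):$($BreachCounts[$leaked])")
}

function Get-BreachCount {
    # Returns how many times the password appears in the list (0 = not found).
    param([string]$Password, [hashtable]$Ranges = $RangeData)
    $hash   = Get-Sha1Hex $Password
    $prefix = $hash.Substring(0, 5)          # the only part a remote lookup would see
    $suffix = $hash.Substring(5)             # compared locally against the bucket
    if (-not $Ranges.ContainsKey($prefix)) { return 0 }
    foreach ($line in $Ranges[$prefix]) {
        $parts = $line -split ':'
        if ($parts[0] -eq $suffix) { return [int]$parts[1] }
    }
    return 0
}

# The filter rule: any hit on the list rejects the password outright.
foreach ($candidate in 'Password8', 'Summer2020', 'correct-horse-battery-staple') {
    $count = Get-BreachCount $candidate
    if ($count -gt 0) { "REJECT  $candidate  (seen $count times in the list)" }
    else              { "accept  $candidate" }
}
```

The bucket-by-prefix layout is what lets a filter consult a list of hundreds of millions of hashes without ever transmitting, or logging, anything that identifies the password being set.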
Password complexity rules can be driven from the password length when the password is being set
We have now forced longer passwords on our end users, but the trade-off is that we let them keep the same password for longer, unless it shows up on the ‘blacklist’, in which case we force an immediate change. One ‘killer’ feature of Specops is that it can have multiple password rules in the same policy, enabling rules based on the length of the password being set. An 8 character password can be forced to change every 30 days and must have 3 of the 4 character sets, while a 12 character password only needs to change every 90 days, etc. This increases the ‘seen’ entropy score, which is obviously a good thing. It also keeps users who want shorter passwords happy, as long as they are also happy to keep changing their password.
If you allow an 8 character password then users will select a one word passphrase with a number on the end
We are rewarding good behavior with this feature and getting better theoretical password entropy. I say theoretical, because come on, who am I kidding, if you do this then people will still use a one word passphrase with a number on the end! Most likely the capital will be the first letter of the word!
This just makes a mockery of anyone that tells you an 8 character password with complexity is strong. Only on paper is it strong.
Forcing longer passwords will force users to use passphrases as that is the only way they will be able to remember them
I’d recommend you force longer passwords on everyone and don’t allow the madness of 8 characters to continue.
Scan your passwords regularly to identify compromised passwords
Specops allows you to scan all of your current passwords against the blacklist, and this is free to anyone who wants to try it. Trust me when I tell you most of the passwords in use today are going to be on the ‘naughty’ list. I was quite amazed when I ran the tool in our environment; it’s really fast too, scarily fast, which means that if a hacker got access to the AD database he’d literally have every weak password in seconds. I found this analysis of the list of leaked passwords quite interesting, https://wpengine.com/unmasked/, and worth a read if you have time.
The next challenge, as always, is user education, and part of my strategy here is to lead by example. No, I’m not telling everyone what I’m setting my password to; I’m using a passphrase generator to generate the password reset values given to users when they ask for a password reset. Better still, I’ve integrated my passphrase generator into the ARS MMC to make it easy for people to use.
By default, when resetting a user’s password in the ARS MMC, the generate password button runs a VBScript (ARRRRRGHHHHHH) that reads the AD domain password complexity rules and generates a random password using those rules. It has a button that lists the password phonetically too, which is quite handy, but if you increase the minimum length to 14 or 20 characters then this password is quite difficult to pass to the end user verbally.
As I had already written a PowerShell script to generate passphrases, I decided to replace the existing ARS VBScript (ARRRRRRRGHH) with mine, so that when the ServiceDesk generates a password reset the script generates a passphrase instead. It generates some great passwords by the way, and quite a few are amusing; you might find yourself sitting at your desk generating new passphrases for quite a while when you test out my script 😊
I also built the script into my JLT scripts so that all new accounts created get passphrases. This has to be one of the best password education tools you can get: show the users what a good password looks like and hopefully they will use a long and secure passphrase. There’s no guarantee, but if you force a long enough password and can check those passwords against the list of leaked passwords you are definitely in a better place than with just the Microsoft built-in complexity rules.
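The shape of such a generator, as an added PowerShell example of my own (the author’s script is not on this page and is promised for the next post, so this is not it): it draws three or more words with the .NET cryptographic random number generator, using rejection sampling so no word is favoured, and reports the ‘seen’ entropy an attacker faces if they know the word list, the word count, the separator and the format. The 25-word list is a constructed stand-in; the -Capitalise and -AppendDigit switches are there only to satisfy an upper-case or numeric rule where one is still enforced.

```powershell
# Added example, not the author's generator from the post. Builds a passphrase
# from N random words using a cryptographic RNG and reports its entropy.

# Constructed stand-in word list; a real one would be thousands of words.
$WordList = @('anchor','breeze','cactus','dolphin','ember','falcon','glacier','harbor',
              'island','jungle','kettle','lantern','meadow','nectar','orbit','pepper',
              'quartz','ripple','saddle','timber','umbrella','velvet','walnut','yonder','zephyr')

function Get-SecureRandomIndex {
    # Unbiased index in [0, Max) from RandomNumberGenerator, via rejection sampling:
    # values above the largest multiple of Max are thrown away so no index is favoured.
    param([int]$Max)
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] 4
    $limit  = [uint32]::MaxValue - ([uint32]::MaxValue % $Max)
    try {
        do {
            $rng.GetBytes($buffer)
            $value = [BitConverter]::ToUInt32($buffer, 0)
        } while ($value -ge $limit)
        return [int]($value % $Max)
    }
    finally { $rng.Dispose() }
}

function New-Passphrase {
    param(
        [int]$Words = 3,                 # the post's definition: three or more words
        [string]$Separator = '-',
        [switch]$Capitalise,             # Anchor-Breeze-Cactus, for an upper-case rule
        [switch]$AppendDigit             # anchor-breeze-cactus7, for a numeric rule
    )
    $picked = 1..$Words | ForEach-Object {
        $w = $WordList[(Get-SecureRandomIndex $WordList.Count)]
        if ($Capitalise) { $w.Substring(0, 1).ToUpper() + $w.Substring(1) } else { $w }
    }
    $phrase = $picked -join $Separator
    if ($AppendDigit) { $phrase += Get-SecureRandomIndex 10 }

    # "Seen" entropy: attacker knows the list, the word count, the separator and
    # the format, so only the word choices (and the digit) are unknown.
    $bits = $Words * [math]::Log($WordList.Count, 2)
    if ($AppendDigit) { $bits += [math]::Log(10, 2) }

    [pscustomobject]@{ Passphrase = $phrase; Words = $Words; EntropyBits = [math]::Round($bits, 1) }
}

# A few samples of the kind of value a ServiceDesk would read out to a user.
1..3 | ForEach-Object { New-Passphrase -Words 3 -Capitalise -AppendDigit }
New-Passphrase -Words 4
```

With this 25-word list three words give only about 13.9 bits, which is why the list matters more than anything else in the design: the same three words drawn from a 7,776-word Diceware-style list give 38.8 bits, and four words give 51.7, without a single special character to read out over the phone.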
My next post will detail how to replace the password reset generator in ARS and also publish the passphrase generator I wrote (plagiarised from a few other snippets and ideas on the internet).