Full Report
Password audits often focus on complexity rules but miss the accounts attackers actually target. Specops Software explains how breached passwords, orphaned users, and service accounts can leave organizations exposed. [...]
Analysis Summary
# Best Practices: Context-Aware Password Auditing
## Overview
These practices address the limitations of traditional password audits, which frequently focus on surface-level metrics (complexity and length) while ignoring the high-risk accounts actually targeted by attackers. These recommendations aim to shift security focus toward compromised credentials, orphaned accounts, and service account vulnerabilities.
## Key Recommendations
### Immediate Actions
1. **Conduct a Breached Password Scan:** Use a tool to compare current Active Directory (AD) hashes against databases of known leaked credentials (e.g., 5.4+ billion compromised passwords).
2. **Identify Orphaned Accounts:** Run a report to find active accounts belonging to former employees, expired contractors, or "shadow IT" test accounts.
3. **Implement a Custom Block List:** Immediately ban passwords containing the organization's name, local sports teams, or industry-specific terms (e.g., "Healthcare123!").
### Short-term Improvements (1-3 months)
1. **Service Account Inventory:** Audit service accounts to ensure they are used exclusively for automated processes and do not have interactive login rights.
2. **Automate Breach Screening:** Transition from one-time scans to continuous monitoring that alerts IT whenever a user's password appears in a new data breach.
3. **Enforce Risk-Based MFA:** Prioritize MFA rollout for over-privileged users and accounts that have failed recent internal audits.
### Long-term Strategy (3+ months)
1. **Replace Rotation with Screening:** Shift away from arbitrary 90-day password expiration (which leads to predictable patterns) in favor of long, unique passwords that only expire if a compromise is detected.
2. **Identity Life Cycle Automation:** Integrate HR systems with Active Directory to ensure account deprovisioning happens automatically the moment an employee leaves.
3. **Tiered Administrative Access:** Implement a "Least Privilege" model where administrative accounts are separated from standard user accounts and have no internet/email access.
## Implementation Guidance
### For Small Organizations
- **Focus:** Low-hanging fruit: clean up "orphaned" accounts and enforce basic MFA.
- **Action:** Perform a manual audit of the user list monthly to ensure everyone listed is still currently employed.
### For Medium Organizations
- **Focus:** Policy and Visibility. Move toward automated password policy enforcement.
- **Action:** Implement tools like Specops to block weak or leaked passwords at the moment of change, reducing the burden on the help desk for password resets.
### For Large Enterprises
- **Focus:** Service Account Management and Scaling.
- **Action:** Use automated discovery tools to map complex service account dependencies and transition to Managed Service Accounts (MSAs) where possible to handle rotation automatically.
## Configuration Examples
- **Password Policy Settings:**
- *Minimum Length:* 15+ characters (to encourage passphrases).
- *Account Lockout:* 10 attempts in 30 minutes (to thwart slow brute-force).
- **Custom Dictionary:** Block terms such as `[CompanyName]2024`, `Summer2024!`, `Welcome123`.
- **Service Account Hardening:** Set `User cannot change password` and `Password never expires`, but restrict `Log on to` to the specific workstations the service actually runs on.
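The custom block list and breached-password checks described above, as an added example that is not part of the original report or of any vendor tool: it normalizes leetspeak and trailing suffixes before matching organization-specific terms, flags the seasonal `Summer2024!`-style patterns that rotation produces, and looks up a SHA-1 hash by 5-character prefix the way k-anonymity range screening does. The breach "ranges" are constructed inline from a few known-weak strings so the block runs offline.

```python
import hashlib
import re

# Substitutions attacker rule sets undo; undo them too before matching block-list terms.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
SEASON_RE = re.compile(r"^(spring|summer|fall|autumn|winter)(19|20)\d\d$")


def normalize(password: str) -> str:
    """Lowercase and drop trailing symbols, so 'Summer2024!' -> 'summer2024'."""
    return re.sub(r"[^a-z0-9]+$", "", password.lower())


def hash_prefix_suffix(password: str):
    """Split the uppercase SHA-1 into the 5-char prefix sent out and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for breach-corpus range data: prefix -> {suffix: seen_count}.
# Built here from three sample leaked strings; a real audit loads the full corpus or
# queries the range endpoint per prefix so complete hashes never leave the host.
_SAMPLE_LEAKED = {"Welcome123": 5, "Summer2024!": 2, "password": 9999}
RANGES: dict = {}
for _pw, _count in _SAMPLE_LEAKED.items():
    _prefix, _suffix = hash_prefix_suffix(_pw)
    RANGES.setdefault(_prefix, {})[_suffix] = _count


def breach_count(password: str) -> int:
    """How many times the password appeared in the (sample) breach corpus; 0 if never."""
    prefix, suffix = hash_prefix_suffix(password)
    return RANGES.get(prefix, {}).get(suffix, 0)


def audit_password(password: str, org_terms) -> list:
    """Return context-aware findings for one candidate password (empty list = clean)."""
    findings = []
    count = breach_count(password)
    if count:
        findings.append(f"breached:{count}")
    norm = normalize(password)
    if SEASON_RE.match(norm):
        findings.append("seasonal-pattern")
    deleet = norm.translate(LEET)          # 'h34lthc4r3' -> 'healthcare'
    for term in org_terms:                 # organization name, industry words, etc.
        if term.lower() in deleet:
            findings.append(f"blocked-term:{term}")
    return findings
```

`org_terms` is the hypothetical custom dictionary (company name, local teams, industry words); the same normalization is what makes `Acm3!` and `ACME2024` both match a single `Acme` entry.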
## Compliance Alignment
- **NIST SP 800-63B:** Follows guidelines to move away from complexity rules toward checking against a "blacklist" of compromised values.
- **ISO/IEC 27001:** Addresses access control and password management requirements.
- **CIS Controls:** Aligns with Control 5 (Account Management) and Control 6 (Access Control Management).
## Common Pitfalls to Avoid
- **The "Compliance Trap":** Assuming that because an audit was "passed," the organization is secure. 83% of compromised passwords still meet standard complexity rules.
- **Ignoring Service Accounts:** Treating service accounts like user accounts; they often have high privileges and static passwords that are never changed.
- **Pattern Proliferation:** Forcing frequent rotations, which leads users to choose predictable sequences like `Spring2024!`, `Summer2024!`.
## Resources
- **Specops Password Auditor:** hxxps[://]specopssoft[.]com/product/specops-password-auditor/
- **NIST Password Guidelines:** hxxps[://]pages[.]nist[.]gov/800-63-3/
- **Have I Been Pwned (API for screening):** hxxps[://]haveibeenpwned[.]com/