Regular reviews of the quality of the user, admin, and service account passwords stored in Active Directory are a good idea. Here's how one password review tool works.

More applications and devices now check passwords against repositories of breached credentials. When you log into your iPhone, for example, it alerts you that passwords saved in your iCloud keychain have been reused elsewhere. In January, Microsoft released a feature in its Edge browser that checks the status of saved passwords and flags any that have been exposed in an online breach.

In a network environment you often want to show your users concrete ways to improve their security, and reviewing the quality of the passwords in your domain is a sensible place to start. Specops, for example, offers a free Password Auditor tool that reviews the state of passwords in your Active Directory (AD) environment.

The tool makes no changes to AD. It reads the values of pwdLastSet, userAccountControl and lastLogonTimestamp for each account, reads all password policies, and reads details about user accounts and their password hashes. You must run Password Auditor as a domain admin to be able to read password hashes and fine-grained password policies. It produces reports showing which accounts have leaked passwords and how your organization's password settings compare with industry standards and best practices. The server or workstation it is installed on must have .NET 4.7 or later.

When you start the tool you have the option to download a copy of the breached password database. Install it where you have multiple gigabytes of free storage, because the file is large. The tool then compares the password hashes it read from AD against breached-password lists such as the one published by Have I Been Pwned (haveibeenpwned.com) and gives you a list of the accounts whose passwords need to be changed. Treat the machine that runs the audit, the downloaded breach list and the resulting report as sensitive: a list of accounts with weak or leaked passwords is exactly what an attacker wants. Next, it compares your password policy to best-practice guidance.
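To show what a review of those three attributes looks like in practice, here is an added PowerShell example. It is not Specops' code and is not part of the original article; it reads pwdLastSet, userAccountControl and lastLogonTimestamp with the RSAT ActiveDirectory module and flags accounts a reviewer would want to look at. It does not touch password hashes or breached-password lists, and the age thresholds, the flag names and the output file name are assumptions.

```powershell
# Added example: read pwdLastSet, userAccountControl and lastLogonTimestamp for every
# enabled user and flag the accounts that warrant a closer look. Read-only.
# Requires the RSAT ActiveDirectory module; any domain user can read these attributes.
Import-Module ActiveDirectory

# Assumed thresholds: adjust to your environment.
$MaxPasswordAgeDays = 365   # passwords set longer ago than this are "stale"
$StaleLogonDays     = 90    # no logon in this long = candidate for disabling/removal

# userAccountControl bit flags (documented values in MS-SAMR / ms-ADTS)
$UF_PASSWD_NOTREQD             = 0x0020
$UF_ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
$UF_DONT_EXPIRE_PASSWD         = 0x10000
$UF_DONT_REQUIRE_PREAUTH       = 0x400000

$now   = Get-Date
$users = Get-ADUser -Filter * -Properties pwdLastSet, userAccountControl, lastLogonTimestamp, servicePrincipalName |
         Where-Object Enabled

$report = foreach ($u in $users) {
    # Both attributes are Windows FILETIME (100 ns ticks since 1601, UTC). pwdLastSet = 0 means
    # "must change at next logon" or never set. lastLogonTimestamp is replicated between DCs but
    # only refreshed when older than 9-14 days, so treat it as approximate.
    $pwdLastSet = if ($u.pwdLastSet -gt 0)         { [DateTime]::FromFileTimeUtc($u.pwdLastSet) }         else { $null }
    $lastLogon  = if ($u.lastLogonTimestamp -gt 0) { [DateTime]::FromFileTimeUtc($u.lastLogonTimestamp) } else { $null }
    $uac        = [int]$u.userAccountControl

    $findings = @()
    if ($null -eq $pwdLastSet) { $findings += 'PasswordNeverSetOrMustChange' }
    elseif ($pwdLastSet -lt $now.AddDays(-$MaxPasswordAgeDays)) { $findings += "PasswordOlderThan${MaxPasswordAgeDays}d" }
    if ($uac -band $UF_DONT_EXPIRE_PASSWD)         { $findings += 'PasswordNeverExpires' }
    if ($uac -band $UF_PASSWD_NOTREQD)             { $findings += 'PasswordNotRequired' }
    if ($uac -band $UF_ENCRYPTED_TEXT_PWD_ALLOWED) { $findings += 'ReversibleEncryption' }
    if ($uac -band $UF_DONT_REQUIRE_PREAUTH)       { $findings += 'NoKerberosPreauth(AS-REP roastable)' }
    if ($null -eq $lastLogon -or $lastLogon -lt $now.AddDays(-$StaleLogonDays)) { $findings += "NoLogonIn${StaleLogonDays}d" }
    if ($u.servicePrincipalName) { $findings += 'HasSPN(probable service account)' }

    if ($findings.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            PasswordLastSet = $pwdLastSet
            LastLogon       = $lastLogon
            Findings        = ($findings -join ';')
        }
    }
}

$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
# The CSV is as sensitive as the report the tool produces: store it accordingly.
$report | Export-Csv -Path .\ad-password-review.csv -NoTypeInformation
```

Accounts flagged PasswordNotRequired or ReversibleEncryption deserve attention first: the former can have an empty password regardless of policy, and the latter means the domain controller holds something equivalent to the plaintext.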
Review administrator and service account passwords, too

Let's not let administrators off the hook. Recent ransomware attacks have reportedly started with a reused password left behind by an administrator. As projects end and new ones begin, old passwords and old accounts are forgotten. As you move from on-premises email to hosted email, you may forget the accounts that belonged to applications you have since removed. Review every account in your Active Directory that has administrator rights, including rights inherited through nested group membership. Rather than relying on password expiry to protect administrator accounts, protect them with hardware tokens, biometrics or other two-factor authentication options.

What about service accounts? Specops notes that these need reviewing too. Whenever you hand out domain accounts or use managed service accounts, be aware of the implications of your choices. As they note, “Managed service accounts are typically the most secure of the bunch. They benefit from the strict permissions controls possible through AD, effectively enforcing RBAC, and maintenance automations. This commonly includes password changes and PowerShell scheduled tasks.”

A group-managed service account (gMSA) can be used for tasks tied to one or more computers. Its password is a long random value that Active Directory rotates automatically, so nobody ever types or knows it. Standalone managed service accounts require at least a Windows Server 2008 R2 schema; group-managed service accounts require the Windows Server 2012 forest schema and a KDS root key. Too often service accounts are set up with a password that is then forgotten or, worse, mandated by the vendor. Review every service account in your AD infrastructure, establish who set it up and how, and ask your vendors whether their product can run under a managed service account.

Password best practices

Password best practices vary from source to source. Microsoft's recommended password policy includes an eight-character minimum length requirement.
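The following PowerShell is an added example of the administrator and service account review described above; it is not code from the original article or from Specops. It resolves nested membership of the built-in privileged groups, lists plain user accounts that carry a service principal name (the usual sign of a hand-created service account with a typed password), shows existing managed service accounts, and finishes with a gMSA created for a hypothetical backup service. The group, account, host and domain names are assumptions.

```powershell
# Added example: review privileged and service accounts, then create a gMSA.
# Requires the RSAT ActiveDirectory module; steps 1-3 are read-only.
Import-Module ActiveDirectory

# 1. Who holds administrator rights, directly or through nested groups?
#    Enterprise Admins and Schema Admins exist only in the forest root domain, hence the try/catch.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                    'Account Operators', 'Backup Operators', 'Server Operators'
$admins = foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate |
            Select-Object @{n='Group';e={$g}}, SamAccountName, Enabled, PasswordLastSet, PasswordNeverExpires, LastLogonDate
    } catch { Write-Warning "Could not enumerate ${g}: $_" }
}
$admins | Sort-Object Group, SamAccountName | Format-Table -AutoSize

# 2. Service accounts implemented as ordinary users: any user with an SPN can be Kerberoasted,
#    so a years-old PasswordLastSet here is a real finding, not just an untidy one.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
           -Properties ServicePrincipalName, PasswordLastSet, PasswordNeverExpires, whenCreated, Description |
    Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires, whenCreated, Description,
                  @{n='SPNs';e={ $_.ServicePrincipalName -join ';' }} |
    Sort-Object PasswordLastSet | Format-Table -AutoSize

# 3. Managed service accounts already in the directory (standalone and group-managed).
Get-ADServiceAccount -Filter * -Properties PasswordLastSet, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, ObjectClass, PasswordLastSet, PrincipalsAllowedToRetrieveManagedPassword |
    Format-Table -AutoSize

# 4. Create a gMSA for a hypothetical backup job (assumed names). Needs the Windows Server 2012
#    forest schema and a KDS root key. A new root key is usable only after ~10 hours of
#    replication; back-dating it with -EffectiveTime is acceptable in a lab, not in production.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))   # lab shortcut, see comment above
}
New-ADServiceAccount -Name 'svc-backup' -DNSHostName 'svc-backup.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BackupServers' `
    -ServicePrincipalNames 'HOST/backup01.corp.example'

# On each host in the BackupServers group, as a local administrator:
#   Install-ADServiceAccount -Identity svc-backup
#   Test-ADServiceAccount   -Identity svc-backup     # True when the host can retrieve the password
# Then configure the service or scheduled task to run as CORP\svc-backup$ with a blank password.
```

Only computers in the group named in PrincipalsAllowedToRetrieveManagedPassword can fetch the gMSA password, which is why that group, not the account, is what to review for membership creep.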
They also recommend that you eliminate character-composition requirements: when confronted with complexity rules, people fall into a few recognizable patterns (a capitalized word, a digit and a symbol at the end) that password cracking programs exploit. Recommendations have changed over the years. Microsoft once recommended 14-character passwords changed every 60 days; the current best-practice recommendation is to change passwords only when they have been breached. The UK National Cyber Security Centre recommends password managers, because they let users choose long, unique passwords that do not need to be memorized, and suggests combining three random words for the passwords that must be.

Section 5.1.1.2 of NIST SP 800-63B recommends that you do not store a hint that is accessible to an unauthenticated claimant, and that you do not prompt users for specific types of information (e.g., “What was the name of your first pet?”) when choosing memorized secrets. Too often, games posted on social media ask people to answer exactly these seemingly random questions; they are common password reset questions, and attackers use the answers to reset passwords on accounts. Make sure your users know about this trick and ignore such question games.

Take the time to review the accounts in Active Directory, and ensure that you have no lingering accounts that could be used against you.
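As an added example of comparing your own policy against that guidance (this is not Specops' code and not part of the original article), the following PowerShell reads the default domain password policy and every fine-grained policy and reports where each departs from the recommendations above: a minimum length below eight, forced periodic expiry, and composition rules. The lockout threshold in the baseline is an assumption, not a value from the guidance.

```powershell
# Added example: compare AD password policies with the recommendations discussed in the text.
# Read-only; requires the RSAT ActiveDirectory module and rights to read fine-grained policies.
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$default = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$fgpps   = Get-ADFineGrainedPasswordPolicy -Filter *

# Baseline from the text: Microsoft and NIST SP 800-63B both want a minimum length of 8, no
# composition rules and no forced periodic rotation, provided passwords are screened against
# breached/banned lists. The lockout threshold is an assumed value.
$baseline = @{ MinPasswordLength = 8; LockoutThreshold = 10 }

function Test-PasswordPolicy {
    param($Policy, [string]$Name)
    $notes = @()
    # MaxPasswordAge of zero (shown as 00:00:00, or MaxValue on some builds) means "never expires".
    $age = $Policy.MaxPasswordAge
    $rotates = ($age -ne [TimeSpan]::Zero) -and ($age -ne [TimeSpan]::MaxValue)

    if ($Policy.MinPasswordLength -lt $baseline.MinPasswordLength) {
        $notes += "MinPasswordLength $($Policy.MinPasswordLength) is below $($baseline.MinPasswordLength)"
    }
    if ($rotates) {
        $notes += "Forced rotation every $($age.Days) days; guidance is to rotate only on compromise, with breach screening in place"
    }
    if ($Policy.ComplexityEnabled) {
        $notes += "Composition rules enforced; guidance prefers length plus a banned-password list"
    }
    if ($Policy.ReversibleEncryptionEnabled) { $notes += 'Reversible encryption enabled' }
    if ($Policy.LockoutThreshold -eq 0)       { $notes += 'No lockout threshold: online guessing is unthrottled' }
    elseif ($Policy.LockoutThreshold -gt $baseline.LockoutThreshold) {
        $notes += "LockoutThreshold $($Policy.LockoutThreshold) is above the assumed $($baseline.LockoutThreshold)"
    }

    [pscustomobject]@{
        Policy      = $Name
        MinLength   = $Policy.MinPasswordLength
        MaxAgeDays  = if ($rotates) { $age.Days } else { 'never' }
        Complexity  = $Policy.ComplexityEnabled
        History     = $Policy.PasswordHistoryCount
        Lockout     = $Policy.LockoutThreshold
        Findings    = ($notes -join '; ')
    }
}

$results = @(Test-PasswordPolicy -Policy $default -Name "Default ($($domain.DNSRoot))")
foreach ($p in $fgpps) {
    # Lower precedence wins when several FGPPs apply to the same user; AppliesTo lists the targets.
    $results += Test-PasswordPolicy -Policy $p -Name "FGPP $($p.Name) (precedence $($p.Precedence))"
}
$results | Format-List
```

Switching ComplexityEnabled off without a banned-password list in place makes things worse, not better: nothing then stops a user from choosing a password that is already in every breach list, which is exactly what the breached-password check earlier in the article exists to catch.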