It is human nature to use passwords that are both easy to type and easy to remember. They can be familiar keyboard patterns like 12345 or words like password. Lists of commonly used passwords (called password dictionaries) are easily accessible to hackers and attackers, giving them an edge when it comes to cyberattacks.
To make matters worse, huge lists of compromised accounts and their passwords are available publicly. Since users have a tendency to reuse the same password for several sites, attackers can try to log in to multiple sites using the same credentials.
By combining the knowledge of human nature with data-driven lists of common and compromised passwords, attackers have come up with creative attack strategies like:
Admins can secure the organization against these attacks through password blacklisting. Password blacklisting involves banning the use of the most commonly used passwords and their variations. Blacklisting compromised and weak passwords can harden organizational security by preventing attackers from uncovering a user's domain password and getting past the initial password login into the Active Directory domain.
Windows PowerShell does not offer password blacklisting capabilities.
ManageEngine ADSelfService Plus, an identity security solution with multi-factor authentication, single sign-on, and self-service password management capabilities, delivers password blacklisting for Active Directory and enterprise application accounts via its Password Policy Enforcer and integration with Have I Been Pwned?. The former helps impose password policy rules that ban use of dictionary words, palindromes, and patterns, and the latter prevents the use of previously exposed passwords.
With ADSelfService Plus, configure a custom password policy via the Password Policy Enforcer feature
Apart from being easy to configure, ADSelfService Plus has several advantages when compared to PowerShell scripts.
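The exposed-password check that the Have I Been Pwned? integration performs can be reproduced against the public Pwned Passwords range API using k-anonymity: only the first five hex characters of the password's SHA-1 hash are sent, and the full hash is matched locally against the returned suffix list. The block below is an added example, not ManageEngine's or HIBP's code; the sample range body and its counts are constructed, and the API is only queried when no body is supplied.

```powershell
# Added example: k-anonymity lookup against the Pwned Passwords range API.
# Only the first five hex characters of the SHA-1 hash ever leave the machine;
# the full hash is matched locally against the returned suffix list.

function Get-Sha1Hex {
    param([Parameter(Mandatory)][string]$Text)
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
        return (($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join '')
    }
    finally { $sha1.Dispose() }
}

# Parses a range response (one "SUFFIX:COUNT" per line) and returns the breach
# count for the given 35-character suffix, or 0 when the suffix is absent.
function Get-RangeMatchCount {
    param(
        [Parameter(Mandatory)][string]$RangeBody,
        [Parameter(Mandatory)][string]$Suffix
    )
    foreach ($line in ($RangeBody -split "`r?`n")) {
        $parts = $line.Trim() -split ':'
        if ($parts.Count -eq 2 -and $parts[0] -eq $Suffix) { return [int]$parts[1] }
    }
    return 0
}

function Test-PwnedPassword {
    param(
        [Parameter(Mandatory)][string]$Password,
        # Pre-fetched range body for offline use; when omitted the API is queried
        [string]$RangeBody
    )
    $hash   = Get-Sha1Hex -Text $Password
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)
    if (-not $RangeBody) {
        # Add-Padding makes every response a similar size, so response length leaks nothing
        $RangeBody = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" -Headers @{ 'Add-Padding' = 'true' }
    }
    $count = Get-RangeMatchCount -RangeBody $RangeBody -Suffix $suffix
    [pscustomobject]@{ Prefix = $prefix; Pwned = ($count -gt 0); Count = $count }
}

# Constructed sample body for prefix 5BAA6 (the prefix of SHA-1("password")).
# The counts are made up; a real response lists every suffix seen for the prefix.
$sampleBody = @"
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0000000A1D4B746FAA3FD526FF6D5BC8052:1
"@

Test-PwnedPassword -Password 'password' -RangeBody $sampleBody
```

The hash is computed from the candidate at the moment a password is set or reset; nothing stored in Active Directory is read, which is also why a live lookup belongs in a password-change workflow rather than in a scan of existing accounts.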
Store weak passwords in a text file (C:\BlocklistPasswords.txt), one per line. Add more weak passwords to this list as needed.

password
123456
qwerty
admin
welcome

Compare a user's password against the blocklist. The script below checks whether a user's password appears in the weak password list.
# Load the blocklist once; normalize to lowercase so the comparison is case-insensitive
$weakPasswords = Get-Content "C:\BlocklistPasswords.txt" | ForEach-Object { $_.Trim().ToLowerInvariant() }

$users = Get-ADUser -Filter *

foreach ($user in $users) {
    # Active Directory never returns a stored password, so Get-ADUser cannot supply it:
    # the value must come from the point where the password is set (for example a reset
    # workflow). "userpassword" is a placeholder for that plaintext. Wrapping it in a
    # SecureString would make the -contains check below never match a string list.
    $password = "userpassword"
    if ($weakPasswords -contains $password.ToLowerInvariant()) {
        Write-Host "$($user.SamAccountName) has a weak password."
    }
}

Modify the default domain password policy to enforce complexity. This sets a minimum length of 12 characters, requires complex passwords, and locks the account after five failed attempts.
Set-ADDefaultDomainPasswordPolicy -Identity "yourdomain.com" -MinPasswordLength 12 -ComplexityEnabled $true -LockoutThreshold 5

Send email alerts to users found with weak passwords. This will prompt users to update weak passwords.
# Uses $weakPasswords from the blocklist script above; EmailAddress must be requested explicitly
foreach ($user in (Get-ADUser -Filter * -Properties EmailAddress)) {
    # AD exposes no readable Password property; "userpassword" is a placeholder for the
    # plaintext captured when the password is set. -SmtpServer is a placeholder host.
    $candidate = "userpassword"
    if (($weakPasswords -contains $candidate.ToLowerInvariant()) -and $user.EmailAddress) {
        Send-MailMessage -To $user.EmailAddress -From "admin@yourdomain.com" -SmtpServer "smtp.yourdomain.com" -Subject "Weak Password Alert" -Body "Please change your password immediately."
    }
}

Run the script below to check for users who use weak or old passwords.
Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { ($_.PasswordLastSet -eq $null) -or ($_.PasswordLastSet -lt (Get-Date).AddDays(-90)) }

Use fine-grained password policies (FGPP) and enforce complexity rules using the script below.
New-ADFineGrainedPasswordPolicy -Name "StrictPolicy" -Precedence 1 -MinPasswordLength 12 -ComplexityEnabled $true
# A fine-grained policy is enforced only for the users or groups it is assigned to ("Domain Users" is a placeholder)
Add-ADFineGrainedPasswordPolicySubject -Identity "StrictPolicy" -Subjects "Domain Users"

This requires passwords to be at least 12 characters long and complex for the users the policy is applied to.
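The blocklist script above matches exact entries only, while the page's point is to ban common passwords and their variations, along with dictionary words, palindromes and patterns. The block below is an added example of such a rule set, not ManageEngine's Password Policy Enforcer code; the blocklist contents, the leet-substitution table and the four-character sequence threshold are assumptions for this example, and the candidate passwords are constructed.

```powershell
# Added example: a rule set of the kind a password policy enforcer applies, covering
# a blocklist, common variations of its entries, palindromes and keyboard/alphabet
# sequences. Blocklist contents, substitution table and thresholds are assumptions.

# Constructed blocklist; in practice read it from C:\BlocklistPasswords.txt
$DefaultBlocklist = @('password', 'welcome', 'qwerty', 'admin', 'letmein')

# Keyboard rows and the alphabet, checked forwards and backwards
$SequenceRows = @('qwertyuiop', 'asdfghjkl', 'zxcvbnm', '1234567890', 'abcdefghijklmnopqrstuvwxyz')

function Get-ReversedString {
    param([Parameter(Mandatory)][string]$Text)
    $chars = $Text.ToCharArray()
    [array]::Reverse($chars)
    return (-join $chars)
}

# Reduces a candidate to the dictionary word it was built from: lowercase, leading and
# trailing digits/symbols removed, then common leet substitutions undone
# ("P@ssw0rd2024!" becomes "password").
function Get-PasswordRoot {
    param([Parameter(Mandatory)][string]$Password)
    $root = $Password.ToLowerInvariant() -replace '^[^a-z]+|[^a-z]+$', ''
    $leet = @{ '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'; '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't' }
    foreach ($k in $leet.Keys) { $root = $root.Replace($k, $leet[$k]) }
    return $root
}

function Test-PasswordAgainstRules {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string[]]$Blocklist = $DefaultBlocklist,
        [int]$MinSequence = 4
    )
    $reasons = New-Object System.Collections.Generic.List[string]
    $lower   = $Password.ToLowerInvariant()

    # Rule 1: the password, or the word it is derived from, is blocklisted
    foreach ($candidate in (@($lower, (Get-PasswordRoot -Password $lower)) | Select-Object -Unique)) {
        if ($Blocklist -contains $candidate) { $reasons.Add("blocklisted word or variation ('$candidate')"); break }
    }

    # Rule 2: palindromes ("abccba") are easy to guess despite passing complexity checks
    if ($lower.Length -ge $MinSequence -and $lower -eq (Get-ReversedString -Text $lower)) {
        $reasons.Add('palindrome')
    }

    # Rule 3: any run of $MinSequence characters that walks a keyboard row or the alphabet
    :rows foreach ($row in $SequenceRows) {
        $reversed = Get-ReversedString -Text $row
        for ($i = 0; $i -le $lower.Length - $MinSequence; $i++) {
            $chunk = $lower.Substring($i, $MinSequence)
            if ($row.Contains($chunk) -or $reversed.Contains($chunk)) {
                $reasons.Add("keyboard or alphabet sequence ('$chunk')")
                break rows
            }
        }
    }

    [pscustomobject]@{ Password = $Password; Allowed = ($reasons.Count -eq 0); Reasons = ($reasons -join '; ') }
}

# Constructed candidates exercising each rule
'P@ssw0rd2024!', 'Welcome1', 'Abccba', 'Qwerty!!', 'Tr0ub4dor&3' |
    ForEach-Object { Test-PasswordAgainstRules -Password $_ } |
    Format-Table -AutoSize
```

Because these rules need the plaintext candidate, they belong where the password is being chosen (a reset or change workflow), which is the same reason the domain-wide scans on this page cannot inspect existing passwords.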
Yes, check password history with the commands below. They show how many old passwords are stored in history to prevent reuse.

# msDS-PasswordHistoryLength is an attribute of password-settings objects, not of user
# accounts, so read the history count from the policy that applies to the user
Get-ADUserResultantPasswordPolicy -Identity username | Select-Object Name, PasswordHistoryCount
# If no fine-grained policy applies (the command above returns nothing), the default domain policy is in effect
(Get-ADDefaultDomainPasswordPolicy).PasswordHistoryCount