Are Default Passwords Hiding in Your Active Directory? Here’s how to check


One of the biggest cybersecurity mistakes a company can make is not changing a default password. For example, imagine what could happen if a home user didn’t change the default password on their Wi-Fi router.

A cybercriminal could perform a simple web search to determine the router manufacturer’s default password and then log into the router. From there, the criminal could potentially change the router’s password, effectively locking its owner out.

The problem, as this example shows, is that default passwords are well-documented and easy to exploit, both at home and in business. In fact, many password spray attacks specifically target default passwords.

Atlassian has a product called Confluence that acts as a remotely accessible collaborative workspace. In addition to the main Confluence app, the company also makes a supporting app called Questions for Confluence. This app, which has been downloaded thousands of times, automatically creates a default username and password that are used to facilitate customer data migration from the application to the Confluence Cloud.

Unfortunately, someone was able to figure out the default username and password hardcoded into the app and leaked the cracked credentials online. An attacker who knows these credentials can take full control of any unrestricted page in Confluence.

Worse still, uninstalling the Questions for Confluence app doesn’t fix the problem as the credentials persist even after removing the app.

Atlassian has released a patch that will help secure vulnerable systems, but is also asking affected customers to remove or disable the account named disabledsystemuser.

Although this particular incident was specific to Atlassian, it underscores the dangers posed by default passwords.

Are default passwords inevitable?

Unfortunately, default passwords can be difficult to avoid. Every organization uses them at least in some way. Think about your own organization and the process you currently have for creating new user accounts. Most likely, these accounts are initially assigned a default password that needs to be changed when a user logs in for the first time.

The problem with this is that there may be accounts lurking in your Active Directory that were created but never used. Imagine what could happen if a new employee is hired but doesn’t show up (a fairly common occurrence). An account may already have been created for the employee, and unless the organization has a policy to remove the account, it can exist indefinitely—with a default password.
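One way to shortlist the never-used accounts described above, as an added example that is not from the article or from Specops: the script below queries Active Directory for enabled users that have never logged on and whose password has not been set since the account was created, which is the signature of an onboarding default password still in place. It assumes the RSAT ActiveDirectory module and a read-only domain account; $MinAgeDays and $ReportPath are hypothetical local settings.

```powershell
# Added example (not the article's or Specops' code): find enabled AD user accounts
# that appear to have been created with a default password and never used.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

$MinAgeDays = 30    # hypothetical: skip accounts created recently (still being onboarded)
$ReportPath = "$env:TEMP\never-used-accounts.csv"   # hypothetical output location
$Cutoff     = (Get-Date).AddDays(-$MinAgeDays)

# pwdLastSet is the raw attribute: 0 means "user must change password at next logon",
# which is how most onboarding processes hand out the initial (default) password.
# LastLogonDate is derived from lastLogonTimestamp, which is replicated to every DC but
# only refreshed every 9-14 days; an account that truly never logged on has it unset,
# hence the age cutoff above to avoid flagging brand-new accounts.
$props = 'whenCreated', 'PasswordLastSet', 'pwdLastSet', 'LastLogonDate', 'Description'

$candidates = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props |
    Where-Object {
        # old enough that a real user would have logged on by now
        $_.whenCreated -lt $Cutoff -and
        # no logon recorded on any domain controller
        -not $_.LastLogonDate -and
        (
            # still flagged "must change at next logon", or
            $_.pwdLastSet -eq 0 -or
            # password set only once, at creation time (within 10 minutes of whenCreated)
            ($_.PasswordLastSet -and
             [math]::Abs(($_.PasswordLastSet - $_.whenCreated).TotalMinutes) -lt 10)
        )
    }

$report = @($candidates | ForEach-Object {
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        Created         = $_.whenCreated
        DaysSinceCreate = [int]((Get-Date) - $_.whenCreated).TotalDays
        PasswordState   = if ($_.pwdLastSet -eq 0) { 'MustChangeAtNextLogon' } else { 'UnchangedSinceCreation' }
        Description     = $_.Description
    }
})

$report | Sort-Object DaysSinceCreate -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $($report.Count) enabled account(s) that appear never to have been used; report written to $ReportPath"
```

Accounts on the resulting list are candidates for disabling or removal under the account-lifecycle policy mentioned above; the script only reads the directory and changes nothing.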

Find default passwords that are no longer needed

The question is how to track down default passwords on your network when they are no longer useful. One of the best options is to use a free read-only tool called Specops Password Auditor.

Although this tool doesn’t crack passwords, it can tell you which of your users share the same password. So you could create a new account with a default password and then run a report to find out whether other accounts use the same password as the account you just created (i.e., the default password).

By the way, this report is also good for finding service accounts using identical passwords or admins using the same password for their privileged and unprivileged accounts.

It’s worth noting that Specops Password Auditor can do much more than just look for default passwords. You can also use it to find users who haven’t changed their passwords for a long time (which may indicate that the account has been abandoned).

Likewise, you can look for things like expired passwords, blank passwords, or passwords that are known to have been compromised.

Prevent the use of third-party default passwords in your Active Directory

You should also ensure that your Active Directory environments do not have vendor default passwords in place. One of the best ways to prevent such passwords is Specops Password Policy, which allows you to create a custom list of banned passwords.

You can then populate this list with the passwords that hardware and software vendors use by default. This way, anyone trying to set one of these default passwords will be prevented from doing so, closing off a well-known security vulnerability.

You can test the Specops Password Policy in your Active Directory for free at any time.

Sponsored by Specops
