How Organizations Can Prevent Users From Using Cracked Passwords - iHash (2023)

go throughhash Comment

How Organizations Can Prevent Users From Using Cracked Passwords - iHash (1)

Without a doubt, attackers are targeting your sensitive account data. Passwords have long been a target for people looking to compromise their environments.

Why would an attacker take the long and complicated path when he has the front door keys?

No matter how extensively your security solution protects the various systems in your environment, without proper password protection, your organization can be an easy target. One type of cipher that is particularly vulnerable is thepassword cracked, which is the password "pwned".

What is cracking passwords? How to detect cracked passwords in your environment? How can organizations effectively protect their end users from using these types of passwords?


Risk of Account Hacking

IBM's 2020 Cost of a Data Breach Report identifies the report's key finding as compromised credentials as the leading cause of malware data breaches. Note:

“Stolen or compromised credentials are the most costly reason for a malicious data breach. One in five (19%) companies that experienced a malicious data breach were compromised by the theft or compromise of credentials, increasing the average total cost of a breach for these companies by nearly $1 million to $4.77 million.Overall, malicious attacks were the most common root cause (52% of breaches in the study) compared to human error (23%) or system failure (25%), averaging The total cost was $4.27 million."

This data helps underscore the importance of protecting account credentials and providing safeguards against the use of risky or even insecure passwords within an organization. One set of stolen credentials is enough for an attacker to compromise your data.

What is a cracked or "hacked" password?

When we talk about compromised passwords in your environment, are we saying that your organization has been actively compromised? No, not necessarily. However, passwords that identify user accounts in your environment have been compromisedother organizationsforyesoverall environmental security.

Hackers have access to huge databases of passwords leaked in previous data breaches or massive account data dumps. Databases containing cracked passwords are easy to find on the dark web, as cybercriminals post reams of account information for others to exploit. They use them to brute force attacks on user accounts in the organization or spray passwords, among other things.

You might be wondering how using a password that was compromised in a previous data breach or hack would work in your environment. It all depends on what people think, no matter what organization your employer is. Users tend to use the same types of patterns as everyone else when choosing their passwords. The truth is, a user's password in one environment may exist in another user's compromised password in another organization. By using a compromised password database, attackers can easily gain access to a large number of passwords that can be used for any number of accounts across all organizations.

Be sure to protect your organization from using previously compromised passwords.

if passwordbecomeWhen choosing user passwords, it is important to understand the risk in your environment and proactively address the threat should a user's password be compromised.

How can your organization gain visibility and protect users' passwords?

Native tools are not enough

Microsoft Active Directory provides many tools and management tools for interacting with end-user accounts and managing passwords. However, none of the built-in tools provided by Microsoft Active Directory provide visibility into compromised passwords. IT administrators can download a free PowerShell tool to check passwords against a small subset of compromised passwords. However, these tools may not be proactively updated with the latest violation information and must be run ad-hoc to periodically check the environment.

Scanning your environment for potential password leaks with the free PowerShell tool can help provide some visibility. However, at best they provide a reactive approach, providing only visibility into compromised passwords in the environment, rather than proactive protection. These types of tools do not prevent users from using cracked passwords when setting their passwords.

Is there a way to completely avoid using leaked passwords? How about proactively detecting leaked passwords and forcing users to change leaked passwords?

Specops breach password protection

Specops Password Policies give companies the tools they need to meet the challenges of cracking passwords. A strong element of Specops password policy is preventing password disclosure. By using Specops Password Policies, companies can easily extend their existing Active Directory password policies and provide proactive password protection in the event of a breach.

Key features of Specops Password Compromise Protection:

  • Contains leaked password list – Contains thousands of leaked passwords from different sources and blacklist of leaked passwords from reputable sources like
  • It contains billions of cracked passwords that have been verified in your environment.
  • Immediately block users from using passwords on the leaked password list,
  • With Specops Broached's comprehensive password protection, if users change their password to one of the leaked password list, they will be notified via email or text message.
  • Their accounts were also flagged, forcing users to change their passwords the next time they log in.

Specops can retrieve an up-to-date password list in a number of ways. go throughComplete APISpecops Arbiters communicate with the Specops API in real-time to ensure that users do not use passwords that are on the latest violation lists that Specops monitors.

How Organizations Can Prevent Users From Using Cracked Passwords - iHash (2)
Specops breaks password protection with full API inspection

IT administrators can also use the archive to download the latest list of leaked passwordsexpress listoption. Specops alerts when new listings are available. After the latest list is downloaded, Active Directory is checked locally for any offending entries.

How Organizations Can Prevent Users From Using Cracked Passwords - iHash (3)
Download the list of compromised passwords locally using the Specops Express list

Prevent users from using cracked passwords

How to use Specops to violate password protection to prevent end users from using it? Specops Password Policy makes it easy. In Specops Password Policy Settings, you can configure password policies as follows:

  • Prevent users from changing compromised passwords
  • Force users to change leaked passwords when the list of leaked passwords is updated
  • Notify users when they are forced to change their passwords
How Organizations Can Prevent Users From Using Cracked Passwords - iHash (4)
Specops password policy with compromised password protection

Specops' password policies help communicate password requirements to end users in a more intuitive way than the native Windows password change messages end users typically see.

The following is an example of the message a user receives when they try to change their password to one from the list of compromised passwords.

How Organizations Can Prevent Users From Using Cracked Passwords - iHash (5)
A password change message appears when a password change request fails due to a compromised password


The use of passwords that protect your environment from compromise is critical to keeping your user accounts secure and protecting your critical data. There are no built-in native Active Directory tools that provide visibility into these dangerous user account passwords. Although you can download and use custom PowerShell scripts to scan your Active Directory environment, they require a manual process and their code or listings may be out of date.

Specops Password Policy with Password Compromise Protection is an excellent solution for proactively preventing the use of compromised passwords in your environment. It seamlessly integrates with existing Active Directory password policies configured through Group Policy Objects (GPOs) and provides real-time protection against password compromise.

Learn more about Specops password policy here.



Top Articles
Latest Posts
Article information

Author: Jonah Leffler

Last Updated: 09/13/2023

Views: 6082

Rating: 4.4 / 5 (65 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Jonah Leffler

Birthday: 1997-10-27

Address: 8987 Kieth Ports, Luettgenland, CT 54657-9808

Phone: +2611128251586

Job: Mining Supervisor

Hobby: Worldbuilding, Electronics, Amateur radio, Skiing, Cycling, Jogging, Taxidermy

Introduction: My name is Jonah Leffler, I am a determined, faithful, outstanding, inexpensive, cheerful, determined, smiling person who loves writing and wants to share my knowledge and understanding with you.