New Weak Password Test Tool Allows IT Managers to Check Active Directory for Multiple Password-related Vulnerabilities Caused by Users
On the heels of Verizon’s 2017 Data Breach Investigations Report, IT security company KnowBe4 released Weak Password Test (WPT), a free tool for organizations that use Active Directory. As the fastest growing security awareness training and simulated phishing company, KnowBe4 found this was an area where companies needed help. The Verizon report, which KnowBe4 participated in, showed 81 percent of hacking-related data breaches leveraged either stolen and/or weak passwords.
According to KnowBe4 CEO Stu Sjouwerman, “KnowBe4’s release of Weak Password Test furthers our mission to empower IT pros with proactive tools to detect threats and educate their users to have security top of mind. Our customers use KnowBe4’s new-school security awareness to reduce their organizations’ phish-prone percentage, and now they can also mitigate both user- and implementation-related password management weaknesses. Using a weak password is an open-door invitation to cybercriminals. Weak Password Test makes it quick and easy to identify weak passwords so IT managers can take effective action fast.”
WPT checks Active Directory for multiple types of threats related to weak passwords. The tool connects to Active Directory and analyzes it locally for the following vulnerabilities in just a few minutes:
- Weak Passwords - including the most common passwords and dictionary passwords
- Duplicate Passwords - passwords shared among multiple accounts
- Empty Password - accounts that have blank passwords
- Password Never Expires - accounts with no requirement to change the password
- Password Not Required - accounts that could be set to a blank password
- LM Hash Password - accounts that store passwords using a LAN Manager hash, which is susceptible to brute force attacks
- AES Keys Missing - accounts set up under older AD functional levels, which therefore have no AES keys and fall back to weaker encryption methods
- Kerberos DES-Only - accounts set up to use the older, since-retired DES encryption mechanism
- Pre-Authentication Missing - accounts that do not require Kerberos pre-authentication, giving an attacker the ability to perform offline brute force attacks that are less likely to be detected
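Several of the checks above correspond to flags on the account object itself, so an administrator can reproduce that part of the audit with the RSAT ActiveDirectory module. The script below is an added example and is not KnowBe4's WPT code; it assumes it runs as a domain user with read access to the directory, uses the userAccountControl and msDS-SupportedEncryptionTypes bit values documented by Microsoft, and takes a hypothetical `$AesSince` date (when your domain reached a functional level that derives AES keys) as a labelled assumption. It reads no password hashes, so the empty, duplicate and LM-hash checks, which require comparing stored credentials, are deliberately outside its scope.

```powershell
# Added example, not part of the WPT tool. Enumerates enabled AD accounts whose
# attributes match the attribute-level checks in the list above.
Import-Module ActiveDirectory

# userAccountControl bits (MS-SAMR / MS-ADTS)
$UF_PASSWD_NOTREQD       = 0x20       # password not required
$UF_DONT_EXPIRE_PASSWD   = 0x10000    # password never expires
$UF_USE_DES_KEY_ONLY     = 0x200000   # Kerberos DES-only
$UF_DONT_REQUIRE_PREAUTH = 0x400000   # pre-authentication not required

# msDS-SupportedEncryptionTypes bits
$KERB_ENCTYPE_AES128 = 0x08
$KERB_ENCTYPE_AES256 = 0x10

# ASSUMPTION: the date your domain was raised to a functional level that stores
# AES keys. Keys are derived when a password is set, so an account whose
# password predates this date still has no AES keys regardless of attributes.
$AesSince = Get-Date '2010-01-01'

$props = 'userAccountControl', 'msDS-SupportedEncryptionTypes', 'PasswordLastSet'
$users = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props

function Get-AccountIssues {
    param([int]$Uac, $EncTypes, [datetime]$PasswordLastSet)
    $issues = @()
    if ($Uac -band $UF_PASSWD_NOTREQD)       { $issues += 'PasswordNotRequired' }
    if ($Uac -band $UF_DONT_EXPIRE_PASSWD)   { $issues += 'PasswordNeverExpires' }
    if ($Uac -band $UF_USE_DES_KEY_ONLY)     { $issues += 'KerberosDESOnly' }
    if ($Uac -band $UF_DONT_REQUIRE_PREAUTH) { $issues += 'PreAuthNotRequired' }

    # Attribute explicitly set without any AES bit (e.g. RC4-only), or a
    # password that was last set before AES keys were being derived.
    $aesMask = $KERB_ENCTYPE_AES128 -bor $KERB_ENCTYPE_AES256
    if (($null -ne $EncTypes -and -not ($EncTypes -band $aesMask)) -or
        ($PasswordLastSet -and $PasswordLastSet -lt $AesSince)) {
        $issues += 'AESKeysMissing'
    }
    return $issues
}

$findings = foreach ($u in $users) {
    $issues = Get-AccountIssues -Uac ([int]$u.userAccountControl) `
                                -EncTypes $u.'msDS-SupportedEncryptionTypes' `
                                -PasswordLastSet $u.PasswordLastSet
    if ($issues) {
        [pscustomobject]@{
            SamAccountName  = $u.SamAccountName
            Issues          = ($issues -join ', ')
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

# Report only the affected accounts; no credential material is read or shown.
$findings | Sort-Object SamAccountName | Format-Table -AutoSize

# LM hash storage is a domain controller policy rather than a per-account
# attribute. Run on a DC: NoLMHash = 1 means newly set passwords are not stored
# as LM hashes (hashes already stored persist until the password is changed).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa -and $lsa.NoLMHash -ne 1) {
    Write-Warning 'NoLMHash is not enabled: new passwords may be stored as LM hashes.'
}
```

Each flagged account maps to a remediation rather than a password reveal: clear PASSWD_NOTREQD and DONT_EXPIRE_PASSWD, re-enable pre-authentication, and force a password change on DES-only or pre-AES accounts so fresh AES keys are derived. Compare the list against your service-account inventory before changing flags, since some of these settings are deliberate on legacy service accounts and should be tracked as exceptions rather than silently reverted.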
By using WPT, IT managers will know whether their password management fails in any of these areas so that they can take action. Depending on the failures, this may involve user training or technical controls being put into place.
Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, added: “Weak Password Test demonstrates our commitment to provide organizations with tools aimed at strengthening their security and risk posture by detecting behavior-based threats caused by human error. New-school security awareness is all about the intersection of behavior and training. I love the WPT because it advances that vision by giving organizations insight into the password-management practices of their employees. Savvy security awareness program managers can then take this insight and tailor training to match the behavior patterns that are reported.”
To keep security tight, the tool does not show or report the actual passwords of accounts; it simply reports the accounts that are affected by the aforementioned vulnerabilities.
For more information, or to download the no-charge Weak Password Test, visit www.knowbe4.com/weak-password-test.
KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform, is used by more than 9,500 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO Fraud and other social engineering tactics through a new school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s trainings based on his well-documented social engineering tactics. Thousands of organizations trust KnowBe4 to mobilize their end-users as the last line of corporate IT defense.
KnowBe4 is number 139 on the 2016 Inc 500 list, #50 on the 2016 Deloitte Technology Fast 500 and #38 in the Cybersecurity Ventures Cybersecurity 500. KnowBe4 is based in Tampa Bay, Florida. For more information, visit www.knowbe4.com and follow Stu on Twitter at @StuAllard.