It has been more than a year since I last shared Preempt Inspector statistics. Last time we shared Preempt Inspector statistics we found some alarming numbers . With the end of 2018 approaching, I would like to share with you key findings from Preempt Inspector to help you focus on the most important security issues you might be facing.
Preempt Inspector ReminderPreempt Inspector is a free security posture evaluation tools offered by Preempt. The tool monitors various aspects of password and Active Directory security:
Weak Passwords : We define compromised credentials as passwords that exist in well-known password lists. To test this, we’ve created a password dictionary containing 10M of the most common passwords. In a previous blog , this dictionary was used to crack 35% of breached LinkedIn password hashes.
Shared Passwords : We define shared passwords as passwords that are shared by different users (unless password is extremely weak, two users with the same password could not happen by accident).
Stealthy Admins : We define stealthy admins as user accounts with special permissions over other accounts (e.g., changing a user password, modifying a particular security group) not via AD protected groups, in a way that effectively makes user with permissions equivalent to these of a domain admin. You can get more details regarding stealthy admins here .
Exposed Group Policy Passwords In the past, it was possible to store passwords in Group Policy Preferences (GPP). However, the passwords stored in the GPP could easily be fetched and decrypted by any user in the network. More details on this issue can be found here .
Password Policy Preempt Inspector also analyzes the domain password policy and assigns a theoretical strength based on the minimal characters you could set and whether password complexity is required.
Preempt Inspector Findings
Since launching Preempt Inspector, about 600 organizations have downloaded the app. More than 100 organizations have chosen to anonymously share security statistics with us. The data collected includes password statistics from several countries (64% from the US, 18% European) and a healthy mix of small (<100 users), medium (100-1000 users) and large (>1000 users) organizational networks. We have found many interesting and surprising statistics regarding how vulnerable most enterprise networks are to these known and simple security vulnerabilities:
32% of networks had some exposed passwords (GPP passwords)
Roughly 1 in 3 enterprise networks have some passwords exposed in GPP for any authenticated user to recover. From our experience, these passwords in some cases are applicable and in many cases belong to administrative account (domain or local).72% of networks had at least one stealthy admin detected
In most networks we scanned, we discovered at least one user granted special permissions not through a protected AD group. One such known account is the MSOL account used for Azure AD Connect. However, in most cases (61%), we found more than just one account with stealthy privileges.Only 5% of networks had a strong password policy, 23% of networks had a very weak password policy
In our analysis of password policy we’ve scored each password policy and divided password policies into three groups low, medium and high. A low score was given to policies that either mandate 7 character passwords or mandate password complexity, a medium score was assigned to policies that mandate less than 10 characters (or 9 characters and complexity). Policies that mandated more than 10 characters or 10 characters and complexity were given a high score. Overall, only 5% had a high password policy, and surprisingly, 23% had a low password policy.Figure 1 Weak Password by Password Complexity Score
We have further researched the impact of the password policy and the actual strength of passwords in these enterprises and analyzed how many passwords we were able to crack with each policy applicable. Not surprisingly, the better the password policy is, the less passwords we were able to crack. More interestingly, the difference between low and medium score is lower than between medium and high. For enterprises with medium password policy scores, we were able to crack roughly 10% of the passwords. For enterprises with a high score for password policy, we were able to crack only 0.8% of the passwords. This is a strong indication that at least 10 characters passwords is crucial for password strength.
Overall, 97% of inspected enterprises revealed at least one security issue.
Perhaps the most alarming finding we can share is that even though our scan contains only known issues, in almost all networks we’ve scanned we’ve found some security issues. In the minority case where no security issues were found, clients only scanned for one issue (Preempt Inspector allows running a subset of inspections).Bigger organizations have better security posture.
We measured the average percentage of users with a weak password (compromised or shared) in each organization size and found that the bigger an organization is, the more secure their passwords are. In large organizations we were able to crack 9% of the passwords, in medium organizations we were able to crack 10% of the passwords and in small organizations we were able to crack 16.78% of the passwords.
Figure 2 Weak Password by Organization Size
This reaffirms our previous research findings.
US-based organizations have best password quality, Europe came in second.
We divided the data into US-based enterprises (64%), European-based enterprises (18%) and others. The results clearly show that password quality in US and Europe is better than rest of the world with 6.3% of US passwords that were cracked, 12% of Europe passwords 18% of the passwords from the rest of the world.Figure 3 Weak Password by location
30% of enterprises improved security metrics in recurring inspector runs
Some of the enterprises have used