Last week, we talked about password expiration, and the recent guidance that recommends doing away with it. But those same papers recommended that you beef up your password security in other ways. One way is by auditing the strength of your current passwords.
A great way to audit your Active Directory passwords is with the Test-PasswordQuality cmdlet included in the excellent DSInternals PowerShell module. This cmdlet runs several checks against all of your AD account passwords and gives you the details, so that you can take action to fix the weaknesses it finds.
It’s important to note that DSInternals is a third-party tool, so be sure to take that into account before following these instructions.
If you’re running PowerShell 5, you can use the Install-Module cmdlet to grab a copy of DSInternals from the official PowerShell Gallery:
If you’re running an older version of PowerShell, or need to install it on an internet-isolated system, head over to the GitHub page and grab the latest ZIP file.
Unzip this to one of the following PowerShell module directories:
Or just use the Import-Module command to import DSInternals.psd1.
Confirm that you have it installed by running Get-Command -Module DSInternals.
Setting Up the Test
To check your password quality against a list of known weak passwords, you’ll need to download a dictionary list. Weakpass.com has password lists of various lengths. A longer list will catch more weak passwords, but it will take much longer to run. Start with the Top 100,000 weakest passwords, and then go up from there.
Download the list as a text file and save it somewhere convenient. Then convert the plaintext passwords to NT hashes using the ConvertTo-NTHashDictionary cmdlet, so the test can compare hash-to-hash against the hashes it pulls from AD:
This command will output a report that lists the following password issues:
Accounts with passwords stored using reversible encryption, or with weak LM hashes
Accounts with no password
Accounts sharing the same password
Accounts with passwords set to never expire
And, of course, accounts whose passwords were on the list of weak passwords you supplied
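Here is the whole audit, from dictionary conversion to a summary of the report, as an added example that is not code from the original post or from the DSInternals project. The dictionary path, the domain controller name DC01 and the output path are placeholders; the report property names are the ones documented for Test-PasswordQuality, so confirm them with Get-Help against your installed version.

```powershell
# Added example (not from the original post or the DSInternals project).
# Assumed placeholders: dictionary path, DC name 'DC01', output path.
# Report property names are as documented for Test-PasswordQuality; verify
# them with Get-Help Test-PasswordQuality -Full on your installed version.
Import-Module DSInternals

$dictionaryPath   = 'C:\Audit\Top100000.txt'        # plaintext list downloaded from Weakpass
$domainController = 'DC01'                          # replace with a DC in your domain
$reportPath       = 'C:\Audit\PasswordQuality.txt'

# 1. Convert the plaintext dictionary to NT hashes once. The comparison is
#    hash-to-hash, so the cleartext list is never held per account.
$weakHashes = Get-Content -Path $dictionaryPath | ConvertTo-NTHashDictionary

# 2. Pull every account's secrets through directory replication (DRS). This
#    requires the "Replicating Directory Changes All" right (normally Domain
#    Admin) and produces replication events you should expect in DC audit logs.
$accounts = Get-ADReplAccount -All -Server $domainController

# 3. Run the checks. Disabled accounts are included so dormant weak passwords
#    surface as well; drop the switch if you only want enabled accounts.
$report = $accounts | Test-PasswordQuality -WeakPasswordHashes $weakHashes -IncludeDisabledAccounts

# 4. Keep the full report for the record, then pull out the items that need follow-up.
$report | Out-File -FilePath $reportPath -Encoding UTF8

$findings = [ordered]@{
    'Cleartext/reversible encryption' = $report.ClearTextPassword
    'LM hash present'                 = $report.LMHash
    'Empty password'                  = $report.EmptyPassword
    'Password never expires'          = $report.PasswordNeverExpires
    'On weak-password list'           = $report.WeakPassword
}

foreach ($entry in $findings.GetEnumerator()) {
    $count = @($entry.Value).Count
    Write-Host ("{0,-35} {1,5}" -f $entry.Key, $count)
}

# Shared passwords come back as groups of account names; each group is one finding.
$groupNum = 0
foreach ($group in $report.DuplicatePasswordGroups) {
    $groupNum++
    Write-Host ("Duplicate password group {0}: {1}" -f $groupNum, ($group -join ', '))
}

# Only account names are reported; the tool never prints the passwords themselves.
```

The report file contains account names, so store it with the same care as any other audit artifact and delete the converted hash dictionary when you are done.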
Once you have that report, you’ll need to decide what action to take. For any accounts with irregular password security, like never-expiring passwords, find out whether there is a documented reason for that security exception.
You’ll also want to notify users whose passwords appeared on the weak password list. They may need some training to help them come up with a more secure password. We’ll cover how you can tackle that in next week’s article.