Better Passwords Project: The State of Active Directory Passwords
After a successful penetration test of an Active Directory-based network, we perform an analysis of the average password quality by cracking NT hashes with hashcat. We built a database containing non-identifying key quantities of each analysis and can now make robust statements about the password quality across many organizations.
Given this new insight into an otherwise extremely private and sensitive area, we can derive guidance on where to focus efforts when attempting to increase the average password quality of an Active Directory’s user base. We also cover why attackers love weak passwords, why weak passwords can endanger your entire domain and why password policies are almost useless.
For the password analysis we use a self-developed tool called “Hashcathelper”, which will be released as a free open source tool. Hashcathelper helps you crack the output of Impacket’s secretsdump with fixed “boundary conditions”, filters out disabled accounts, outputs statistics about all recovered passwords as well as the top 10 passwords and top 10 basewords, and highlights details such as passwords violating the password policy, accounts whose passwords are known to the “Have I been Pwned” project and accounts that reuse passwords.
Thanks to the database of password analyses with fixed “boundary conditions”, we can make precise statements about various quantities such as the average share of cracked passwords, including uncertainties, and place each result in context with the other organizations whose data was added to the corpus.