If you haven’t yet read Part 1 of this two-part blog series, The Dark Side of Passwords, take a look! It will give you a basic understanding of how passwords are stored, along with the most common adversarial cracking techniques.
Read Password Security, Part 1: The Dark Side of Passwords >
Now, let’s take a deeper dive into the human factor. Most people are used to creating a password for everything these days. Online banking, social media, email, and their work accounts… the list goes on. Between the sheer volume of passwords and password rotation requirements, people cope by using predictable patterns, which weakens password security.
Identifying these patterns significantly increases the odds of cracking a password. When a set of hashes leaks, for example from an NTDS.dit dump of an Active Directory domain, attackers gain insight into your organization's conventions. After analyzing enough organizations, certain patterns also take shape across most of them, and those shared conventions can be leveraged to significantly increase the chance of cracking a password. We are going to dive into a few of these below.
The most common password security issue is a predictable pattern. People usually think they are being clever and that no one would ever guess the pattern they've chosen. That assumption is what lands those exact passwords in the 40-50% cracked that I mentioned in the previous post. More often than not, we favor convenience over security: as long as the password meets the requirements set by the organization, most users believe it is strong enough. A few of these common patterns are listed below:
Dictionary and ruleset attacks easily crack these patterns.
Through experience, I have come to find that “complexity requirements” tend to lead directly to a common pattern:
The shape that convenience produces is a capitalized dictionary word, a few digits, and a single special character, and that special character is usually an exclamation mark: it is the first one on the keyboard and easy to remember. Passwords like Football01! or Sandwich89! look strong to the user, but a dictionary word with a digits-and-symbol rule appended is exactly what a ruleset attack tries first, so this predictable pattern falls quickly.
Another common pitfall is password reuse. Sometimes it is one user using the same password across multiple platforms; sometimes it is a series of users applying the same "clever" schema to meet their organization's complexity requirements. More times than not, my initial entry vector into an organization is an easily guessable password that passed the complexity test. A common example is the current season and year followed by an exclamation mark, which at the time of writing would be something like Spring2025!.
If you are reading this and your password falls into this “reuse” category, please go change it immediately! While I would love nothing more than to gain an immediate foothold in my pentest, I would likely not be the only one.
For those reading this and asking "How can I stop someone from making these mistakes in my organization?", the answer is simpler than you might think. Active Directory lets you plug a password filter into the domain controllers (Entra Password Protection for on-premises AD supplies one with a custom banned-password list), so you can block-list specific words. Users who try to include a season or the company name are met with a policy violation instead of a successful change. You may upset a few people, but you will make a huge stride forward in protecting your organization.
Additionally, raise the minimum password length to twelve characters. NT hashes are unsalted MD4, so a GPU cracking rig tests them at enormous rates, but exhaustively searching every 10-character password over the full keyboard character set is still beyond most attackers today. That margin shrinks every year as hardware and techniques improve, so a 12-character minimum is the sensible floor for now. Length only helps against brute force, though: Springtime2025! is fifteen characters and falls to the same dictionary-plus-rule attack as Spring2025!, which is why the block-list matters as much as the length.
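As an added example (not the post's code, and not how the filter is actually deployed), the Python below shows the checks a block-list password filter has to make before a new password is accepted. The company name, the banned words and the 12-character floor are assumptions chosen to match the advice above. The normalization step is the part a naive implementation misses: without it, P@ssw0rd2025! sails past a list that contains "password". In production this logic lives in a password filter DLL on every domain controller, or in Entra Password Protection's custom banned list, not in a script.

```python
# Added example: block-list password filter logic. COMPANY, BANNED and
# MIN_LENGTH are assumptions for the illustration, not values from the post.
import re
from datetime import date

COMPANY = "acme"          # assumed organisation name; use your own
MIN_LENGTH = 12
BANNED = {COMPANY, "password", "welcome", "letmein", "qwerty",
          "winter", "spring", "summer", "fall", "autumn"}

# Substitutions users make to sneak a banned word past a naive substring check.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

# Capitalised word, one to four digits, optional trailing symbol: Football01!, Spring2025!
_CONVENIENCE = re.compile(r"[A-Z][a-z]+\d{1,4}[!@#$%^&*.]?")


def normalize(password: str) -> str:
    """Lower-case and undo leet-speak so that P@ssw0rd is compared as password."""
    return password.lower().translate(_LEET)


def check_password(password: str, username: str = "", year=None) -> list:
    """Return the policy violations for a proposed password; an empty list means accepted."""
    year = year or date.today().year
    norm = normalize(password)
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for word in sorted(BANNED):
        if word in norm:
            problems.append(f"contains banned word '{word}'")
    if len(username) >= 3 and normalize(username) in norm:
        problems.append("contains the username")
    # Year check runs on the raw password: normalize() would turn 2025 into 2o25.
    for y in range(year - 2, year + 2):          # two years back, this year, next year
        if str(y) in password:
            problems.append(f"contains the year {y}")
            break
    if _CONVENIENCE.fullmatch(password):
        problems.append("matches the Word+digits+symbol convention")
    return problems


if __name__ == "__main__":
    for pw in ("Spring2025!", "Football01!", "P@ssw0rd2025!", "Acme-Rocks-2024",
               "correct horse battery staple"):
        print(f"{pw:30} -> {check_password(pw, year=2025) or 'accepted'}")
```

Run as-is, the four pattern-built passwords are each rejected for at least one reason while the long passphrase is accepted; the year check is deliberately done on the raw string because the leet-speak folding would otherwise rewrite the digits.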
One of the best security practices is the enforcement of multi-factor authentication (MFA). Most organizations have implemented MFA for external access to internal systems: email and the daily VPN login are commonly protected. However, I have yet to run into a single organization that has implemented multi-factor authentication within their internal environment. Due to implementation complexity and the additional time it would take for employees to authenticate regularly, most organizations skip this essential defense.
If you want to take your password security to the next level, you can look at stronger enterprise solutions. These include password managers and training for employees. You’ll want to ensure that your employees leverage the password manager to generate passwords instead of creating them manually. In doing so, each password is random, complex, and of sufficient length to help negate these attacks.
Additionally, you can investigate other options such as security keys or biometrics, depending on the level of security required. While these may be viable on a smaller scale, for the average organization this may be a little challenging to implement.
It is important to remember that none of these steps mean much without a robust password policy behind them, and a policy is only as good as your visibility into the passwords it produces. You may know every restriction in your password policy and block-list, but even as a domain administrator you can only pull the NT hashes of your users, never their plaintext passwords. Unless you crack each NT hash, you have no idea what passwords your employees have actually chosen, nor how strong or weak they are.
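As an added example (not code from the post or from GuidePoint), the Python below does what both the pattern discussion above and a credential audit rely on: it recomputes NT hashes, which are MD4 over the UTF-16LE password and are exactly what a DCSync or NTDS.dit dump yields, and tries only the two conventions described earlier, Word + two digits + "!" and Season + year + "!", against a small constructed dump. The user names, their passwords and the five-word stand-in dictionary are invented for the example; MD4 is implemented inline because OpenSSL 3 often ships it only in the legacy provider, so hashlib cannot be relied on. The audit summary it returns also reports password reuse, which NT hashes reveal without cracking anything because they are unsalted.

```python
# Added example: crack pattern-built NT hashes and report audit metrics.
# SAMPLE_DUMP, WORDS and the user names are constructed for this illustration.
import struct
from itertools import product

MASK = 0xFFFFFFFF


def _rotl(x, s):
    return ((x << s) | (x >> (32 - s))) & MASK


# (step function, additive constant, message-word order, shift cycle) per RFC 1320 round
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     list(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
)


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, implemented here because hashlib's md4 is often unavailable."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        saved = list(state)
        for fn, const, order, shifts in _ROUNDS:
            for i in range(16):
                # the register being updated rotates A, D, C, B through the 16 steps
                a, b, c, d = (state[(j - i) % 4] for j in range(4))
                state[(-i) % 4] = _rotl(
                    (a + fn(b, c, d) + x[order[i]] + const) & MASK, shifts[i % 4])
        state = [(s + t) & MASK for s, t in zip(state, saved)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as stored in NTDS.dit and returned by DCSync: MD4(UTF-16LE(password)), unsalted."""
    return md4(password.encode("utf-16le")).hex()


SEASONS = ("Winter", "Spring", "Summer", "Fall", "Autumn")
WORDS = ("Football", "Sandwich", "Welcome", "Monkey", "Dragon")  # stand-in for a real word list


def pattern_candidates(words=WORDS, years=range(2020, 2027)):
    """Guesses in the two conventions from the post: Football01! and Spring2025!."""
    for word, n in product(words, range(100)):
        yield f"{word}{n:02d}!"
    for season, year in product(SEASONS, years):
        yield f"{season}{year}!"


def _group_by_hash(hashes):
    by_hash = {}
    for user, h in hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)
    return by_hash


def crack(hashes):
    """Return {user: plaintext} for every user whose NT hash a pattern candidate matches."""
    by_hash = _group_by_hash(hashes)
    found = {}
    for cand in pattern_candidates():
        h = nt_hash(cand)
        if h in by_hash and h not in found:
            found[h] = cand
            if len(found) == len(by_hash):
                break
    return {user: pw for h, pw in found.items() for user in by_hash[h]}


def reuse_groups(hashes):
    """Users sharing a password: identical unsalted hashes mean identical passwords."""
    return sorted(users for users in _group_by_hash(hashes).values() if len(users) > 1)


def audit(hashes):
    """The headline numbers a credential audit reports."""
    cracked = crack(hashes)
    return {
        "total": len(hashes),
        "cracked": len(cracked),
        "percent_cracked": round(100 * len(cracked) / len(hashes), 1),
        "reuse_groups": reuse_groups(hashes),
        "cracked_users": cracked,
    }


# Constructed sample dump: {username: NT hash}, in the form a DCSync yields it.
SAMPLE_DUMP = {
    "alice": nt_hash("Football01!"),
    "bob": nt_hash("Spring2025!"),
    "carol": nt_hash("Sandwich89!"),
    "dave": nt_hash("xK9#vL2mQp7!rT4w"),  # manager-generated; should survive
    "eve": nt_hash("Football01!"),        # same password as alice
}

if __name__ == "__main__":
    print(audit(SAMPLE_DUMP))
```

A few hundred candidates are enough to recover four of the five passwords, and the alice/eve reuse shows up before a single guess is made. Scaled up with a real word list and hashcat rules, this is the analysis a credential audit performs against the full domain.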
Whether you're a red-teamer, a security analyst, or just a tech-savvy user, understanding the techniques outlined here is essential to both offense and defense in cybersecurity. If you would like to know where the weaknesses lie in your organization's password usage, I would recommend looking into a credential audit assessment. This is a specialized penetration test offering in which a skilled GuidePoint consultant takes a deep dive into the passwords used by your organization, employing the techniques mentioned above, tailored to your organization, to crack as many passwords as possible.
As an example of how effective the insight from a credential audit assessment can be, I will provide real metrics from an actual organization that shall henceforth be named ACME, Inc. ACME reached out to GuidePoint to perform an internal penetration test in which we achieved Domain Administrator access, performed a DCSync attack, and did basic password analysis, successfully cracking roughly 60% of their users' passwords. Concerned by this number, ACME reached out to GuidePoint for a credential audit assessment and guidance on how to get it significantly lower. After ACME followed our recommendations, we were only able to crack around 25% of their users' passwords. That insight into their actual password security significantly strengthened their security posture.
Once a credential audit assessment is complete, you can analyze trends and uncover weaknesses in the passwords chosen by your employees. This insight includes the number and percentage of passwords cracked, the number of LM hashes still present in the environment, the same password reused by multiple users, common password trends and patterns, and additional metrics.
GuidePoint Security can help you safeguard your organization against one of the most common footholds into any environment: weak passwords. Contact us today to set up your credential audit assessment. Let us help uncover the dark side of passwords within your organization and put you on track to a bright and resilient future.