Preempt Blog

The latest insights and advice to keep your company protected from insider threats and breaches

Enterprises continue to suffer from poor password hygiene and a lack of visibility & control over privileged users

It has been more than a year since I last shared Preempt Lite statistics. Last time we shared Preempt Lite statistics we found some alarming numbers. With the end of 2018 approaching, I would like to share with you key findings from Preempt Lite to help you focus on the most important security issues you might be facing.

Preempt Lite – Reminder

Preempt Lite is a free security posture evaluation tools offered by Preempt. The tool monitors various aspects of password and Active Directory security:

  1. Weak Passwords: We define compromised credentials as passwords that exist in well-known password lists. To test this, we’ve created a password dictionary containing 10M of the most common passwords. In a previous blog, this dictionary was used to crack 35% of breached LinkedIn password hashes.
  2. Shared Passwords: We define shared passwords as passwords that are shared by different users (unless the password is extremely weak, two users with the same password could not happen by accident).
  3. Stealthy Admins: We define stealthy admins as user accounts with special permissions over other accounts (e.g., changing a user password, modifying a particular security group) not via AD protected groups, in a way that effectively makes user with permissions equivalent to these of a domain admin. You can get more details regarding stealthy admins here.
  4. Exposed Group Policy Passwords – In the past, it was possible to store passwords in Group Policy Preferences (GPP). However, the passwords stored in the GPP could easily be fetched and decrypted by any user in the network. More details on this issue can be found here.
  5. Password Policy – Preempt Lite also analyzes the domain password policy and assigns a theoretical strength based on the minimal characters you could set and whether password complexity is required.

Poor Password Hygiene - Stealthy Admins

Preempt Lite Findings

Since launching Preempt Lite, about 600 organizations have downloaded the app. More than 100 organizations have chosen to anonymously share security statistics with us. The data collected includes password statistics from several countries (64% from the US, 18% European), and a healthy mix of small (<100 users), medium (100-1000 users), and large (>1000 users) organizational networks. We have found many interesting and surprising statistics regarding how vulnerable most enterprise networks are to these known and simple security vulnerabilities:

  1.  32% of networks had some exposed passwords (GPP passwords)
    Roughly 1 in 3 enterprise networks have some passwords exposed in GPP for any authenticated user to recover. From our experience, these passwords in some cases are applicable and in many cases belong to the administrative accounts (domain or local).

  2. 72% of networks had at least one stealthy admin detected
    In most networks we scanned, we discovered at least one user granted special permissions, not through a protected AD group. One such known account is the MSOL account used for Azure AD Connect. However, in most cases (61%), we found more than just one account with stealthy privileges.
  3. Only 5% of networks had a strong password policy, 23% of networks had a very weak password policy
    In our analysis of password policy, we’ve scored each password policy and divided password policies into three groups – low, medium, and high. A low score was given to policies that either mandate 7 character passwords or mandate password complexity, a medium score was assigned to policies that mandate less than 10 characters (or 9 characters and complexity). Policies that mandated more than 10 characters or 10 characters and complexity were given a high score. Overall, only 5% had a high password policy, and surprisingly, 23% had a low password policy.

    We have further researched the impact of the password policy and the actual strength of passwords in these enterprises and analyzed how many passwords we were able to crack with each policy applicable. Not surprisingly, the better the password policy is, the fewer passwords we were able to crack. More interestingly, the difference between low and medium score is lower than between medium and high. For enterprises with medium password policy scores, we were able to crack roughly 10% of the passwords. For enterprises with a high score for password policy, we were able to crack only 0.8% of the passwords. This is a strong indication that at least 10 characters passwords are crucial for password strength.
  4. Overall, 97% of inspected enterprises revealed at least one security issue.
    Perhaps the most alarming finding we can share is that even though our scan contains only known issues, in almost all networks we’ve scanned we’ve found some security issues. In the minority case where no security issues were found, clients only scanned for one issue (Preempt Lite allows running a subset of inspections).
  5. Bigger organizations have a better security posture.
    We measured the average percentage of users with a weak password (compromised or shared) in each organization size and found that the bigger an organization is, the more secure their passwords are. In large organizations we were able to crack 9% of the passwords, in medium organizations we were able to crack 10% of the passwords, and in small organizations, we were able to crack 16.78% of the passwords.
    This reaffirms our previous research findings.
  6. US-based organizations have the best password quality, Europe came in second.
    We divided the data into US-based enterprises (64%), European-based enterprises (18%), and others. The results clearly show that password quality in the US and Europe is better than the rest of the world with 6.3% of US passwords that were cracked, 12% of Europe passwords, and 18% of the passwords from the rest of the world.

  7. 30% of enterprises improved security metrics in recurring Lite runs
    Some of the enterprises have used Preempt Lite more than once over the last year. In 30% of the enterprises, we’ve recorded an improvement in one of the subsequent runs (many organizations didn’t run the same analysis in different runs). This is a clear indication of the need to constantly monitor security configuration and posture in your network and how Preempt Lite can help with that task.

What’s Next for Preempt Lite?

As cyber threats become more sophisticated, organizations need to take a proactive approach in securing their network. Oftentimes, small and medium organizations suffer the most from the cybersecurity skills gap and therefore need easy tools to efficiently evaluate their security posture and readiness to face outside cyber threats.

Note: Marina Simakov contributed to this post 

Topics: Insider Threats, Passwords, Privileged Users, Stealthy Admin,

Posted by Yaron Zinar on December 19, 2018 6:08 AM


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More


What State-Sponsored Attacks Can Teach Us About Conditional Access

People often think that state-sponsored attacks from groups like Lazarus...

Read More


A Simplified Approach to Network Segmentation

Network segmentation has long been one of the most valuable tools for protecting ...

Read More


10 Things You Need to Know About Kerberos

As our research team continues to find vulnerabilities in Microsoft that bypass all major

Read More


Brute Force Attacks: Denying the Attacker, Not the User

According, close to 8 billion accounts have been compromised...

Read More