Specops Software – Password Security: How to Use the NCSC Password List in Your Active Directory

David Howell,
What is a Brand Discovery ?

How strong is your business’s password security? Learn how including the NCSC Password List in Your Active Directory can have a dramatic positive impact on your password security

As passwords continue to be one of the weakest aspects of security in your business, discover how using the NCSC Password List in your Active Directory (AD) can deliver robust, agile, and dynamic password security across your enterprise.

The threat perimeter of your business has changed. As remote mass working has become the norm, how your staff login into your systems to access highly sensitive information must be secure.

However, as the password continues to be the most convenient method of access authentication, is your business’s password security policy strong enough to withstand extensive cyberattacks that are on the rise?

According to research carried out by Specops Software, people still prefer traditional authentication methods over biometric authentications, with 78% saying they feel most comfortable using traditional passwords.

However, 61% of businesses don’t require strong or complex passwords for employee profiles. More than half (51%) of companies have seen a rise in cybercrime since working from home became the norm. Also, two in five (44%) admit to not fully understanding specific password protection terms. And just 26% of businesses enforce strong multi-factor password authentications for employees.

Employees might feel more comfortable using passwords, but as Verizon discovered, 80% of all breaches are connected with compromised credentials or weak passwords!

Darren James, Product Specialist, Specops Software, explains: “There are a few challenges facing businesses when it comes to designing secure password protocols: The biggest being user training. For the last 20 years, users have been brainwashed into thinking that a password with a capital letter at the beginning, a few lower-case characters in the middle and a number at the end is a perfectly secure password. For example, ‘Password1.’ But of course, we know that’s not the case.”

Password security

The UK’s cybersecurity authority, the National Cyber Security Centre (NCSC), has produced a list of the top 100,000 passwords, which can strengthen password security within a company’s AD.

Using a disallowed password list is a little like ensuring your business has up-to-date antivirus definitions. If you know the most common passwords that may be compromised, you can set up your systems to combat any breaches that might occur.

Why? Simply because hackers also use these passwords lists and use a password spraying technique to find weak points of access in a business’s network security. Building a list of disallowed passwords into your company’s AD is an essential first line of defense against password attacks.

Helping hands

An essential first step all businesses should take to overhaul and update their password security is to perform an audit. Specops Software’s Password Auditor is a free tool that scans your business’s AD and identifies any potential password related security vulnerabilities.

The Password Auditor has several vital features, including:

  • Overview of password policies, including change interval, dictionary enforcement, as well as relative strength.
  • Identify accounts using leaked passwords.
  • Identify user accounts without a minimum password length requirement.
  • Identify dormant user accounts.
  • Password expiration reports curbing password-related helpdesk calls.
  • Use standalone or integrate with Specops Password Policy.
  • Export report data to CSV for further processing.
  • Generate an executive summary PDF report to share your results with decision-makers.

Darren explains: “The Specops Password Auditor is a powerful free tool that can show you exactly how vulnerable your organization is against breached passwords. It offers an automated approach to scanning Active Directory against the NCSC password list.” 

“You can also use the tool to audit various password-related liabilities and, produce password audit reports that can be shared with budget holders and executives. Specops Password Auditor offers a password compliance report. The report will measure each password policy against the password settings (maximum length, maximum age, password history, complexity, etc.) recommended by NIST, NCSC, PCI, SANS, and more.”

After your password audit and the implementation of the NCSC’s disallowed password list into your AD, your password security’s final component is to create a policy your staff can follow. The Specops Password Policy service offers:

  • Custom and leaked password dictionary lists and password hash dictionaries.
  • Breached Password Protection, including more than two-billion leaked passwords.
  • Find and remove leaked passwords in your environment.
  • Block the use of character substitutions (leetspeak) and keyboard patterns (including European keyboard patterns).
  • Informative client messages when a user fails to meet password policy rules.
  • Length-based password expiration with email notifications.
  • Block usernames, display names, specific words, consecutive characters, incremental passwords, and reusing a part of the current password.
  • Passphrase support.
  • Over 20 languages supported, including English, French, Spanish, Russian, and Chinese.
  • Use Regular Expressions to further customize requirements.

Specops Software’s password security tips

Enforcing users to use a passphrase, made up of 3 memorable words with at least 5 characters in each word, and maybe a special character thrown in somewhere would be a much tougher password to cracker than a shorter but more complex one. They are also less likely to write it down as well.

Providing that the user has chosen a password that is over 15 characters in length (longer is stronger) we are happy for that user to keep that password for longer – maybe up to year, but it’s always good to have some expiry time just in case. It’s still a good idea to stop users reusing old passwords, so keeping a password history of the last 24 (maximum) that have been set is also still recommended. Obviously different regulatory bodies might have different recommendations, but this is usually a good starter.

While strict security measures include other steps such as VPN protection for internal resources, trusted firewalls, and anti-malware software, password management plays a significant role in system protection. Using these tips in day-to-day administration management will limit the number of successful breaches connected to weak passwords, thus increasing the overall IT estate’s integrity.

As your business enters a post-COVID-19 world, security should be at the top of your agenda. Passwords continue to be the mainstay of network access security. Ensuring your business’s AD and the systems it supports have current, robust, and agile password security protocols and policies are a core component your business should be built upon.

Try Specops Password Auditor to scan your environment for vulnerable passwords

Discover how Password Auditor can scan your environment for vulnerable passwords to ensure your systems are fully protected with world-class password security.

Contact us