<p>Some password policies applied on specific user accounts are not strong enough and can lead to credentials theft.</p>


<p>Weak password policies increase the risk of users creating weak passwords that could allow attackers to steal easily through generic techniques such as brute force attacks, authentication challenge theft, etc.</p>


Privilege Escalation

Credential Access

Initial Access

Valid Accounts

Brute Force

Application of Weak Password Policies on Users

A stolen account could be used during a long period of time by an attacker.

Maximum password age too old

An already used password should not be used again too early. This is even more dangerous with privileged users.

Privileged PSO with a minimum password history too small

Without password complexity, an attacker can use a simple dictionary attack to discover a password. This is even more dangerous with privileged users.

Privileged PSO with a lack of password complexity

A lockout threshold too low increases the likelihood that a password might be found easily by a brute-force attack. This is even more dangerous with privileged users.

Privileged PSO with a too low account lockout threshold

A lockout duration too short increases the likelihood that a password might be found easily by a brute-force attack. This is even more dangerous with privileged users.

Privileged PSO with a Account too small lockout duration

A password stored with a reversible algorithm can be immediately disclosed. This is even more dangerous with privileged users.

Privileged PSO with passwords reversible encryption

A password being too short can be easily guessed by an attacker.

Minimum password length too short for local accounts

Maximum password age too old for local accounts

A lockout threshold too low increases the likelihood that a password might be found easily by a brute-force attack.

Account lockout threshold too low for local accounts

A lockout duration too short increases the likelihood that a password might be found easily by a brute-force attack.

Account lockout duration too small for local accounts

A password stored with a reversible algorithm can be immediately disclosed.

Passwords reversible encryption for local accounts

There is no GPO that defines one of the domain's password settings.

GPO password parameter is missing

The inheritance is blocked on this OU and password parameters are not redefined. So all computers located in this OU will have their OS default settings regarding the local passwords policies.

Password parameter is not propagated nor redefined

Because of the security filtering, the password parameters cannot be applied on all computers which are located in the related linkable container. As a consequence, the values of those password parameters are undefined and use the OS defaults.

Password policy is undefined

An already used password should not be used again too early.

Minimum password history too small

Without password complexity, an attacker can use a simple dictionary attack to discover a password.

Lack of password complexity

Account lockout duration too small

Minimum password history too small for local accounts

Lack of password complexity for local accounts

Minimum password length too short

Account lockout threshold too low

Passwords reversible encryption

A privileged group without PSO uses the domain password settings, which is not precise enough and more than likely not strong enough.

Privileged group without PSO

If no PSO are applied on the domain, then the password settings are managed by GPO in the same way for privileged users and standard users.

No PSO are applied on the domain

If no privileged PSO are applied on the domain, then the password settings management for the privileged users is not strong enough.

No privileged PSO are applied on the domain

A password being too short can be easily guessed by an attacker. This is even more dangerous with privileged users.

Privileged PSO with a too short minimum password length

A stolen account could be used during a long period of time by an attacker. This is even more dangerous with privileged users.

Detections

Analytics

Application of Weak Password Policies on Users

critical

Description

Solution

See Also

Indicator Details