One of the biggest cybersecurity mistakes an organization can make is not changing a default password. Consider, for example, what might happen if a home user didn’t change the default password on their Wi-Fi router.
A cybercriminal could perform a simple web search to determine the router manufacturer’s default password, and then log into the router. From there, the criminal could possibly change the router’s password, effectively locking out its owner.
The problem, as this example illustrates, is that default passwords are well-documented and easy to exploit, both at home and at work. In fact, many password spray attacks specifically target default passwords.
Atlassian has a product called Confluence that works as a remotely accessible collaborative workspace. In addition to the main Confluence app, the company also makes a supporting app called Questions for Confluence. Downloaded thousands of times, this app automatically creates a default username and password that are used to facilitate the migration of customer data from the app to Confluence Cloud.
Unfortunately, someone was able to figure out the default username and password that were stored in encrypted form in the app and leaked the decrypted credentials online. An attacker who knows these credentials can take full control of any unrestricted page within Confluence.
Worse yet, uninstalling the Questions for Confluence app doesn’t fix the problem because the credentials remain in place even after deleting the app.
Atlassian has released a patch that will help protect vulnerable systems, but also asks affected customers to remove or disable the account named disabledsystemuser.
Although this particular incident was specific to Atlassian, it underscores the dangers posed by default passwords.
Are Default Passwords Inevitable?
Unfortunately, default passwords are difficult to avoid entirely. Every organization uses them in at least some capacity. Think about your own organization and the process you currently have for creating new user accounts. Most likely, those accounts are initially assigned a default password that must be changed the first time the user logs in.
The problem with this is that there may be accounts lurking within your Active Directory that were created, but never used. Imagine what could happen if a new employee were hired, but didn’t show up (a relatively common occurrence). An account may already have been created for the employee, and unless the organization has a policy to delete the account, it could exist indefinitely, with a default password.
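The scenario above (an account created for a hire who never started, still sitting on its onboarding default) can be hunted for directly in Active Directory. The script below is an added example, not code from the article or from Specops; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory, and the 30-day threshold and the "password set within five minutes of creation" heuristic are assumptions to tune for your own onboarding process.

```powershell
# Added example (not from the article or from Specops): list enabled AD accounts that
# were created more than $MaxAgeDays ago, have never logged on, and whose password has
# not changed since the account was created, i.e. are very likely still on the
# onboarding default. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Find-NeverUsedDefaultAccounts {
    param(
        [int]$MaxAgeDays = 30,          # assumption: longer than your onboarding window
        [string]$SearchBase = $null     # optional: restrict the query to one OU
    )

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'whenCreated', 'LastLogonDate', 'PasswordLastSet', 'pwdLastSet'
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    Get-ADUser @query |
        Where-Object {
            $_.whenCreated -lt $cutoff -and
            # LastLogonDate is derived from lastLogonTimestamp; it is null if the
            # account has never authenticated anywhere in the domain.
            -not $_.LastLogonDate -and
            (
                # pwdLastSet = 0 means "must change password at next logon" is still pending,
                # so the initial password has never been replaced.
                $_.pwdLastSet -eq 0 -or
                # Otherwise treat a password set within minutes of creation as the default.
                ($_.PasswordLastSet -and
                 ($_.PasswordLastSet - $_.whenCreated).TotalMinutes -lt 5)
            )
        } |
        Select-Object SamAccountName, whenCreated, PasswordLastSet,
            @{ Name = 'DaysSinceCreation'
               Expression = { [int]((Get-Date) - $_.whenCreated).TotalDays } }
}

# Report first; review the list with HR/IT before changing anything.
Find-NeverUsedDefaultAccounts -MaxAgeDays 30 |
    Sort-Object whenCreated |
    Format-Table -AutoSize

# After review, disable (reversible) rather than delete. Drop -WhatIf to apply.
# Find-NeverUsedDefaultAccounts -MaxAgeDays 30 |
#     ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Two caveats when reading the output: lastLogonTimestamp replicates with a lag of up to about two weeks, so treat accounts created very recently with suspicion only after that window has passed, and accounts used solely for non-interactive binds that never update lastLogonTimestamp will not appear here at all.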
Track down leftover default passwords
The question is, how can you track down default passwords on your network once they are no longer useful? One of the best options is to use a free, read-only tool called Specops Password Auditor.
Although this tool does not crack passwords, it can tell you which of your users are using duplicate passwords. That being the case, you can create a new account with a default password and then run a report to find out if any other accounts are using the same password as the account you just created (i.e., the default).
By the way, this report is also good for finding service accounts that use identical passwords or administrators that use the same password for their privileged and non-privileged accounts.
It’s worth noting that Specops Password Auditor can do much more than just check default passwords. You can also use it to locate users who have not changed their passwords for an extended period of time (which may indicate that the account has been abandoned).
Similarly, you can check for things like expired passwords, blank passwords, or passwords that are known to have been compromised.
Avoid using third-party default passwords in your Active Directory
The other thing you need to do is make sure there are no vendor default passwords within your Active Directory environments. One of the best options to avoid these types of passwords is to use Specops Password Policy, which allows you to create a custom list of prohibited passwords.
You can then populate this list with passwords that hardware and software vendors use by default. That way, if someone tries to set one of these default passwords, the change is rejected, closing off a well-known weakness before it reaches your directory.
You can try Specops Password Policy in your Active Directory for free, at any time.
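To make the idea of a custom prohibited-password list concrete, here is an added example of the matching logic such a list relies on. It is not Specops' implementation and makes no claim about how Specops Password Policy compares passwords; the blocklist entries, the leetspeak map and the test candidates are all constructed for illustration. The point it demonstrates is that a plain string comparison is not enough: a list entry of "password" should also stop "P@ssw0rd" and "Password2024!", so candidates are normalized before comparison.

```powershell
# Added example (not Specops' code): normalize a candidate password, then compare it
# with a custom blocklist of vendor-style defaults so trivial variants are caught too.
# Blocklist entries below are constructed placeholders, not a curated vendor list.
$ProhibitedDefaults = @(
    'admin', 'password', 'changeme', 'welcome', 'default', 'letmein'
)

# Common character substitutions folded back to letters before comparison.
$LeetMap = @{
    '@' = 'a'; '4' = 'a'; '3' = 'e'; '1' = 'i'; '!' = 'i'
    '0' = 'o'; '$' = 's'; '5' = 's'; '7' = 't'
}

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)

    # 1. Case-fold, 2. strip trailing digits/punctuation ("Admin2023!!" -> "admin"),
    # 3. fold leetspeak ("p@ssw0rd" -> "password"). Stripping happens before folding so
    #    a trailing "123" is removed rather than turned into "iee".
    $folded   = $Password.ToLowerInvariant()
    $stripped = $folded -replace '[\d\W_]+$', ''
    $chars    = $stripped.ToCharArray() | ForEach-Object {
        $c = [string]$_
        if ($LeetMap.ContainsKey($c)) { $LeetMap[$c] } else { $c }
    }
    return (-join $chars)
}

function Test-ProhibitedPassword {
    param([Parameter(Mandatory)][string]$Password)

    $norm = ConvertTo-NormalizedPassword -Password $Password
    foreach ($bad in $ProhibitedDefaults) {
        # Exact match after normalization, or the blocked word embedded in a longer
        # password when the word is long enough (6+) to avoid noisy short-substring hits.
        if ($norm -eq $bad -or ($bad.Length -ge 6 -and $norm.Contains($bad))) {
            return [pscustomobject]@{
                Candidate = $Password; Blocked = $true; Reason = "matches blocklist entry '$bad'"
            }
        }
    }
    return [pscustomobject]@{ Candidate = $Password; Blocked = $false; Reason = '' }
}

# Constructed candidates: the first three should be blocked, the last two allowed.
'Admin123!', 'P@ssw0rd', 'Welcome2024', 'Tr0ub4dor&3', 'x9#Lk!2qRv' |
    ForEach-Object { Test-ProhibitedPassword -Password $_ } |
    Format-Table -AutoSize
```

In production this check belongs where the password change is processed (a password filter on the domain controllers, which is the role a product such as Specops Password Policy plays), not in an after-the-fact script; the example only shows why normalization matters when building the list.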
Sponsored by Specops