Weak Password Policies

Description

Lax or outdated password policies enable attackers to obtain initial access via password spraying and brute-force attacks, then expand access through credential reuse. Common gaps include a short minimum length, no banned-password checks, weak or predictable service account passwords, unlimited or high-threshold logon attempts, and legacy protocols that reduce effective entropy. Weak service account passwords are especially damaging because they are often tied to SPNs (Kerberoasting) or to broad privileges.

Examples

Kerberos Password Spraying

Perform a low-and-slow spray against Kerberos to avoid account lockouts while validating many usernames at once:

kerbrute passwordspray -d corp.local --dc 10.0.0.10 users.txt 'Winter2025!'

Successful results demonstrate weak policy enforcement and often reveal reuse across multiple accounts.

SMB/NTLM Password Spray

Spray a candidate password against SMB endpoints across a subnet to find valid pairs:

crackmapexec smb 10.0.0.0/24 -u users.txt -p 'Summer2025!' --continue-on-success --local-auth

Even one success can lead to lateral movement and privilege escalation if local admin reuse is present.

Inspecting the Effective Domain Policy

Verify the policy that enables these weaknesses from a domain-joined host:

Get-ADDefaultDomainPasswordPolicy | Select MinPasswordLength, MaxPasswordAge, LockoutThreshold, ComplexityEnabled

If MinPasswordLength is low, ComplexityEnabled is False, or LockoutThreshold is high or 0 (lockout disabled), the environment is at risk.

Testing Legacy Protocol Acceptance

# On a test workstation
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LmCompatibilityLevel

If LM or NTLMv1 responses are still permitted (LmCompatibilityLevel below 3) in the domain or on critical servers, effective password strength is reduced.
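The following Python script is an added example, not part of the original page: it parses the output of the two checks above (Get-ADDefaultDomainPasswordPolicy piped through Format-List, and the reg query for LmCompatibilityLevel) and reports the gaps that make spraying and brute force practical. The baseline thresholds and the sample outputs are constructed assumptions, not values from any real domain.

```python
"""Audit domain password-policy settings against a hardening baseline.

Added example, not part of the original page. It consumes the text output of
  Get-ADDefaultDomainPasswordPolicy | Select ... | Format-List
and of the reg query for LmCompatibilityLevel, then lists the findings that make
password spraying and brute force practical. Thresholds below are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Baseline thresholds: assumptions for this example; tune to your own standard.
MIN_PASSWORD_LENGTH = 14
MAX_LOCKOUT_THRESHOLD = 10      # attempts before lockout; 0 means lockout is disabled
MIN_LM_COMPATIBILITY_LEVEL = 3  # 0-2 still send LM/NTLMv1; 3+ send NTLMv2 only; 5 refuses LM/NTLMv1 at DCs

# Constructed sample output (not from a real domain) of the policy query piped through Format-List.
SAMPLE_POLICY_OUTPUT = """
MinPasswordLength : 7
MaxPasswordAge    : 42.00:00:00
LockoutThreshold  : 0
ComplexityEnabled : False
"""

# Constructed sample output of the reg query; REG_DWORD values are printed as hex.
SAMPLE_REG_OUTPUT = """
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa
    LmCompatibilityLevel    REG_DWORD    0x1
"""


@dataclass
class PasswordPolicy:
    min_password_length: int
    complexity_enabled: bool
    lockout_threshold: int
    lm_compatibility_level: Optional[int]  # None when the registry value is not set


def parse_policy_output(text: str) -> dict:
    """Turn 'Name : Value' lines from Format-List output into a dict of strings."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def parse_lm_level(text: str) -> Optional[int]:
    """Extract LmCompatibilityLevel from reg query output; returns None if the value is absent
    (reg query then prints an ERROR line instead of a value)."""
    m = re.search(r"LmCompatibilityLevel\s+REG_DWORD\s+(0x[0-9a-fA-F]+|\d+)", text)
    return int(m.group(1), 0) if m else None


def load_policy(policy_text: str, reg_text: str) -> PasswordPolicy:
    """Combine both command outputs into one PasswordPolicy record."""
    f = parse_policy_output(policy_text)
    return PasswordPolicy(
        min_password_length=int(f["MinPasswordLength"]),
        complexity_enabled=f["ComplexityEnabled"].lower() == "true",
        lockout_threshold=int(f["LockoutThreshold"]),
        lm_compatibility_level=parse_lm_level(reg_text),
    )


def audit(policy: PasswordPolicy) -> list:
    """Return one finding per gap; an empty list means the baseline is met."""
    findings = []
    if policy.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"MinPasswordLength {policy.min_password_length} < {MIN_PASSWORD_LENGTH}: "
                        "short passwords are cheap to brute-force")
    if not policy.complexity_enabled:
        findings.append("ComplexityEnabled False: common seasonal patterns are accepted")
    if policy.lockout_threshold == 0:
        findings.append("LockoutThreshold 0: lockout disabled, unlimited guesses per account")
    elif policy.lockout_threshold > MAX_LOCKOUT_THRESHOLD:
        findings.append(f"LockoutThreshold {policy.lockout_threshold} > {MAX_LOCKOUT_THRESHOLD}: "
                        "high threshold leaves room for spraying")
    lvl = policy.lm_compatibility_level
    if lvl is None:
        findings.append("LmCompatibilityLevel not set: effective level depends on the OS default; set it explicitly")
    elif lvl < MIN_LM_COMPATIBILITY_LEVEL:
        findings.append(f"LmCompatibilityLevel {lvl} < {MIN_LM_COMPATIBILITY_LEVEL}: LM/NTLMv1 responses still sent")
    return findings


if __name__ == "__main__":
    for finding in audit(load_policy(SAMPLE_POLICY_OUTPUT, SAMPLE_REG_OUTPUT)):
        print("[!]", finding)
```

Run it against real output by pasting the two command results into the two sample strings (or reading them from files); every finding maps to one of the Remediation items below.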

Remediation

  1. Enforce strong, modern password policy
    • Minimum length of 14–16+; prefer passphrases.
    • Enable complexity, history, and reasonable maximum age or periodic verification.
    • Deploy banned-password checks (e.g., Azure AD Password Protection) to block common patterns.
  2. Implement smart lockout and throttling
    • Enable Azure AD Smart Lockout or on-prem lockout tuned for low-and-slow spraying.
    • Monitor spikes in event IDs 4625 (logon failure), 4771 (Kerberos pre-authentication failed), and 4776 (NTLM credential validation failed), and apply progressive delays.
  3. Harden service account credentials
    • Move to gMSA/MSA for on-prem services; rotate automatically.
    • For legacy accounts, set long random passwords and reduce privileges.
  4. Remove legacy/weak protocols
    • Disable LM/NTLMv1; require NTLMv2 or Kerberos with pre-authentication.
    • Prefer modern auth and certificate-based or device-bound factors where possible.
  5. Defense in depth
    • Implement password filters/banned lists; enforce MFA for remote access; block anonymous binds; segment admin workstations.
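The following Python detector is an added example, not part of the original page: it implements the monitoring in Remediation step 2 over constructed failed-logon events. A spray like the ones in the Examples section shows up as one source touching many distinct accounts with one or two failures each, which per-account lockout counters never trip, so the detector counts distinct target accounts per source inside a time window. Event IDs are the real ones; the field layout, window, threshold and sample events are assumptions.

```python
"""Detect password-spray patterns in Windows logon failure events.

Added example, not part of the original page. Events are constructed tuples of
(timestamp, event id, target account, source); the source is IpAddress for
4625/4771 and the Workstation name for 4776, mirroring the event fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: widen it for slower sprays
MIN_DISTINCT_USERS = 8           # assumption: distinct accounts from one source within WINDOW
FAILURE_EVENTS = {4625: "logon failure", 4771: "Kerberos pre-auth failed", 4776: "NTLM validation failed"}

# Constructed sample events (not from a real domain).
# 10.0.0.55 tries one password per account across ten accounts, ~3 minutes apart;
# 10.0.0.20 is a user mistyping their own password three times and must not alert.
SAMPLE_EVENTS = [
    ("2025-01-15T09:00:00", 4771, "alice", "10.0.0.55"),
    ("2025-01-15T09:03:00", 4771, "bob", "10.0.0.55"),
    ("2025-01-15T09:05:00", 4625, "carol", "10.0.0.20"),
    ("2025-01-15T09:05:30", 4625, "carol", "10.0.0.20"),
    ("2025-01-15T09:06:00", 4625, "carol", "10.0.0.20"),
    ("2025-01-15T09:06:00", 4771, "dave", "10.0.0.55"),
    ("2025-01-15T09:09:00", 4625, "erin", "10.0.0.55"),
    ("2025-01-15T09:10:00", 4776, "peggy", "WS-HR-03"),
    ("2025-01-15T09:12:00", 4771, "frank", "10.0.0.55"),
    ("2025-01-15T09:15:00", 4771, "grace", "10.0.0.55"),
    ("2025-01-15T09:18:00", 4625, "heidi", "10.0.0.55"),
    ("2025-01-15T09:21:00", 4771, "ivan", "10.0.0.55"),
    ("2025-01-15T09:24:00", 4771, "judy", "10.0.0.55"),
    ("2025-01-15T09:27:00", 4771, "ken", "10.0.0.55"),
    ("2025-01-15T09:30:00", 4624, "alice", "10.0.0.55"),  # a success; ignored by the detector
]


def detect_sprays(events, window=WINDOW, min_users=MIN_DISTINCT_USERS):
    """Return one alert per source whose distinct failed accounts inside any window reach min_users.

    Each alert carries the distinct-account count, total attempts in the window and the
    highest attempts against a single account; a low max_per_user alongside a high
    distinct_users count is the low-and-slow signature.
    """
    by_source = defaultdict(list)
    for ts, event_id, user, source in events:
        if event_id in FAILURE_EVENTS:
            by_source[source].append((datetime.fromisoformat(ts), user))

    alerts = []
    for source, items in by_source.items():
        items.sort()
        recent = deque()                      # events currently inside the window
        per_user = defaultdict(int)           # attempts per account inside the window
        for ts, user in items:
            recent.append((ts, user))
            per_user[user] += 1
            # Drop events that fell out of the window.
            while ts - recent[0][0] > window:
                old_ts, old_user = recent.popleft()
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
            if len(per_user) >= min_users:
                alerts.append({
                    "source": source,
                    "window_end": ts.isoformat(),
                    "distinct_users": len(per_user),
                    "attempts": len(recent),
                    "max_per_user": max(per_user.values()),
                })
                break  # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_sprays(SAMPLE_EVENTS):
        print(alert)
```

In production the same logic runs over events pulled from a SIEM or Windows Event Forwarding; keep min_users well above the number of accounts a single workstation legitimately authenticates as, and alert on 4776 sources by workstation name since that event carries no client IP.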