NCSC / GCHQ on Common Passwords used

Time to read: 10 mins

I’ve recently had the opportunity to work with NCSC (National Cyber Security Centre) a part of GCHQ (Government Communication Headquarters) on the common passwords and the security risks.

10,000 of the most common passwords have been researched and released by the NCSC, and we have worked on developing a script that can work with your Domain Controllers Active Directory to fish out how many user accounts have a “common” password found within the list.

It is a fairly complex script that is run in Windows Powershell to search the active directory backbones to see how many users are running a “common” password from the list of top 10,000 passwords. If one or more results are found you have the opportunity to tweak the script (with 1 line of code) to display the user accounts that have these weak passwords on your network. 

Of course, this script needs to be run by a user of the “Domain Admin” role.

In my opinion, this is something that should be run fairly often to fish out any of your users on the network and help them understand the true consequences, think of it as your home – you wouldn’t have just a bolt-on your door to protect your entire house – you’d have a lock with a key. (as it’s more secure!)

Some top security tips for your network & users:

  • Add a group policy to use Windows Password Complexity.
    (passwords must be more than 8 characters long, with 1 uppercase, 1 lowercase, 1 symbol, 1 number and not be the same as the last 5 passwords used and expire every 90 days).

  • Don’t give unnecessary access to users – if they don’t need it. Just because the boss of the company is the boss, it doesn’t mean he/she should have full domain admin rights.

  • Use passphrase’s rather than passwords (the longer the password, the harder it is for a hacker) – i.e. “iLov3Mond@ys!!” …not that anyone does.!!

  • Train your staff to lock computers when not at their desks 
    (or better still, have a group policy to enforce locked computers after x mins of inactivity)

  • Remove any networking patching sockets that aren’t in use.
    (if a member of the public came along to plugin, they could gain access to your network)

  • Don’t share passwords (Not even with the IT Department!)

  • Don’t use the same password for everything – especially your email account.
    (if you forget a password usually a password reset form is sent to you via email – Bingo your life ruined).

  • Be careful about what you post online – such as social media profiles.

There are plenty more additional security tips to add, but this will get you going on some of the basics and fairly easy and quick to implement across your network.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.