Active Directory Password Blacklisting presented at BSidesLasVegas 2018

by Leeren Chang

Summary: Active Directory remains the most popular corporate solution for organizing devices and users on a network. Central to its responsibilities is providing user authentication and authorization. In particular, password authentication through Active Directory calls for the strongest defense mechanisms available. However, the common corporate practice of enforcing ever-higher password complexity requirements in the name of entropy remains an anachronism. This trend of constantly increasing password complexity is not only counterproductive because of its restrictiveness, but also insecure because it offers no defense against dictionary-based attacks. With the plethora of attacks centred on brute force and commonly used passwords, many corporations are falling victim despite supposedly strong password enforcement. The solution to these problems is the integration of password blacklisting directly into Active Directory, a countermeasure that has yet to reach widespread corporate adoption. This talk will provide a run-down on how corporations can install their own password filtering service directly into Active Directory, using either in-house or existing solutions, and outline why this improves both overall security and productivity. As an example, I will talk about how Yelp recently deployed this type of solution to improve our authentication flow.
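As an added illustration of the abstract's argument (not code from the talk or from Yelp's deployment), the portable C below places a complexity-style check beside a normalizing blacklist check, so that a password such as "P@ssw0rd1!" satisfies the first yet is rejected by the second. It assumes a constructed five-entry blacklist, an illustrative substitution table and narrow strings; on Windows this logic would sit behind the LSA password filter DLL's PasswordFilter export, which the example does not implement.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed sample blacklist; a real filter loads thousands of entries. */
static const char *const BLACKLIST[] = { "password", "welcome", "letmein", "summer", "yelp" };
#define BLACKLIST_LEN (sizeof BLACKLIST / sizeof BLACKLIST[0])

/* Approximation of the AD complexity rule: minimum length (assumed value
 * passed by the caller) and at least 3 of 4 character classes. */
bool meets_complexity(const char *pw, size_t minlen) {
    int upper = 0, lower = 0, digit = 0, symbol = 0;
    if (strlen(pw) < minlen) return false;
    for (; *pw; pw++) {
        unsigned char c = (unsigned char)*pw;
        if (isupper(c)) upper = 1;
        else if (islower(c)) lower = 1;
        else if (isdigit(c)) digit = 1;
        else symbol = 1;
    }
    return upper + lower + digit + symbol >= 3;
}

/* Canonical form for matching: drop trailing digits/symbols ("Summer2018!" -> "Summer"),
 * lowercase, undo common substitutions ("P@ssw0rd" -> "password"); table is illustrative. */
void normalize(const char *in, char *out, size_t outlen) {
    static const char FROM[] = "@43!10$57", TO[] = "aaeiiosst";
    size_t len = strlen(in), n = 0;
    while (len > 0 && !isalpha((unsigned char)in[len - 1])) len--;
    for (size_t i = 0; i < len && n + 1 < outlen; i++) {
        char c = (char)tolower((unsigned char)in[i]);
        const char *p = strchr(FROM, c);
        if (p) c = TO[p - FROM];
        out[n++] = c;
    }
    out[n] = '\0';
}

/* The check a password filter runs on a change request: reject when any
 * blacklist entry appears inside the normalized candidate. */
bool is_blacklisted(const char *pw) {
    char norm[256], entry[256];
    normalize(pw, norm, sizeof norm);
    for (size_t i = 0; i < BLACKLIST_LEN; i++) {
        normalize(BLACKLIST[i], entry, sizeof entry);
        if (entry[0] != '\0' && strstr(norm, entry) != NULL) return true;
    }
    return false;
}
```

Substring matching on the normalized form is what lets the filter catch "WelcomeYelp2018" and "Summer!!" as well as the exact entries.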