The Breached Password Test (BPT) is a free tool that analyzes the accounts in your Active Directory (AD) for numerous types of vulnerabilities. BPT will check if any user email addresses at your domain have been involved in past credential breaches and if any AD accounts are currently using passwords that were involved in past credential breaches. Using this test will increase your organization's awareness by letting you know if you're susceptible to a password-related attack.
Why use Breached Password Test?
The general public often uses passwords across many accounts. Users often aren't aware when breaches they're involved in have taken place. Therefore, they don't take responsive actions such as changing passwords across their online accounts.
Once a breach occurs and credentials are leaked, the bad guys can easily find this information and use it to impersonate the affected users. They will also try to use the leaked password against all accounts under your domain, which increases the likelihood of a successful intrusion.
With new breaches occurring every day, use this tool in addition to the security measures you already have in place to reduce the risk that data breaches pose to your organization. At a minimum, we recommend using this tool once a month.
How Does it Work?
The Breached Password Test will connect to your AD to retrieve your domain(s), as well as the password table (containing hashed passwords) and encryption algorithm. The tool then analyzes your domain and passwords against a database of breached data, containing over one billion leaked passwords.
Is My Information Safe?
Yes. It's important to note that this tool will never display or report the actual passwords of any user accounts in your AD; nor will the tool display or report the original credentials in use during the data breach associated with your domain. The passwords within your AD are in a hashed format and will never be visible at any point. The test results will identify the accounts with vulnerable passwords in use, so you have the option to remedy the situation.
When using this tool, no confidential data leaves your network, only the domain or domains within your Active Directory are transferred for the test. The information obtained during the test is saved in local memory, not to disk.
System requirements/prerequisites
System Requirements
To run Breached Password Test, the system you use must have the following:
- Windows 10 or later (32 or 64-bit), Windows Server 2016 or later
- Active Directory (AD), running on Windows Server 2008 R2 or later
- Ability to access the domain controller (DC)
- Internet access
- .NET Framework 4.7.2 (will be installed if needed)
- At least two processors
- At least 2GB of RAM
- At least 1GB of hard disk drive (HDD) space available on your system drive
- User Account Control (UAC) enabled
You should also run this test on a system other than your DC as the scanning process can temporarily generate significant network traffic and CPU usage.
Prerequisites
For installation, you will need the following information:
- A license key, emailed to you upon signing up for the test
- Domain name of your AD (for example: MyDomain.com or MyDomain.local)
- Name of your Domain Controller (DC)
- Credentials to connect to your AD
- This article will show you how to quickly add these required permissions to an account in your AD: How to Grant "Replicating Directory Changes" Permissions
- A domain admin does not have permission by default to access this information, so using the tool with a domain admin account will not necessarily allow you to run the test successfully.
- We strongly recommend creating a new account in the AD with these permissions for the purpose of running this test. Once the test is complete, you should delete this new account in accordance with the principle of least privilege.
- Why create a new account? Creating a new account will make it easier to determine when this test took place and which account accessed the information, should you need to look for that information in the future. It also makes it easier to remove those permissions: once the test is done, simply delete the newly-added user account.
- IMPORTANT! The credentials you use to connect to AD with Breached Password Test must have "Replicating Directory Changes" and "Replicating Directory Changes All" permissions for the test to run successfully. This permission allows you to obtain a copy of your password table for analysis.
Installation and setup
Once you’ve met the system requirements and prerequisites, you can install and set up BPT. To install and set up BPT, follow the steps below:
- First, make sure you read the system requirements and prerequisites (above) prior to installation. Then, sign up for your free Breached Password Test by navigating to https://www.knowbe4.com/breached-password-testUpon signing up, we will email you a unique license key, which you'll need to enter prior to running the test.
- From the Breached Password Test 'Thank You' page, download and run the EXE installation file. If you'd like, install the optional Checksum file. Review and agree to the License Agreement and then click "Install" to complete the installation. Breached Password Test will be automatically saved to your desktop.
- Click Yes if prompted to allow it to run.
- Click Yes if prompted to allow the program to make changes to your computer.
- Enter your unique License Key, which was emailed to the email address you signed up with. Click OK.
- Next, you'll need to enter the details listed below.
- The username and password for the account you created which has "Replicating Directory Changes" and "Replicating Directory Changes All" permissions
- Name of your Domain Controller (DC) (For example, 10.20.10.10)
- Domain name of your Active Directory (For example, mydomain.com or mydomain.local)
- After entering the above information, click Start Test when you are ready to begin your test.
The test will first analyze the domains in your AD for involvement in data breaches. It will then compare the current passwords in your AD with the passwords that were found in data breaches that user(s) at your domain were a part of.This process usually takes less than a minute to complete, but may take longer depending on your Active Directory and workstation performance.
Your results will be displayed on-screen as soon as the test is complete.
Analyzing your results
The results of Breached Password Test will show you whether accounts using your organization's domain has been included in a breach. Furthermore, it will show if passwords leaked from those breached accounts are in use in your AD accounts today. Note, disabled AD accounts are not included in your BPT scan.
Your test results will produce one of the following three scenarios:
Scenario 1: "Great News! Your domains were not found in the current list of breaches."
If your Breached Password Test results produce this outcome, it means the test has scanned the domain(s) in your AD and did not find any matches between accounts using your domain and the accounts in the Breached Password database.
Be sure to continue to run this test on a weekly or monthly basis, as new breach data will be added regularly.
Scenario 2: "XX Passwords for your domain found in breaches. None of these passwords are currently in your Active Directory."
If your Breached Password Test results display this outcome, it means the test has found one or more of your domains involved in breaches. However, the passwords associated with these accounts during the data breach are not currently in use in your AD.
This is a fair test result, however, users are known to revert to old passwords. Therefore, be sure to run this test on a regular basis to proactively mitigate this vulnerable scenario. We recommend stepping your users through security awareness training, as users who have been involved in data breaches are more likely to become social engineering or spear phishing targets.
Scenario 3: "XX Accounts currently using breached passwords. XX Passwords in your domain found in breaches"
If this message is displayed for your test results, a call to action should be implemented for the affected accounts. The interface lists the vulnerable Active Directory accounts that are using passwords that were leaked during a breach. The bad guys can easily find and use these passwords against your users–making your organization more prone to an intrusion.
We strongly suggest having the affected users change their passwords as soon as possible. Because users commonly revert to old passwords, after you've remedied this situation, make the Breached Password Test a part of your ongoing security controls and run it on a regular basis.
Exporting results
You can view your results on-screen instantly, but you can also download the results to disk as an Excel Spreadsheet (.xlsx) or PDF. You should save your results if you plan on re-running the test.
To save your results click Export to Excel or Export to PDF (as shown below). A prompt will appear that will allow you to name your file and choose where to save it.
Frequently Asked Questions (FAQ)
1. Can I see what the breached passwords are?
No. The passwords are hashed and cannot be displayed.
2. Are there any log files generated during the test?
Yes, a log file is created the first time you run Breached Password Test. The file can be found under C:\Program Data\KnowBe4\Breached Password Test.
3. I received an error message and my test did not run. What do I do?
If you received an error and could not complete the test, check the chart below to analyze what the issue may be:
Error Message | Issue |
The Active Directory account you are attempting to run the test with does not have Replicating Directory Changes Permissions. Please view the required Prerequisites in our manual, linked below. | The account you are using for the test does not have the proper permissions. Make sure you've created an account with Replicating Directory Changes AND Replicating Directory Changes - All Permissions. See above. |
Test was unable to run due to invalid user name and/or password. Please check your credentials and try the test again. | We were unable to connect to your AD using the credentials you provided. Make sure your user name and password are correct and try to run the test again. |
Server is unavailable. Please check your Domain DNS Name and try the test again. | This means your Domain DNS name is incorrect, or incorrectly formatted. Make sure you use the format of domain.com or domain.local and attempt to run the test again. |
Server is unavailable. Please check your Domain Controller and try the test again. | This means your Domain Controller IP is incorrect, or incorrectly formatted. Double check the IP and attempt to run the test again. |
The license validation failed. | This is likely to mean one of two things: a) either the license key you are using is invalid, or b) you are attempting to validate the license key through a proxy and it is failing as a result of that. If the error is due to a proxy, simply allow connections to this domain in your proxy settings to allow the validation of your license key to occur: https://bpt.knowbe4.com/* |
4. Can I run this test if I'm using Azure AD?
No. This tool will only work with a local AD.
5. My anti-virus flagged this as dangerous. Is it?
No, it is not dangerous. Breached Password Test's behavior could mimic that of a password-cracking tool used by hackers, which is why your antivirus may have flagged it as potentially dangerous.
6. I have several users with breached passwords. What do I do now?
First and foremost, have your users change their passwords immediately.
Secondly, train your users on proper password practices with security awareness training, and remind them of these practices often. It is important to tell your users not to use reuse passwords across different accounts. KnowBe4 offers several courses covering proper password practices, which you can train your users with.
While we cannot advise you on the specifics of how to prevent password vulnerabilities in your organization, we can point you in the direction of some great resources which can help.
- TechNet: Configuring Password Policies
- TechNet: Best Practices for Enforcing Password Policies
- Microsoft: Password Guidance (Downloadable PDF)
7. Where do you get your breach data from? Can I see it?
The data used for Breached Password Test is obtained through researching publicly-available breach information. For privacy and security purposes, the Breached Password Test database is proprietary information. Additionally, KnowBe4 partners with Spycloud.com to search past breaches. Spycloud is a well-respected online resource which specializes in allowing users to search for their email address to see if their information has been made available in past data breaches.
8. Is there a way to see which of my users have had their details leaked?
For privacy and security reasons, the Breached Password Test cannot provide details about the original breached account that was associated with your domain. However, if you sign up for or review your EEC Pro results, you may find more information on specific breaches your users have been involved in.