Password Exposure Test Product Manual
The Password Exposure Test (PET) is a free tool that analyzes the passwords of the accounts in your Active Directory (AD) for numerous types of password vulnerabilities. Using this test will increase your organization's awareness by letting you know if you're susceptible to a password-related attack.
The PET results will display which user accounts failed the test, and what vulnerability or vulnerabilities they failed with. This information can empower you to enhance your internal security measures by training your users about password safety, enhancing your password complexity rules, or taking other actions to bolster your cybersecurity posture.
Use the jump links below to learn how to install PET and understand your results.
How Does the Password Exposure Test Work?
The Password Exposure Test analyzes the following AD information in order to check for weak and vulnerable passwords:
- Your AD password table (containing hashed passwords)
- The encryption algorithm of your AD password table
- The primary domain found in your AD tree
The PET also uses your business email domain to assess the amount of data that is publicly available about your organization.
It is important to note that this tool will never display or report the actual passwords of any user accounts in your AD. Passwords within AD are in a hashed format and will not be visible at any point. The test results will simply identify the user accounts which fail the test so you can decide how to remedy that.
Additionally, the data pulled from AD is encrypted. The information obtained during the test is saved in local memory, not to disk. Your domains are the only data transmitted to us from your AD at any point during the test.
To run the PET, the system you use must have the following:
- Windows 7 or higher (32 or 64-bit)
- Active Directory, running on Windows Server 2008 R2 or greater
- Ability to access the domain controller (DC)
- Internet access
- .NET Framework 4.5.2 (will be installed if needed)
- 300 MB hard disk space
You should also run this test on a system other than your DC as the scanning process can temporarily generate significant network traffic and CPU usage.
For installation, you will need the following information:
- A license key, emailed to you when you sign up for PET
- Domain name of your Active Directory (For example: MyDomain.com or MyDomain.local)
- Internal IP of your Domain Controller (DC)
- Credentials to connect to your AD
- IMPORTANT! The credentials you use to connect to Active Directory with Password Exposure Test must have "Replicating Directory Changes" and "Replicating Directory Changes All" permissions for the test to run successfully. This permission allows you to obtain a copy of your password table for analysis.
- This article will show you how to quickly add these required permissions to an account in AD: How to Grant "Replicating Directory Changes" Permissions
- A domain admin does not have permission by default to access this information, so using the tool with a domain admin account will not necessarily allow you to run the test successfully.
- We strongly recommend creating a new account in AD with these permissions for the purpose of running this test. Once the test is complete, you should delete this new account in accordance with the principle of least privilege.
- Why create a new account? Creating a new account will make it easier to determine when this test took place and which account accessed the information, should you need to look for that information in the future. It also makes it easier to remove those permissions: once the test is done, simply delete the newly-added user account.
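The replication permissions described above let an account read the domain's password table, so it is worth verifying after the test that the temporary account and its rights are really gone. The following PowerShell script is an added example, not part of the KnowBe4 manual or the PET tool; it assumes the RSAT ActiveDirectory module is installed and that the caller can read the security descriptor of the domain head. It lists every principal holding one of the replication extended rights (or a broader right that implies them) on the domain naming context.

```powershell
# Added example, not part of the KnowBe4 manual: list every principal that holds one of
# the "Replicating Directory Changes" extended rights on the domain naming context, so you
# can confirm the temporary PET account (and its permissions) is gone once the test is done.
# Assumes the RSAT ActiveDirectory module is installed and the caller can read the domain
# head's security descriptor.
Import-Module ActiveDirectory

# rightsGuid values of the replication extended rights, as defined in the AD schema.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Get-ReplicationRightHolders {
    param(
        # Distinguished name of the domain head, e.g. 'DC=mydomain,DC=local'.
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $genericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
    $acl = Get-Acl -Path "AD:\$DomainDN"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $guid = $ace.ObjectType.ToString().ToLower()

        if ($ace.ActiveDirectoryRights.HasFlag($genericAll)) {
            $right = 'GenericAll (implies all replication rights)'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($extendedRight) -and $guid -eq [guid]::Empty.ToString()) {
            # An ExtendedRight ACE with an empty ObjectType grants every extended right.
            $right = 'All extended rights (implies all replication rights)'
        } elseif ($ace.ActiveDirectoryRights.HasFlag($extendedRight) -and $ReplicationRights.ContainsKey($guid)) {
            $right = $ReplicationRights[$guid]
        } else {
            continue
        }

        [pscustomobject]@{
            Principal = $ace.IdentityReference.Value
            Right     = $right
            Inherited = $ace.IsInherited
        }
    }
}

# Domain controllers, Enterprise Domain Controllers, Administrators and similar built-ins are
# expected here; anything else, such as a leftover PET account, deserves a look.
Get-ReplicationRightHolders | Sort-Object Principal, Right | Format-Table -AutoSize
```

Run it once before the test to record the baseline and once after deleting the PET account; the two outputs should match.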
Installation and Setup
Before you begin, be sure to read the system requirements and prerequisites (above) prior to installation. Then, follow the steps below to complete the install.
- Sign up for your free Password Exposure Test by navigating to https://www.knowbe4.com/password-exposure-test
Upon signing up, we will email you a unique license key, which you'll need to enter prior to running the test.
- Download and run the installer file for Password Exposure Test. Review and agree to the License Agreement and then click Install.
- Click Yes if prompted to allow the program to make changes.
- The installation will begin; click Launch once it is complete.
Click Yes if prompted to allow the program to make changes.
- Enter your unique License Key, which was sent to the email address you provided when signing up. Click OK.
- Enter the following credentials, as shown in the image below.
- (a) The Domain name (DNS) of your Active Directory (For example, mydomain.com or mydomain.local)
- (b) The internal IP of your Domain Controller (DC) (For example, 10.20.10.10)
- (c) The Username and Password for the account you created which has "Replicating Directory Changes" and "Replicating Directory Changes All" permissions
The test will analyze your organization's AD accounts and your results will be displayed on-screen as soon as the test is complete. This process usually only takes a moment to complete but may take longer depending on your AD and workstation performance.
Analyzing Your Results
The Password Exposure Test results show the total number of AD accounts checked and the number of accounts that are vulnerable and not vulnerable.
Each of your AD accounts will be listed in the results table and a checkmark will indicate the specific vulnerability or vulnerabilities found on that particular account. You can also search for a specific account by entering characters into the search box.
The test also performs a data exposure assessment and calculates an Exposure Level percentage and Risk Distribution pie chart for your organization.
Refer to the details below to learn more about the different types of results available in your PET.
1) Vulnerable Accounts: Lists the total number of accounts that were assessed and found to have vulnerabilities.
2) Not Vulnerable: The number of accounts that were assessed and determined to not have vulnerabilities.
3) All Accounts: The total number of accounts assessed during your test.
4) Found Vulnerabilities pie chart: Compares all of the password vulnerabilities found in your AD and indicates which vulnerabilities are most prevalent in your organization.
5) Risk Distribution pie chart: A visual representation of the severity of the data that is publicly-available about your organization. Hover over the pie chart to identify the two segments, or "ranks" of data exposure results, outlined below:
- High Risk: Results were found in publicly-available breach data, which could contain sensitive personal information about your employees. This information can be used to create a sophisticated social engineering attack against individuals or an organization.
- Very High Risk: Results were found in publicly-available breach data, where passwords were leaked during the breach. These password breaches included cleartext passwords or password hashes.
6) Exposure Level: The percentage of your employees that were found to have publicly exposed data. Any account meeting at least one of the following failure types (found in the PET results table) contributes toward this percentage: Sensitive Info Exposed, Password Info Exposed, or Breached Password.
For more information on these failure types, please see the Additional Results section below.
7) Failure Types/Vulnerabilities Found: You can click each of the failure types in the panel on the left-hand side to filter the results to only show the accounts having that vulnerability. See the next section for details on these failure types.
Failure Types/Vulnerabilities Found
The Password Exposure Test analyzes your data to look for over 12 different failure types which can leave your organization vulnerable to an attack. The following table explains each of the primary PET vulnerabilities included in your results.
| Failure Type | Description |
| --- | --- |
| 1) Weak Passwords | The affected account's password matched one of those listed in our Weak Password dictionary (see FAQ #6, below). These passwords are either very common, easy to guess, or have been made available to attackers because of past data breaches. |
| 2) Breached Password | The affected account's password matches a password that was associated with an email address at your domain at the time of a data breach. Your AD accounts are checked against a database of breached data that contains over one billion leaked passwords. When credentials are leaked during any breach, the bad guys can obtain this information and use leaked passwords against not only the account the password was breached from, but all accounts under your domain, increasing the likelihood of a successful intrusion. |
| 3) Password Info Exposed | The affected account has been found in publicly-available breaches that contain either cleartext passwords or password hashes. This leaked credential information makes the account a target for attackers who could use this data to gain unauthorized access to systems. Note: The results for this failure type are found in the fourteenth column in the results table. |
| 4) Non-Unique Passwords | The affected account shares a password with at least one other account in your AD. |
| 5) Empty Passwords | The affected account does not have a password defined. |
| 6) Clear Text Password | The affected account's password is stored using reversible encryption, which means it is effectively stored in clear text. |
| 7) Password Not Required | The affected account is permitted to have no password. |
| 8) Password Never Expires | The affected account is set so that its password never expires. |
| 9) LM Hashes | The affected account uses a LAN Manager (LM) hash. This is an antiquated method of hashing passwords; these hashes are vulnerable to brute force attacks and can be cracked by hackers within seconds. |
| 10) AES Keys Missing | The affected account was set up under an older AD functional level and therefore has no Advanced Encryption Standard (AES) keys, so it relies on weaker encryption methods. |
| 11) DES-only Encryption | The affected account was set up using the older, since-retired Data Encryption Standard (DES) mechanism. This can be a result of old software that does not know how to handle AES. |
| 12) Pre-authentication Missing | The affected account has an important security mechanism turned off, which can open up the account to offline, difficult-to-detect brute force attacks. When enabled, the mechanism creates an encrypted authentication request so that attempts to authenticate to the account are logged. |
The following are additional columns found in the PET results table, which are not explained in the Failure Types table, above. These additional details and failure types can help to determine which of your AD accounts are the most vulnerable, and therefore in need of the most immediate attention.
- Domain: Signifies which Domain is used in the corresponding AD account.
- Sensitive Info Exposed: The affected accounts were found to have some of their identity information publicly visible, leaving them susceptible to phishing attacks.
- Social Info Exposed: The affected account was found to have a public social media presence.
- Password Last Modified: The date the password was last changed for the corresponding AD account.
- Breach Entry Timestamp: The approximate date that the affected account was last involved in a breach.
Please see below for additional information about where we obtain our breach data.
- Breach Info: Describes the type of breach the account was involved in (that is, how the breach occurred and, where available, what type of sensitive data was leaked as a result).
Frequently Asked Questions (FAQs)
1) I had several users fail the test. What do I do now?
First and foremost, have the users with vulnerable accounts change their passwords immediately.
Secondly, train your users on proper password practices with security awareness training and remind them often. It is important for them to know that hackers can crack a password within seconds with the right tools in hand.
KnowBe4 offers several courses covering proper password practices, which can be used to train your users.
For many of the vulnerabilities, you’ll also want to enforce stricter password requirements in your organization. We strongly recommend increasing your password complexity requirements and setting a rule to ensure passwords expire on a regular basis.
While we cannot advise you on the specifics of how to remedy all of the password vulnerabilities in your organization, we can point you in the direction of some great resources that can help.
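Since the FAQ recommends raising complexity requirements and making passwords expire, a quick way to see where the domain currently stands is to read the password policy objects that enforce those rules. The script below is an added example, not part of the KnowBe4 manual; it assumes the RSAT ActiveDirectory module, and the thresholds (12 characters, 90 days) are assumptions for illustration that you should replace with your own standard. It checks the default domain policy and every fine-grained password policy, and also flags reversible encryption, which is the policy-level cause of the Clear Text Password failure type.

```powershell
# Added example, not part of the KnowBe4 manual: compare the domain's password policies
# against a set of thresholds (assumed values; adjust to your own standard).
Import-Module ActiveDirectory

function Test-PetPasswordPolicy {
    param(
        # Object from Get-ADDefaultDomainPasswordPolicy or Get-ADFineGrainedPasswordPolicy.
        [Parameter(Mandatory)] $Policy,
        [int]$MinLength  = 12,   # assumed threshold
        [int]$MaxAgeDays = 90    # assumed threshold
    )
    $issues = @()
    if (-not $Policy.ComplexityEnabled) {
        $issues += 'Complexity requirement is disabled'
    }
    if ($Policy.MinPasswordLength -lt $MinLength) {
        $issues += "MinPasswordLength $($Policy.MinPasswordLength) is below $MinLength"
    }
    # A MaxPasswordAge of zero means passwords never expire for everyone under this policy.
    if ($Policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
        $issues += 'MaxPasswordAge is unlimited (passwords never expire)'
    } elseif ($Policy.MaxPasswordAge.TotalDays -gt $MaxAgeDays) {
        $issues += "MaxPasswordAge $([int]$Policy.MaxPasswordAge.TotalDays) days exceeds $MaxAgeDays"
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $issues += 'Reversible encryption is enabled (PET: Clear Text Password)'
    }
    return $issues
}

# Default domain policy applies to every account without a fine-grained policy.
$default = Get-ADDefaultDomainPasswordPolicy
$defaultIssues = @(Test-PetPasswordPolicy -Policy $default)
if ($defaultIssues.Count -eq 0) {
    Write-Output 'Default domain policy: meets the assumed thresholds'
} else {
    $defaultIssues | ForEach-Object { Write-Output "Default domain policy: $_" }
}

# Fine-grained policies override the default for the groups or users they apply to.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $name = $_.Name
    Test-PetPasswordPolicy -Policy $_ | ForEach-Object { Write-Output "FGPP '$name': $_" }
}
```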
2) Can I see what the weak and breached passwords are?
No. The passwords are hashed and cannot be displayed.
3) Can I run this test if I'm using Azure AD?
No. This tool will only work with a local AD.
4) I received an error message and my test did not run. What do I do?
If you received an error and could not complete the test, check the chart below to analyze what the issue may be:

| Error Message | Meaning and Remedy |
| --- | --- |
| The Active Directory account you are attempting to run the test with does not have Replicating Directory Changes Permissions. | The account you are using for the test does not have the proper permissions. Make sure you've created an account with Replicating Directory Changes AND Replicating Directory Changes All permissions. See above. |
| Test was unable to run due to invalid user name and/or password. Please check your credentials and try the test again. | We were unable to connect to your AD using the credentials you provided. Make sure your user name and password are correct and try to run the test again. |
| Server is unavailable. Please check your Domain DNS Name and try the test again. | This means your Domain DNS name is incorrect, or incorrectly formatted. Make sure you use the format of domain.com or domain.local and attempt to run the test again. |
| Server is unavailable. Please check your Domain Controller and try the test again. | This means your Domain Controller IP is incorrect, or incorrectly formatted. Double check the IP and attempt to run the test again. |
| The license validation failed. | This is likely to mean one of two things: a) the license key you are using is invalid, or b) you are attempting to validate the license key through a proxy and it is failing as a result. If the error is due to a proxy, allow connections to the following domains in your proxy settings so that your license key can be validated: |
Absolutely. If you want to run the test again, just click the Rerun Test button, below the Risk Distribution pie chart. Be sure to download a PDF or Excel sheet of your current results before running a new test.
Our Weak Passwords dictionary (weakpasswords.txt) file contains over 11 million weak and/or compromised passwords from past data breaches. The file is located in C:\ProgramData\KnowBe4\Password Exposure Test\Dictionaries and is compared against the passwords in your AD during the PET.
Hackers use similar dictionaries to attempt to crack your organization’s passwords. This type of weak password is only one of the vulnerabilities we are looking for, however. The Password Exposure Test analyzes 12 variations of password vulnerabilities.
7) Where do you get your breach data from? Can I see it?
The breached data shown in Password Exposure Test is obtained through researching publicly-available breach information. For privacy and security purposes, the Password Exposure Test database is proprietary information. Additionally, KnowBe4 partners with Spycloud.com to search past breaches. Spycloud is a well-respected online resource which specializes in allowing users to search for their email address to see if their information has been made available in past data breaches.
8) My anti-virus flagged this as dangerous. Is it?
No, it is not dangerous. The Password Exposure Test’s behavior could mimic that of a password-cracking tool used by hackers, which is why your antivirus may have flagged it as potentially dangerous.
9) Are any log files generated during the test?
Yes. A log file is created when you run the Password Exposure Test. The file can be found under C:\ProgramData\KnowBe4\Password Exposure Test\DebugLogs.