PasswordIQ scans the users in your Active Directory for 11 types of password vulnerabilities. After you receive your scan results, you can work with your users to resolve the password vulnerabilities that PasswordIQ detects. To learn how to view your scan results, see our How to Use Your PasswordIQ Dashboard article.
To learn how you can resolve your users' password vulnerabilities, see the sections below. For general information about PasswordIQ, see our PasswordIQ Product Manual.
Weak Password
When PasswordIQ detects a weak password, see our recommendations for resolving this vulnerability below:
- Notify the user that their current password is a weak password.
- Ask the user to change their password.
- Provide training that teaches the user how to create strong passwords. KnowBe4 offers training modules in the ModStore that you can assign to your users, including Creating Strong Passwords - Security Awareness Training, How to Create Strong Passwords with Quiz, and Password Security. For more information about ModStore training content, see our ModStore and Library Guide article.
Shared Password
If PasswordIQ detects a shared password, see our recommendations for resolving this vulnerability below:
- Notify the user that their current password is a shared password.
- Ask the user to change their password for all accounts that they use that password for.
- Provide training that teaches the user how to create unique passwords. KnowBe4 offers training modules in the ModStore that you can assign to your users, including Creating Strong Passwords - Security Awareness Training, How to Create Strong Passwords with Quiz, and Password Security. For more information about ModStore training content, see our ModStore and Library Guide article.
Clear Text Password
If PasswordIQ detects a clear text password for one user or a group of users, the reversible encryption setting may be enabled for their accounts.
To find this setting, follow the steps below:
- Open Active Directory.
- Navigate to the user's account properties.
- Select the Account tab.
- In the Account options section, find the Store password using reversible encryption setting. Make sure this option is not selected.
- Alert your users to change their passwords.
If PasswordIQ detects a clear text password for all of your users, the reversible encryption setting may be set in your Group Policy.
To find this setting, follow the steps below:
- Open the Group Policy Management Editor.
- Navigate to this path: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.
- Open the Store password using reversible encryption policy. Make sure this policy is disabled.
- Force an update for group policies applied by your company.
- Alert your users to change their passwords.
If PasswordIQ detects a clear text password, the STORE_CLEARTEXT flag may be enabled for your entire organization.
To determine if this flag is enabled, follow the steps below:
- From your domain controller, open the Active Directory Users and Computers (ADUC).
- Right-click the domain name and select Properties.
- Select the Attribute Editor tab and find the pwdProperties attribute. If this attribute contains the STORE_CLEARTEXT flag, the domain is configured to allow clear text passwords. You can disable this setting through the Default Domain Policy or another enforced domain policy.
Empty Password
If PasswordIQ detects an empty password, the Minimum password length setting may be set to 0 in your Group Policy. This setting allows passwords to have zero characters.
To find this setting, follow the steps below:
- Open the Group Policy Management Editor.
- Navigate to this path: Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy.
- Open the Minimum password length policy.
DES-Only Encryption
If PasswordIQ detects DES-Only encryption, the DES encryption setting may be enabled for the account.
To find this setting, follow the steps below:
- Open Active Directory.
- Navigate to the user's account properties.
- Select the Account tab.
- In the Account options section, find the Use Kerberos DES encryption types for this account setting.
Breached Password
If PasswordIQ detects a breached password, see our recommendations for resolving this vulnerability below:
- Notify the user that their current password is accessible due to a data breach.
- Ask the user to change their password for all accounts that they use that password for.
- Assign the latest version of our KnowBe4 Security Awareness Training to the user to prepare them for potential social engineering attacks. Cybercriminals may be more likely to target users who are involved in data breaches.
Password Not Required
If PasswordIQ detects a password that is not required, the PASSWD_NOTREQD flag may be set in the account's userAccountControl attribute. To find this setting, follow the steps below:
- Open Active Directory.
- Enable Advanced Features (View > Advanced Features).
- Navigate to the user's account properties.
- Select the Attribute Editor tab and find the userAccountControl attribute.
Password Never Expires
If PasswordIQ detects a password that never expires for one user or a group of users, the Password never expires setting may be enabled for their accounts.
To find this setting, follow the steps below:
- Open Active Directory.
- Navigate to the user's account properties.
- Select the Account tab.
- In the Account options section, find the Password never expires setting.
If PasswordIQ detects a password that never expires for all of your users, the Maximum password age setting may be set to 0 in your Group Policy.
To find this setting, follow the steps below:
- Open the Group Policy Management Editor.
- Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Security Options.
- Open the Maximum password age policy.
- Force an update for group policies applied by your company.
You may also want to check if a fine-grained password policy related to maximum password age is applied for a group of users.
To find this setting, follow the steps below:
- Open Active Directory Administrative Center.
- Navigate to your domain, then to System\Password Settings Container.
- Check whether any of the password policies listed there has the Enforce maximum password age option disabled.
LM Hash Password
If PasswordIQ detects a LAN Manager (LM) hash password, the LM hash setting may be enabled in your Group Policy.
To find this setting, follow the steps below:
- Open the Group Policy Management Editor.
- Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
- Open the Network Security: Do not store LAN Manager hash value on next password change policy.
- Force an update for group policies applied by your company.
- Alert your users to change their passwords.
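The domain-level checks from the Clear Text Password, Empty Password, Password Never Expires and LM Hash sections above can be scripted. The following is an added example, not code from the PasswordIQ article or from KnowBe4; it assumes the ActiveDirectory RSAT module is installed and that you run it in a domain-joined session with read access to the domain object.

```powershell
# Added example, not part of the PasswordIQ article: domain-wide checks behind the
# Clear Text, Empty Password, Password Never Expires and LM Hash findings above.
# Assumes the ActiveDirectory RSAT module and a domain-joined session with read access.
Import-Module ActiveDirectory

function Get-DomainPasswordPolicyFindings {
    $findings = @()
    $domain = Get-ADDomain
    $policy = Get-ADDefaultDomainPasswordPolicy

    # Default Domain Policy values that produce domain-wide findings
    if ($policy.ReversibleEncryptionEnabled) {
        $findings += 'Default policy: Store password using reversible encryption is enabled'
    }
    if ($policy.MinPasswordLength -eq 0) {
        $findings += 'Default policy: Minimum password length is 0 (empty passwords allowed)'
    }
    # A maximum age of 0 ("never expires") comes back as a zero or negative TimeSpan
    if ($policy.MaxPasswordAge.Ticks -le 0) {
        $findings += 'Default policy: Maximum password age is 0 (passwords never expire)'
    }

    # pwdProperties on the domain object: bit 0x10 is DOMAIN_PASSWORD_STORE_CLEARTEXT
    $domainObj = Get-ADObject -Identity $domain.DistinguishedName -Properties pwdProperties
    if ([int]$domainObj.pwdProperties -band 0x10) {
        $findings += 'Domain pwdProperties: STORE_CLEARTEXT flag is set'
    }

    # Fine-grained password policies whose maximum age is not enforced
    foreach ($fgpp in Get-ADFineGrainedPasswordPolicy -Filter *) {
        if ($fgpp.MaxPasswordAge.Ticks -le 0) {
            $findings += "FGPP '$($fgpp.Name)': maximum password age not enforced (applies to $($fgpp.AppliesTo.Count) subjects)"
        }
    }
    return $findings
}

# LM hash storage is an LSA setting on each DC; the GPO named in the LM Hash section
# sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash to 1. Run this on each DC.
function Test-NoLMHash {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name NoLMHash -ErrorAction SilentlyContinue
    return ([int]$lsa.NoLMHash -eq 1)
}

Get-DomainPasswordPolicyFindings
if (-not (Test-NoLMHash)) { 'This DC will still store LM hashes on the next password change (NoLMHash is not 1)' }
```

Policy changes made through Group Policy only take effect after the policy is refreshed and, for hash-related settings, after the affected users change their passwords, as the sections above note.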
AES Encryption Is Not Set
If PasswordIQ detects that Advanced Encryption Standard (AES) encryption was not set for one user or a group of users, the AES encryption setting may need to be enabled for their accounts.
To find this setting, follow the steps below:
- Open Active Directory.
- Navigate to the user's account properties.
- Select the Account tab.
- In the Account options section, find the This account supports Kerberos AES128 bit encryption setting or the This account supports Kerberos AES256 bit encryption setting. Select the option available to you.
If PasswordIQ detects that AES encryption was not set for all your users, AES encryption types may need to be selected in your Group Policy.
To find this setting, follow the steps below:
- Open Group Policy Management Editor.
- Navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options.
- Open the Network security: Configure encryption types allowed for Kerberos policy. Make sure the AES types, AES128_HMAC_SHA1 and AES256_HMAC_SHA1, are selected.
Missing Pre-Authentication
If PasswordIQ detects missing pre-authentication, the Do not require Kerberos preauthentication setting may be enabled for the account.
To find this setting, follow the steps below:
- Open Active Directory.
- Navigate to the user's account properties.
- Select the Account tab.
- In the Account options section, find the Do not require Kerberos preauthentication setting.
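The per-account settings described in the Clear Text Password, DES-Only Encryption, Password Not Required, Password Never Expires, AES Encryption Is Not Set and Missing Pre-Authentication sections are all stored as bits in two attributes, so they can be audited in one pass. The following is an added example, not code from the PasswordIQ article or from KnowBe4; it assumes the ActiveDirectory RSAT module and read access to user objects.

```powershell
# Added example, not part of the PasswordIQ article: per-account checks behind the
# Clear Text, DES-Only, Password Not Required, Password Never Expires, AES Not Set
# and Missing Pre-Authentication findings. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

# userAccountControl bits behind the ADUC Account tab checkboxes (values from
# Microsoft's documentation of the attribute)
$UacFlags = [ordered]@{
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x80       # Store password using reversible encryption
    PASSWD_NOTREQD             = 0x20       # Password not required
    DONT_EXPIRE_PASSWORD       = 0x10000    # Password never expires
    USE_DES_KEY_ONLY           = 0x200000   # Use Kerberos DES encryption types
    DONT_REQ_PREAUTH           = 0x400000   # Do not require Kerberos preauthentication
}
# msDS-SupportedEncryptionTypes bits behind the two AES checkboxes
$Aes128 = 0x8
$Aes256 = 0x10

function Get-AccountPasswordFindings {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $props = 'userAccountControl', 'msDS-SupportedEncryptionTypes'
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties $props |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            $uac = [int]$_.userAccountControl
            $flags = @(foreach ($name in $UacFlags.Keys) {
                if ($uac -band $UacFlags[$name]) { $name }
            })
            # An absent attribute casts to 0: neither AES checkbox is selected
            $etypes = [int]($_.'msDS-SupportedEncryptionTypes')
            if (-not ($etypes -band ($Aes128 -bor $Aes256))) { $flags += 'NO_AES_ETYPE' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{ SamAccountName = $_.SamAccountName; Findings = ($flags -join ',') }
            }
        }
}

Get-AccountPasswordFindings | Format-Table -AutoSize
```

Each row lists one enabled account and the flags that correspond to the checkboxes the sections above tell you to inspect, so the output can be compared directly against the PasswordIQ scan results.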