KnowBe4 Releases Weak Password Test Tool

On the heels of Verizon’s 2017 Data Breach Investigations Report, IT security company KnowBe4 released Weak Password Test (WPT), a free tool for organizations that use Active Directory. As the fastest growing security awareness training and simulated phishing company, KnowBe4 found this was an area where companies needed help. The Verizon report, which KnowBe4 participated in, showed 81 percent of hacking-related data breaches leveraged either stolen and/or weak passwords. Weak Password Test.png

According to KnowBe4 CEO Stu Sjouwerman, “KnowBe4’s release of Weak Password Test furthers our mission to empower IT pros with proactive tools to detect threats and educate their users to have security top of mind. Our customers use KnowBe4’s new-school security awareness to reduce their organizations phish-prone percentage, and now they can also mitigate both user- and implementation-related password management weaknesses. Using a weak password is an open-door invitation to cybercriminals. Weak Password Test makes it quick and easy to identify weak passwords so IT managers can take effective action fast.”

WPT checks Active Directory for multiple types of threats related to weak passwords. The tool can be connected to Active Directory to locally analyze for the following vulnerabilities in just a few minutes:

  • Weak Passwords – including the most common passwords and dictionary passwords
  • Duplicate Passwords – passwords shared among multiple accounts
  • Empty Password – accounts that have blank passwords
  • Password Never Expires – accounts with no requirement to change the password
  • Password Not Required – accounts that could be set to a blank password
  • LM Hash Password – accounts that store passwords using a LAN Manager hash, which is susceptible to brute force attacks
  • AES Keys Missing – accounts set up using older functional AD levels and as such have no AES keys, these will use weaker encryption methods
  • Kerberos DES-Only – accounts setup using the older and since retired DES encryption mechanism
  • Pre-Authentication Missing – accounts that do not encrypt authentication requests, giving the attacker the ability to perform offline brute force attacks which are less likely to be detected

By using WPT, IT managers will know if their password management fails in any of these areas so that they can take action. Depending upon the failures this may involve user training or technical controls being put into place.

Perry Carpenter, KnowBe4’s Chief Evangelist and Strategy Officer, added: “Weak Password Test demonstrates our commitment to provide organizations with tools aimed at strengthening their security and risk posture by detecting behavior-based threats caused by human error. New- school security awareness is all about the intersection of behavior and training. I love the WPT because it advances that vision by giving organizations insight into the password-management practices of their employees. Savvy security awareness program managers can then take this insight and tailor training to match the behavior patterns that are reported.”

To keep security tight, the tool does not show/report on the actual passwords of accounts, it simply reports on the accounts that are affected by the aforementioned vulnerabilities.

For more information, or to download the no-charge Weak Password Test, visit www.knowbe4.com