Password security is a critical issue, and a recent story from UK-based security firm Reliance Cyber highlights the dangers of poor password management. The firm's head of reactive consulting services, Rob Anderson, tells of a company that stored passwords in Active Directory description fields, making them easily accessible to hackers.
The lapse arose because the company's developers created service accounts without a proper password vault. Instead, they stored the passwords in the description field of Active Directory, believing it would make it easier for team members to find what they needed. However, this decision proved to be a costly mistake.
Anderson emphasizes the importance of understanding the accessibility of Active Directory fields. He states, 'People don't realize that as soon as you've got an Active Directory user — just an ordinary user — you can read the comments field or the description field across the whole of Active Directory.' That gap in awareness was exploited when a hacker gained access to the company's network through a phishing campaign, using the offensive hacking tool Sliver. The hacker captured the victim's credentials and queried Active Directory, finding a treasure trove of passwords with full domain access.
The consequences were severe. The hackers deleted backups and executed ransomware, putting 2000+ users out of action. The company was taken offline for months, causing significant disruption. Anderson's story serves as a stark reminder that passwords should never be stored in cleartext in easily accessible locations.
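An administrator can look for the same exposure in their own directory. The following added example (not from the original article or from Reliance Cyber) audits a directory export for free-text fields that appear to hold credentials. The CSV layout, column names and sample rows are constructed assumptions, and findings name the account and field without echoing the value.

```python
import csv
import io
import re

# Constructed sample export (not real data); the column names are assumptions
# about how the directory export was produced.
SAMPLE_EXPORT = """sAMAccountName,description,info
svc_backup,Backup service account pw: Winter2024!,
svc_sql,SQL Server service account,
jdoe,Finance analyst,
svc_web,IIS app pool,password=Tr0ub4dor&3
svc_print,Print server - P@ssw0rd123,
"""

# A credential keyword followed by ":" or "=" and a value, e.g. "pw: xyz".
KEYWORD = re.compile(r"\b(?:pass(?:word|wd)?|pwd|pw)\s*[:=]\s*\S+", re.IGNORECASE)


def token_classes(token):
    """Count the character classes (lower, upper, digit, symbol) in a token."""
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(check(c) for c in token) for check in checks)


def audit_field(text):
    """Return a reason if a free-text field looks like it holds a secret."""
    if KEYWORD.search(text):
        return "credential keyword with value"
    # Heuristic for unlabelled secrets: long tokens mixing 3+ character classes.
    for token in text.split():
        if len(token) >= 8 and token_classes(token) >= 3:
            return "password-like token"
    return None


def audit_export(csv_text, fields=("description", "info")):
    """Return (account, field, reason) for each suspicious field in the export."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in fields:
            reason = audit_field(row.get(field) or "")
            if reason:
                findings.append((row["sAMAccountName"], field, reason))
    return findings


if __name__ == "__main__":
    for account, field, reason in audit_export(SAMPLE_EXPORT):
        print(f"{account}: {field} -> {reason} (value withheld)")
```

The token heuristic will produce some false positives, so treat the output as a review list. Any account it flags should have its password rotated and moved into a vault, not just have the field cleared.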
He also mentions the risk of untrustworthy colleagues selling passwords to threat actors. A recent survey found that one in eight workers think selling company logins can be justified, further emphasizing the potential dangers. Anderson advises, 'Trust no one.'
The article concludes by highlighting the importance of secure password management and the need for developers to be more cautious about where they store credentials. It serves as a warning to organizations to take password security seriously and to avoid the pitfalls of poor password practices.