How do you know your users aren't using easy-to-guess passwords? You rely on your operating system/Active Directory password complexity requirements. You force users to create passwords with upper case, lower case, a number and maybe even a special character. You can even make the minimum length 8 or 9 characters, or even more.
This is not enough. Look at this password; you may even have used it yourself:
ZAQ!1qaz
This password complies with every requirement I mentioned above. Take a moment and look at your keyboard and how easy it is to type that password in. You hold down the Shift key and go up the keys on the far left, then let go of Shift and go back down. This is called a keyboard combination (often also called a keyboard walk), and you can imagine there are many of them. Just go across your keyboard and you can find many passwords that are easy to remember or type in.
The problem with this is that you can also build a pretty good password file from these patterns and then use it to crack passwords. If you audit your domain passwords, you might use pwdump or fgdump to extract the hashes from your domain controller or even a local computer. Then you can run the hashes through John the Ripper with a dictionary file of these keyboard combinations. Just like that, you can catch users who have put this bad habit into practice. So it would seem our initial control, AD password complexity, is not fully working.
This is where a program like Password Policy Enforcer (PPE) can help you out. PPE gives you the ability to add a dictionary file to the AD complexity rules. In addition to the complexity requirements, you can stop users from creating passwords that exist in a dictionary file of your choice. That way, the next time you crack passwords, theoretically you should crack 0 passwords, if you are using the same dictionary file.
There are additional security measures such as multi-factor authentication, biometrics, etc., but this is a good start.
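As an added example (not part of PPE or this post), here is the kind of check a password filter can run at password-change time: it rejects a candidate if it is in a blocklist like the dictionary file above, or if it is a keyboard walk on a US QWERTY layout. It goes a bit beyond the single example in the post by also catching passwords made of several walks glued together (like `1qaz2wsx`); the `BLOCKLIST` contents are constructed for the demo.

```python
from typing import Dict, List, Tuple

# US QWERTY rows; the shifted string sits on the same physical keys as the plain one
_ROWS = [
    ("1234567890-=", "!@#$%^&*()_+"),
    ("qwertyuiop[]", "QWERTYUIOP{}"),
    ("asdfghjkl;'", 'ASDFGHJKL:"'),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]

# Every character -> (row, column) of the key that produces it
_KEY_POS: Dict[str, Tuple[int, int]] = {}
for _r, (_plain, _shifted) in enumerate(_ROWS):
    for _c, (_p, _s) in enumerate(zip(_plain, _shifted)):
        _KEY_POS[_p] = (_r, _c)
        _KEY_POS[_s] = (_r, _c)


def _adjacent(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    # Same key (e.g. '!' followed by '1') or a neighbouring key, diagonals included
    return abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1


def is_keyboard_walk(password: str, min_run: int = 3) -> bool:
    """True if the password consists only of runs of adjacent keys, each at least
    min_run long ('1qaz2wsx' is two such runs; 'Winter2024!' jumps around)."""
    if len(password) < min_run or any(ch not in _KEY_POS for ch in password):
        return False  # too short, or contains keys we cannot place (space, non-ASCII)
    positions = [_KEY_POS[ch] for ch in password]
    run = 1
    for prev, cur in zip(positions, positions[1:]):
        if _adjacent(prev, cur):
            run += 1
        else:
            if run < min_run:
                return False  # a short fragment before a jump: not a walk
            run = 1
    return run >= min_run


# Constructed stand-in for the banned-password dictionary a tool like PPE consumes
BLOCKLIST = {"password1", "welcome1", "changeme"}


def check_password(password: str, blocklist=BLOCKLIST) -> List[str]:
    """Return the reasons a candidate would be rejected (empty list means accepted)."""
    reasons = []
    if password.lower() in blocklist:  # dictionary matches are case-insensitive
        reasons.append("in blocklist")
    if is_keyboard_walk(password):
        reasons.append("keyboard walk")
    return reasons
```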
