Even after you implement policy compliance checks to enforce best practices for strong passwords, your users can still create insecure passwords. They may not be able to create passwords with eight or fewer characters or with only alphabetical characters. But as long as their passwords conform to the policies you implement, your users can create passwords that match their user name or company name. And those passwords are among the easiest to guess.
To prevent this type of password vulnerability, your policy compliance scans need to check the actual passwords of your users, not just the rules governing the passwords they can create. Three of these password auditing checks are now available in QualysGuard 6.15 Update:
- CID 3893 – Empty passwords
This control identifies user accounts with empty passwords.
- CID 3894 – Password matches user name
This control identifies passwords that match the actual user name or the user name in upper- or lower-case.
- CID 3895 – Password matches an entry in the password dictionary
This control identifies user accounts where the password is equal to an entry in the user-defined password dictionary.
To access your passwords, the scanning engine uses a dissolvable agent on Windows systems to collect user password information from target hosts. The dissolvable agent securely sends the passwords to the scanner for analysis and securely erases its copy of passwords after it completes the tests.
Using Password Auditing
Enable Password Auditing
Password Auditing is not enabled in compliance scans by default. To use this feature, create or edit a compliance profile with the following settin:
- Enable Password Auditing controls
Figure 1: Compliance Profile : Enable Password Auditing
- Accept the dissolvable agent
Figure 2: Compliance Profile : Accept Dissolvable Agent
- Configure a password dictionary.
Figure 3: Compliance Profile : Configure Custom Dictionary
Run Compliance Scan
Launch or schedule a compliance scan on the hosts that you want to scan for password auditing controls. Select a compliance profile with Password Auditing enabled, and optionally a password dictionary defined.
Add Password Auditing Controls to Policy
Add the three new password auditing controls (Control IDs 3893, 3894 and 3895) to a new or existing compliance policy. These controls are supported for Windows and Unix technologies.
Run Compliance Report
Generate compliance reports to compare the data gathered on your hosts during your compliance scan to the expected values defined in your compliance policy. Each user account that violates a Password Auditing control appears in the Actual field of your report.
Figure 4: Compliance Report with Password Auditing controls
Demo and Technical Paper
To see a demo of these steps, please view the Password Auditing Demo.
For full technical details on Password Auditing, please download the QualysGuard Tips and Techniques, Policy Compliance: Password Auditing Document.