Filter Frenzy: Towards Assessing Active Directory Filters
Authors
Juncker, Jonathan Hartvigsen ; Møller, Mads Lykkeberg
Term
4th semester
Education
Publication year
2024
Submitted on
2024-05-31
Pages
94
Abstract
Passwords remain the most common way to control access to IT systems. Many organizations rely on Microsoft Active Directory, a system for managing user accounts and permissions. To steer users toward better choices, 'password filters' check a new password when it is set and reject those considered easy to guess. For years most Active Directory filters came from third parties, but Microsoft now offers its own: Microsoft Entra Password Protection. This thesis asks whether such filters actually improve password security and how Microsoft's filter compares with third-party solutions. We give an extensive review of research on password policies (rules about length and complexity), password strength, and password guessing attacks (methods attackers use to try likely passwords). We also introduce a new method for evaluating how effective Active Directory password filters are. Our evaluation tests three different filters using about 88 million passwords, state-of-the-art password strength meters (tools that estimate how hard a password is to guess), and several types of password guessing attacks.
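The evaluation idea described in the abstract, in miniature: push a password corpus through a filter, then run a guessing attack against whatever the filter accepted and see how much of it falls. This is an added illustration, not code or data from the thesis. The corpus, the attacker wordlist, the banned tokens, the leet-substitution table and the mangling rules are all constructed here, and the scoring in `banned_list_filter` is only loosely modelled on the documented Entra Password Protection rule (each banned token found scores a point, each leftover character scores a point, five points to pass); it is not Microsoft's implementation and omits fuzzy matching and the user-name check.

```python
"""Miniature filter evaluation: filter a corpus, then attack the survivors.
Added illustration; corpus, wordlist, banned tokens, leet table and rules
are all constructed, not the thesis's data or code."""
from typing import Callable, Dict, Iterable, Iterator, List

Filter = Callable[[str], bool]  # True means the filter accepts the password

# Constructed stand-in for a leaked-password corpus (the thesis used ~88M).
CORPUS: List[str] = [
    "password", "Password1", "P@ssw0rd!", "summer2023", "Summer2023!",
    "qwerty123", "letmein", "correct horse battery staple",
    "Tr0ub4dor&3", "aau-filter-frenzy", "welcome1", "Welcome1!",
    "123456789", "iloveyou", "zX9#kLq2$vB7", "monkey123", "dragon",
    "Winter2024!", "Contoso123", "abcdefgh",
]
# Constructed attacker wordlist, most popular first.
WORDLIST: List[str] = [
    "123456", "password", "qwerty", "123456789", "iloveyou", "welcome",
    "letmein", "dragon", "monkey", "summer", "winter", "abcdefgh",
]
# Constructed banned tokens: a few "global" ones plus tenant-specific terms.
BANNED = {"password", "welcome", "summer", "winter", "qwerty", "letmein",
          "contoso", "aau"}
# Assumed leet-speak normalisation table (hypothetical, not Microsoft's).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e",
                      "4": "a", "5": "s", "7": "t"})
# Hashcat-style mangling rules the attacker applies to every wordlist entry.
RULES: List[Callable[[str], str]] = [
    lambda w: w, str.capitalize, lambda w: w + "1", lambda w: w + "123",
    lambda w: w.capitalize() + "1", lambda w: w + "!", lambda w: w + "2023",
    lambda w: w.capitalize() + "2023!",
]


def normalize(pw: str) -> str:
    """Lower-case and undo common substitutions before banned-token matching."""
    return pw.lower().translate(LEET)


def length_policy(pw: str) -> bool:
    """Classic domain password policy: length only (8+ characters)."""
    return len(pw) >= 8


def banned_list_filter(pw: str, banned: Iterable[str] = BANNED,
                       threshold: int = 5) -> bool:
    """Banned-token filter loosely modelled on the documented Entra scoring:
    one point per banned token found, one point per leftover character,
    `threshold` points needed to pass. Simplified: no fuzzy matching."""
    remaining = normalize(pw)
    score = 0
    for token in sorted(banned, key=len, reverse=True):  # longest token first
        hits = remaining.count(token)
        if hits:
            score += hits
            remaining = remaining.replace(token, "")
    return score + len(remaining) >= threshold


def combined_filter(pw: str) -> bool:
    """Length policy and banned-list filter stacked, as in a real deployment."""
    return length_policy(pw) and banned_list_filter(pw)


def guesses(wordlist: Iterable[str], budget: int) -> Iterator[str]:
    """Yield up to `budget` candidates: each rule applied over the whole wordlist."""
    made = 0
    for rule in RULES:
        for word in wordlist:
            if made >= budget:
                return
            made += 1
            yield rule(word)


def evaluate(flt: Filter, corpus: List[str] = CORPUS,
             wordlist: List[str] = WORDLIST, budget: int = 10_000) -> Dict[str, float]:
    """How much the filter rejects, and how many accepted passwords the
    dictionary-plus-rules attack still recovers within the guess budget."""
    accepted = [p for p in corpus if flt(p)]
    guessed = set(guesses(wordlist, budget))
    cracked = [p for p in accepted if p in guessed]
    return {
        "rejected": len(corpus) - len(accepted),
        "accepted": len(accepted),
        "cracked": len(cracked),
        "crack_rate": len(cracked) / len(accepted) if accepted else 0.0,
    }


FILTERS: Dict[str, Filter] = {
    "no filter": lambda pw: True,
    "length >= 8": length_policy,
    "banned list": banned_list_filter,
    "length + banned list": combined_filter,
}


def run_all() -> Dict[str, Dict[str, float]]:
    """Score every filter on the constructed corpus against the same attack."""
    return {name: evaluate(flt) for name, flt in FILTERS.items()}


if __name__ == "__main__":
    for name, r in run_all().items():
        print(f"{name:22s} rejected={r['rejected']:2d} accepted={r['accepted']:2d} "
              f"cracked={r['cracked']:2d} crack_rate={r['crack_rate']:.2f}")
```

On this toy corpus the banned-list filter cuts the cracked count from 12 to 7 while the length-only policy barely moves it, yet more than half of what the banned-list filter accepts still falls to a 96-guess rule-based attack (it lets `summer2023` through because the leftover digits earn enough points). Those are constructed numbers, but they show why rejection rate alone says little: the question the thesis's evaluation is built to answer is how guessable the accepted passwords remain, measured with real strength meters and several attack types at the scale of 88 million passwords.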
[This summary has been rewritten with the help of AI based on the project's original abstract]
Documents
