Skip to main content

Back to Blog

Findings on Exposed Passwords in Active Directory

While large-scale reports cover broad trends in attack patterns, Enzoic’s State of Authentication Security Survey of around just under 500 companies using Active Directory (AD) focused on the real impact of compromised credentials in businesses cross-industry.

We found that when it comes to current authentication practices, usernames and passwords are still the most prevalent authentication methods for organizations. Nearly 70% of organizations still rely on username and password combinations for their employees. This isn’t particularly surprising, but it emphasizes the fact that password security is a top priority due to just how ubiquitous it is.

Active Directory Password Expiration

Additional results from our Active Directory survey showed a need for more engagement and contemporary knowledge around password management and security awareness. Most organizations still follow older password policies. For example, 74% of enterprises continue to require forced password resets for employees and contractors every 90 days or less, creating a burden for employees and generating higher costs for the employer. If organizations more closely followed modern password policy standards and guidelines, they would find that most security experts no longer recommend password expiration policies. In fact, NIST password guidelines specifically call for the end of periodic password resets.

However, these updated guidelines can be challenging to follow and with all the different security advice available, it is hard for many understaffed security teams to keep up. As things currently stand, organizations are still learning about the updated NIST password guidelines for authentication. 54% knew about it less than a year ago and 33% are still unaware of the updated password recommendations.

AD Password Data from Enzoic

Looking deeper into our 2023 Active Directory Password Usage data, we found 1.2 million user accounts were actively using compromised or weak passwords. This number is an astonishing 15% of the approximately 8+ million Enzoic Active Directory Lite (otherwise known as Enzoic AD Lite) accounts that were scanned.

One notable trend is the persistent increase in users with duplicate passwords, at nearly 30% of all users monitored. This may be attributed to administrative oversight, such as setting a default password without enforcing a change. Such practices can create significant security gaps, increasing the chances of account compromise and lateral movement in an environment.

Another concerning observation is that roughly 10% of the users we scanned in 2023 had expired passwords. Expired passwords point to a gap in enforcing organizational policies. This indicates that organizations are still enforcing periodic password reset, otherwise known as password rotation policies, on their employees and users in Active Directory, but may not enforcing it.

In the same vein, last year, Enzoic introduced the tracking of stale accounts and uncovered over 1.1 million such accounts. Stale accounts are accounts that haven’t been logged into in a long time. They could be an account from a user who no longer works there that was never deactivated or it could be some account that was created and forgotten about for some other reason. These inactive but potentially exploitable user accounts increase an organization’s attack surface. They represent a hidden danger, as former employees or contractors may be able to access them. These stale accounts also lack user interaction for password changes in response to compromise or policy updates. Our data aligns with Microsoft’s data which states that over 10% of Active Directory accounts are stale. Stale accounts need to be investigated and then deprovisioned if not active. Otherwise, these credentials are ripe for leverage in a cyberattack.

These findings are a reminder of the ongoing battle against data breaches and the need for organizations to monitor passwords in their environment for continual compromise..

Active Directory Lacks Exposed Password Data

Many IT professionals without large security teams rely heavily on built-in security features without knowing the full coverage of these security features. For example, Microsoft’s Azure Active Directory AD Password Protection, now rebranded as Microsoft Entra ID, ostensibly prevents the use of so-called bad passwords (read: weak but not compromised) that are easy for hackers to guess. As we know, avoiding the use of common and compromised passwords is essential for any strong cybersecurity strategy; however, Entra ID has significant security gaps.

According to Microsoft, Entra ID works by detecting and blocking known weak passwords and their variants, as well as other common terms specific to your organization. They also include “custom banned password lists’ in their blocking capabilities. In an ideal world, a simple tool like this would be more than enough to prevent users from selecting passwords that undermine your system security. Unfortunately, cybersecurity best practices are just not this simple.

The absence of Dark Web data usage in Microsoft Entra IDs security measures poses a considerable risk to businesses by not adequately protecting against compromised credentials, a much larger threat vector than just weak passwords. Entra ID is undoubtedly in line with compliance language, but it currently does not include the most impactful data set of compromised and exposed credentials. A strong password policy requires filtering out exposed or compromised passwords. Built-in Active Directory protections are not enough.

Why Does Password Security & Exposed Passwords in Active Directory Still Matter?

Weak and compromised passwords lead to data breaches.  According to a GoodFirms survey of IT professionals, 30% of respondents experienced a data breach because of a weak password.

The Enzoic State of Authentication Security Survey revealed that also unsurprisingly, unauthorized access to systems impacts businesses significantly. A breach can cause:

  • reallocation of IT resources for incident response and remediation (28%),
  • system or service downtime (26%),
  • increased helpdesk workload (24%),
  • and data breaches or leakage (22%),

All of these factors result in significant financial loss and an additional IT workload for businesses.

Appropriate tools can effectively address data breaches sourced from weak and compromised passwords. The top Active Directory tools are automated and provide ongoing scanning for weak and compromised passwords, minimizing the IT team’s workload.

To discover more about how these tools can assist your organization in thwarting the utilization of weak or exposed passwords, visit