Skip to content

Hide Navigation Hide TOC

Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485)

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse. This mitigation can be implemented through the following measures:

Windows Systems:

  • Use Group Policy Management Console (GPMC) to configure:
    • Minimum password length (e.g., 12+ characters).
    • Password complexity requirements.
    • Password history (e.g., disallow last 24 passwords).
    • Account lockout duration and thresholds.

Linux Systems:

  • Configure Pluggable Authentication Modules (PAM):
  • Use pam_pwquality to enforce complexity and length requirements.
  • Implement pam_tally2 or pam_faillock for account lockouts.
  • Use pwunconv to disable password reuse.

Password Managers:

  • Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.

Password Blacklisting:

  • Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.

Regular Auditing:

  • Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.

Tools for Implementation

Windows:

  • Group Policy Management Console (GPMC): Enforce password policies.
  • Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.

Linux/macOS:

  • PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules.
  • Lynis: Audit password policies and system configurations.

Cross-Platform:

  • Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords.
  • Have I Been Pwned API: Prevent the use of breached passwords.
  • NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.
Cluster A Galaxy A Cluster B Galaxy B Level
Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Software Deployment Tools - T1072 (92a78814-b191-47ca-909c-1ccfe3777414) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 1
Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 1
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 1
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 1
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 1
Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 1
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 1
AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 1
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern Password Policies - M1027 (90c218c3-fbf8-4830-98a7-e8cfb7eaa485) Course of Action 1
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Patch System Image - T1601.001 (d245808a-7086-4310-984a-a84aaaa43f8f) Attack Pattern 2
Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Modify System Image - T1601 (ae7f3575-0a5e-427e-991b-fe03ad44c754) Attack Pattern Downgrade System Image - T1601.002 (fc74ba38-dc98-461f-8611-b3dbf9978e3d) Attack Pattern 2
Network Boundary Bridging - T1599 (b8017880-4b1e-42de-ad10-ae7ac6705166) Attack Pattern Network Address Translation Traversal - T1599.001 (4ffc1794-ec3b-45be-9e52-42dbcb2af2de) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 2
Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
Reversible Encryption - T1556.005 (d50955c2-272d-4ac8-95da-10c29dda1c48) Attack Pattern Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Credential Stuffing - T1110.004 (b2d03cea-aec1-45ca-9744-9ee583c1e1cc) Attack Pattern 2
SSH Hijacking - T1563.001 (4d2a5b3e-340d-4600-9123-309dd63c9bf8) Attack Pattern Remote Service Session Hijacking - T1563 (5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5) Attack Pattern 2
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Default Accounts - T1078.001 (6151cbea-819b-455a-9fa6-99a1cc58797d) Attack Pattern 2