🔍 From the Field — Real-World Findings from Security Assessments
🔥 57.1% of infrastructures I've assessed have weak password policies for service accounts.
Longer passwords for service accounts: yes or no?
Short answer: Yes. But more importantly, know WHY.
🚨 Many orgs still run services under ordinary domain user accounts. That's a bad idea.
Why?
The password of such an account is stored on every host where the service runs: as an LSA secret in the registry (under HKLM\SECURITY\Policy\Secrets) and in LSASS memory. Anyone with local admin or SYSTEM on that host can recover it in plaintext, and password length does nothing against that attack.
So why bother with long passwords at all? Because of Kerberoasting.
Any authenticated user in the domain can request a service ticket (TGS) for any account that has an SPN. The KDC checks that the requester holds a valid TGT, but not whether they are allowed to use the service.
→ The service ticket is encrypted with the service account's long-term key, which is derived from its password. With RC4 (etype 23) that key is simply the unsalted NT hash; with AES it is derived through PBKDF2 with a salt, which makes every guess far more expensive.
The attacker takes the ticket offline and guesses passwords until one decrypts it. Weak password = fast offline crack = attacker gets the account.
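To see where your own domain stands on this, here is an audit script I added for this post (it is not part of the original text). It lists every user object with an SPN, the encryption type the KDC will use for its tickets, the effective minimum password length, and the password age. It assumes the RSAT ActiveDirectory module and read access to the domain; the bit values of msDS-SupportedEncryptionTypes are Microsoft's documented flags.

```powershell
# Added example, not from the original post: audit Kerberoastable accounts.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes as documented by Microsoft.
$RC4    = 0x04
$AES128 = 0x08
$AES256 = 0x10

# Every user object with at least one SPN; krbtgt is excluded because its key is not a password.
$spnUsers = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' `
    -Properties servicePrincipalName, PasswordLastSet, 'msDS-SupportedEncryptionTypes', AdminCount

$domainDefault = Get-ADDefaultDomainPasswordPolicy

$report = foreach ($u in $spnUsers) {
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    # Unset (or 0) means the KDC falls back to RC4: the ticket is encrypted with the
    # unsalted NT hash, the cheapest case for the attacker.
    $ticketEtype = if (-not $etypes) { 'RC4 (attribute unset)' }
                   elseif ($etypes -band $AES256) { 'AES256' }
                   elseif ($etypes -band $AES128) { 'AES128' }
                   elseif ($etypes -band $RC4)    { 'RC4' }
                   else                           { "other ($etypes)" }

    # Effective policy: a PSO (FGPP) if one applies to this user, otherwise the domain default.
    $policy = Get-ADUserResultantPasswordPolicy -Identity $u
    if (-not $policy) { $policy = $domainDefault }

    [pscustomobject]@{
        Account         = $u.SamAccountName
        Enabled         = $u.Enabled
        Privileged      = ($u.AdminCount -eq 1)
        TicketEtype     = $ticketEtype
        MinPwdLength    = $policy.MinPasswordLength
        PasswordAgeDays = if ($u.PasswordLastSet) { ((Get-Date) - $u.PasswordLastSet).Days } else { $null }
        SPNs            = ($u.servicePrincipalName -join ' ')
    }
}

# Worst first: enabled, privileged accounts whose tickets come back RC4-encrypted under
# a short minimum length are the ones an attacker cracks in hours.
$report |
    Sort-Object @{Expression = 'Privileged'; Descending = $true}, @{Expression = 'MinPwdLength'} |
    Format-Table -AutoSize
```

Any row showing "RC4" together with the domain default minimum length (often 7 to 14 characters) is exactly the account the post is warning about; an old PasswordLastSet on such a row means the account has probably never been subject to any stronger policy.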
🛠️ What you should do:
▪️ Create a custom Fine-Grained Password Policy (FGPP, a Password Settings Object) for service accounts with a far longer minimum length than the domain default, for example 25 or more characters. Then actually reset the passwords: a password policy is only enforced at the next password change.
▪️ Remove RC4 from those accounts (msDS-SupportedEncryptionTypes, "This account supports Kerberos AES") so their tickets are AES-encrypted. This also needs a password reset afterwards, so the DC stores AES keys for the account.
▪️ Ideally use better service account options:
▶️ sMSA / gMSA / VSA (managed or virtual accounts). Managed service accounts get a random 120-character password that AD rotates itself (every 30 days by default): they can still be Kerberoasted, but the ticket is not crackable. Virtual service accounts (NT SERVICE\name) are local to the host and use the computer account on the network.
▪️ If needed, implement Authentication Policies to restrict who can obtain service tickets for sensitive accounts. This requires domain functional level Windows Server 2012 R2 or higher and Kerberos armoring (FAST) enabled by Group Policy.
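The steps above, carried out in PowerShell as one added example (not from the original post, and not an official Microsoft script). It assumes the RSAT ActiveDirectory module on a domain-joined admin host, a fictional domain corp.example, and placeholder names for the OU, group, gMSA, host and SID; the SDDL for the Authentication Policy follows Microsoft's documented conditional-ACE form.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and a
# fictional domain corp.example; every name, OU and SID below is a placeholder.
Import-Module ActiveDirectory

# 1. FGPP (a Password Settings Object) that applies only to members of one group.
#    Lower Precedence wins if several PSOs apply to the same user.
New-ADGroup -Name 'SvcAccounts-Legacy' -GroupScope Global -Path 'OU=Service Accounts,DC=corp,DC=example'
New-ADFineGrainedPasswordPolicy -Name 'PSO-ServiceAccounts' -Precedence 10 `
    -MinPasswordLength 30 -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 24 -MinPasswordAge '1.00:00:00' -MaxPasswordAge '180.00:00:00' `
    -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-ServiceAccounts' -Subjects 'SvcAccounts-Legacy'

# 2. Accounts that must stay plain users: AES only, so the service ticket is no longer
#    encrypted with the unsalted NT hash. Reset each password once afterwards; the DC
#    only stores AES keys for the account at the next password change.
$legacy = Get-ADGroupMember -Identity 'SvcAccounts-Legacy' | Where-Object objectClass -eq 'user'
$legacy | Set-ADUser -KerberosEncryptionType AES128, AES256

# 3. gMSA to replace a plain user account. AD generates a random 120-character password
#    and rotates it (30 days by default). The KDS root key is a one-time per-forest setup
#    and needs about 10 hours to replicate before the first gMSA can be installed.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }
New-ADServiceAccount -Name 'gmsa-sql01' -DNSHostName 'gmsa-sql01.corp.example' `
    -ServicePrincipalNames 'MSSQLSvc/sql01.corp.example:1433' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL01$' `
    -KerberosEncryptionType AES128, AES256
# Then on SQL01 itself (needs RSAT-AD-PowerShell):
#   Install-ADServiceAccount -Identity 'gmsa-sql01'; Test-ADServiceAccount -Identity 'gmsa-sql01'

# 4. Optional: Authentication Policy so only members of one group can obtain service
#    tickets for a sensitive legacy account. Requires DFL 2012 R2+ and Kerberos armoring
#    (FAST) enabled by GPO. The SID is a placeholder for e.g. an 'SQL-Clients' group.
$allowedSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
New-ADAuthenticationPolicy -Name 'AuthPol-svc-report' -Enforce `
    -ServiceAllowedToAuthenticateTo "O:SYG:SYD:(XA;OICI;CR;;;WD;(Member_of_any {SID($allowedSid)}))"
Set-ADUser -Identity 'svc-report' -AuthenticationPolicy 'AuthPol-svc-report'
```

Run the audit again after the password resets: the affected rows should now show AES256 and MinPwdLength 30, and a PasswordAgeDays of 0 proves the new policy and the AES keys are actually in effect rather than merely configured.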
💡 Most people talk about Kerberoasting, few explain why long passwords still matter even when the plaintext risk exists: length does nothing against a local admin reading the LSA secret, but it stops every other domain user from cracking the ticket offline.
Now you know. Make your infra safer.
