This afternoon, while working with a colleague, I was alerted to a customer that appears to have the same 6-character password set for every user, which, honestly, I feel violates the very notion of a password. They’re not currently in Office 365 (or even Active Directory), but the risk is the same:
Users tend to use the same passwords everywhere.
So, if they’ve used that password for their email at work, they probably use it for their bank or email at home. And, if you have hundreds of people using that same password across their own accounts, it becomes even scarier.
If you haven’t gotten the willies yet, wait until you find out it’s a public sector customer. The scariest part of public sector customers is that, typically, all of the email addresses are public.
If you’ve been reading my blog for any length of time, you’ll probably have seen some tools floating around. One that I put together last year queried the HaveIBeenPwned database using your Active Directory and Office 365 user accounts. Since this customer had neither, I decided to update it so you could just put in a text file list of addresses to query. Use the -ImportUsers <filename> parameter to specify it, and you’re off to the races!
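As an added example (not the aka.ms/pwncheck script itself), here is a small PowerShell script with the same -ImportUsers shape: it reads one address per line, looks each one up against the HaveIBeenPwned breached-account API, and flags addresses that appear in a breach that exposed passwords, since that is the case the shared-password problem above makes dangerous. It assumes the current HIBP v3 API, which requires an API key sent in the hibp-api-key header; $HibpApiKey and the output file name are placeholders you supply.

```powershell
# Added example, not the aka.ms/pwncheck script: read a text file of addresses
# and query the HaveIBeenPwned v3 breached-account API for each one.
# Assumes the v3 API (API key required in the "hibp-api-key" header).
param(
    [Parameter(Mandatory)][string]$ImportUsers,   # one email address per line
    [Parameter(Mandatory)][string]$HibpApiKey,    # placeholder: your HIBP API key
    [int]$DelayMs = 1600                          # pause between lookups to respect the rate limit
)

$headers = @{
    'hibp-api-key' = $HibpApiKey
    'user-agent'   = 'breach-check-example'       # HIBP rejects requests without a user agent
}

function Get-BreachesForAddress {
    param([string]$Address)
    $encoded = [uri]::EscapeDataString($Address)
    $uri = "https://haveibeenpwned.com/api/v3/breachedaccount/$encoded?truncateResponse=false"
    while ($true) {
        try {
            return Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        } catch {
            $status = $_.Exception.Response.StatusCode.value__
            if ($status -eq 404) { return @() }                       # not found in any breach
            if ($status -eq 429) { Start-Sleep -Seconds 2; continue } # rate limited: back off and retry
            throw                                                     # anything else is a real error
        }
    }
}

$addresses = Get-Content -Path $ImportUsers | ForEach-Object { $_.Trim() } | Where-Object { $_ }

$results = foreach ($address in $addresses) {
    $breaches = @(Get-BreachesForAddress -Address $address)
    [pscustomobject]@{
        Address          = $address
        BreachCount      = $breaches.Count
        Breaches         = ($breaches.Name -join ';')
        # a breach that leaked passwords is the one that matters when everyone shares one password
        PasswordsExposed = @($breaches | Where-Object { $_.DataClasses -contains 'Passwords' }).Count -gt 0
    }
    Start-Sleep -Milliseconds $DelayMs
}

$results | Sort-Object BreachCount -Descending | Format-Table -AutoSize
$results | Export-Csv -Path 'pwncheck-results.csv' -NoTypeInformation   # placeholder output path
```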
Good thing I’ve got MFA turned on everywhere, because it looks like I trusted some companies I shouldn’t have trusted.
You can get the updated script at http://aka.ms/pwncheck. Happy hunting!