One of the security controls that ControlsInsight checks for is password uniqueness. What exactly is it checking? Does this mean that ControlsInsight knows my password? Why is password uniqueness important?

All Windows desktops ship with a Local Administrator account. Windows creates a hash of each user's password and stores it locally; ControlsInsight checks the uniqueness of the Local Administrator's Windows NT password by looking at its hash. A hash is a fixed-size number computed from an input (in this case the password) that looks random, so the hash alone reveals nothing obvious about the password. Hash functions only work in one direction: someone who knows a password can calculate its password hash, but someone who knows only the hash cannot calculate the password from it.

Today ControlsInsight obtains all its information from Nexpose scans. After a scan, Nexpose stores all the NT hashes in its local database with the rest of the scan results. ControlsInsight looks at all the hashes for a site and determines which are unique and which are shared by at least one other user in the same Nexpose site. Multiple computers on a site with the same password are flagged as a vulnerability.

Why is it important that each computer have a unique password? One reason is that Windows does not salt its password hashes. A hash can be "salted", which means the hash is created from the password plus something else, perhaps the GUID of the machine, so that the same password produces a different hash on every machine. Because Windows does not do this, the same password always produces the same NT hash everywhere, and a malicious user who obtains a password hash and already knows which password produces that hash has learned the password. There are tables online that map hashes to passwords for this purpose.

There are other ways a malicious user could learn one user's password. Approximately 30% of attacks involve some form of social engineering, for instance calling a user and pretending to be IT in order to trick the user into revealing their password. In an environment where many desktops have the same password, learning one password grants access to many machines.

ControlsInsight manages this risk by ensuring that each computer has a unique administrator password, so that an attacker who gains access to one machine cannot leverage that access to log into numerous other computers.