Exclude local networks from exposed passwords report

Please exclude local networks from exposed passwords report; e.g.: 192.168.X.X

Please don’t. If someone gets into your network, you’d still rather not have your applications wide open.

Local IPs are false positives.

They could be in your use case. But things get messy really quickly. For example, if our admin had a weak password on the Active Directory server on our internal network, this would really be an issue.

Furthermore, things get messy really quickly if you start thinking about bigger internal networks and cloud integrations. We have a few cloud servers running that are only accessible from inside our LAN. Would these also need to be excluded?

If you’re using a password manager, is there even a reason to use a weak password in your internal network?

It does amaze me seeing the number of WEAK passwords that get used by someone with a password manager. My use scenario leaves me out of the loop on LAN stuff. We connect via a VPN that is configured to block any access to LAN. It won’t work for many of you guys but I configure on the assumption that LAN traffic is a “bad guy” and LAN never gets on our computers. Of course low level router access but no workspace on one of our machines will ever see LAN. And of course since any LAN passwords are set by yours truly the complexity and length are massive. No worries for me that way.

@JurgenG: I initially voted yes but your post convinced me otherwise. Agree, this should not be done, at least not as the default.

My request was not regarding the “Weak Passwords Report”, only the “Exposed Passwords Report”.

Exposed passwords are by definition weak, as they are part of a dictionary attack. These are the first passwords tried.

I’m in my 50s, so some things have changed, but in my world local “domain users” are still considered trusted, and are thus usually given at least “read” access to the majority of local network resources. With that, there are still some applications, usually “web apps”, that require at minimum the use of a locally shared, generic, view-only user ID and password, e.g. a UI to review locally stored diagnostic results. As far as I know, this is standard practice across most industries. BUT I’m pretty sure the use of reserved LAN IP addresses on the public Internet is prohibited; so I don’t believe local IPs with simple credentials for local use stored within a password manager should be deemed “exposed”, in my opinion.
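To make the trade-off argued in this thread concrete, here is an added example (not code from the password manager or from any poster) that runs a toy exposed-password check over constructed vault entries, with and without the requested "exclude local networks" filter. The breach corpus, the vault entries, their URLs and passwords are all made up; the filter is keyed on the URL host being a non-public IP literal, so a LAN-only server reached via a public hostname is not excluded, and an exposed admin password on a 10.x.x.x host is.

```python
import hashlib
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for a breach corpus: SHA-1 digests of a few passwords that
# appear in every leaked-password list. The real report would query a breach
# database; only the lookup shape (hash-prefix match) is mimicked here.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("password", "123456", "Welcome1", "admin")}

def is_private_host(url: str) -> bool:
    """True when the entry's URL host is a non-public IP literal (RFC 1918,
    IPv6 ULA, loopback, link-local). Hostnames cannot be classified and return
    False, so a 'LAN-only' server behind public DNS would not be excluded."""
    host = urlparse(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:          # not an IP literal
        return False

def is_exposed(password: str) -> bool:
    """k-anonymity style lookup: only the first 5 hex chars of the SHA-1 would
    leave the client; the remaining suffix is compared locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates

def exposed_report(entries, exclude_private=False):
    """Names of entries an Exposed Passwords Report would list, with or
    without the requested 'exclude local networks' filter."""
    return [e["name"] for e in entries
            if is_exposed(e["password"])
            and not (exclude_private and is_private_host(e["url"]))]

# Constructed vault entries (hypothetical; not from any real vault).
VAULT = [
    {"name": "Diagnostics web UI", "url": "http://192.168.10.5/", "password": "Welcome1"},
    {"name": "AD admin console", "url": "https://10.0.0.5/", "password": "password"},
    {"name": "NAS (IPv6 ULA)", "url": "http://[fd12:3456::10]/", "password": "admin"},
    {"name": "CI server (LAN-only, public DNS)", "url": "https://ci.corp.example/", "password": "123456"},
    {"name": "Bank", "url": "https://bank.example/", "password": "Tq7#vR9!mL2pXz4w"},
]

if __name__ == "__main__":
    print("full report:     ", exposed_report(VAULT))
    print("private excluded:", exposed_report(VAULT, exclude_private=True))
```

With the filter on, the exposed Active Directory admin password and the NAS password disappear from the report while the LAN-only CI server stays listed, which is the inconsistency the thread describes.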