Preventing a Password Compromise

Authored by Zoran Jovic 

Password compromise is one of the most serious threats organizations face today. Attackers are attempting to gain access to your credentials 24/7, and tailor many, if not most, attacks with the main goal of gaining access to credentials. Once the attacker has a username and a password, they are no longer an outsider. They become an authenticated user with access to systems and applications! 

Meet Bob. Bob is a model employee and is an asset to your organization, but also a target for an attacker. We can use Bob to illustrate the threats to passwords and digital identity overall.  

Password Compromise Threats:  

Password Guessing is an attack where an attacker attempts to guess a password based on an easily guessable word. Bob happens to choose his passwords from a list of words including a local sports team, name of the company, his pet’s name, etc. All an attacker needs to do is visit Bob’s social media page and they will find plenty of clues to guess the password.  

Password Spraying is an attack where a single common password is attempted against many users. If the sample of usernames is large enough, it increases the probability that an attacker will find at least one user with a weak password like “Companyname123!”. Because each user account is only attempted once per weak password, an attacker can perform this attack multiple times per day without the risk of locking out accounts. 

Password Stuffing is an attack where a previously compromised password is attempted against other accounts that belong to the same or a similar username. Bob’s online casino account has been a part of a breach, and the credentials Bob used are certainly in attackers’ hands. If he uses the same password convention at work, it could allow an attacker to successfully compromise Bob’s work credentials. 

Password Cracking is an attack where an attacker gets hold of the stored, scrambled form of the credentials, commonly known as password hashes. Bob’s password is stored in this “encrypted” form, but the attackers can try to crack the hashes to reveal the cleartext password. An attacker can gain access to password hashes from several sources, including public data breaches, exploiting flaws in web applications that store user credentials, and even forcing authentication attempts from applications like Microsoft Word by tricking users into opening a malicious document. 

Credential Harvesting is an attack where phishing emails are used to trick users into providing their credentials in a fake login page. These attacks are often generic in nature and target many users in the hopes that at least one user will be duped by the email message. Even strong, complex passwords can be compromised if the end users do not know how to spot fake logins. 

Outdated Recommendations: 

Password Complexity and Expiration – To protect Bob from password threats, we used password complexity and length.  If Bob’s password is set to “3gu@TT9m07445tH!!n1us”, an attacker will have a challenging time guessing or cracking the password! The only issue is that Bob will never remember this password and will have to change it the very next time he attempts logging in. Bob is likely to choose the same password he has previously used. Potentially, Bob may also use his good ole’ friend, the sticky note, to write the password down and post it at his desk. Even if Bob remembers his passwords, if he must change them every few months he is likely to reuse the password from his other personal accounts.  

Password Length – Bob’s password must be at least 8 characters long, because not too long ago it was thought that an 8-character password would take years to crack. Those days are gone… even a budget computer can perform password cracking at blazing speeds. To put it plainly, to crack Bob’s Windows password hash, an attacker with a higher end machine can go through all the words in the English dictionary, including their permutations, in a matter of minutes. The point being: 8 characters is not enough.  

The final case for password complexity being obsolete is that most effective attacks (and some of the most common ones) completely circumvent the password complexity. Phishing and other forms of social engineering rely on Bob giving up his password freely. 

New Recommendations: 

NIST and other leading standards bodies have shared new recommendations for passwords and authentication in general. Here is my summary of the recommendations:  

Use long phrases – Bob’s new password phrase, “2021 will be better than twenty-twenty!”, is extremely easy to remember, but hard to guess for an attacker. Additionally, even with powerful computers it will take an exceptionally long time to crack. 

Disallow “bad words” – create a list of words that are forbidden from being used in a password. Name of the town, company, seasons, months, sports teams, etc. should all be barred. Thankfully, there exist resources and tools, often free, that integrate with your digital identity management systems to prevent Bob from choosing his favorite football team as his password.  

Prevent personal information from being used in passwords – It may be hard to stop Bob from using his compromised online casino password. But we can limit the use of personal information in passwords. Bob’s HR file already holds most of this information and it would be easy to stop Bob from using his street name or mother’s maiden name for a password. 
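The three recommendations above (long phrases, a banned-word list, and a check against the user's own HR details) can be enforced in one password filter. The following is an added example, not code from the article or from any product; the word lists, the breach set and the 15-character minimum are constructed placeholders for the feeds a real identity system would use.

```python
import re
import unicodedata

# Constructed sample lists (not from the article), standing in for the
# banned-word feed and breach corpus a real identity system would consult.
BANNED_WORDS = ("companyname", "houston", "texans", "summer", "january", "password")
BREACHED_PASSWORDS = {"Companyname123!", "Summer2021"}
MIN_LENGTH = 15  # assumed policy value; the article's point is "longer than 8"
# Common leetspeak substitutions, undone before matching
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(text):
    """Lower-case, strip accents, undo leetspeak and drop separators so
    'C0mp@ny-Name' and 'companyname' compare equal."""
    folded = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z0-9]", "", folded.lower().translate(LEET))

def evaluate_password(candidate, personal_info):
    """Return the list of policy violations; an empty list means the
    candidate passes. personal_info maps field name -> value from HR."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate in BREACHED_PASSWORDS:
        problems.append("appears in a known breach")
    norm = normalize(candidate)
    for word in BANNED_WORDS:
        if word in norm:
            problems.append(f"contains banned word '{word}'")
    for field, value in personal_info.items():
        # Skip very short values (e.g. initials) that would match almost anything
        if len(value) >= 4 and normalize(value) in norm:
            problems.append(f"contains personal info ({field})")
    return problems
```

Bob's passphrase passes every check, while “Companyname123!” fails on both the breach list and the banned-word list even though it satisfies the old complexity rules.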

Implement a security awareness program – User awareness and training are important, as we cannot address every risk with a technical or operational control. With enough practice, Bob can learn to spot the phishing emails and stop entering his work credentials into a suspicious site!  

Implement a secure password manager – So that Bob does not have to remember a long and complex password for every account.  

Implement multi-factor authentication – Even if Bob makes a mistake and uses an easily guessable password, or types it in a phishing site, 2FA/MFA can limit the attacker’s ability to access resources.  

WARNING: Not all MFA solutions are created equal. For example, if a user simply approves a push notification as the second factor, an attacker with their credentials could potentially spam them with login requests until they accept the prompt. 

Monitor and Alert – Your security tools can often tell when an attacker is attempting to guess passwords. Bob is in Texas, yet you show multiple attempts to log in from another state or country – a clear indication of password guessing.  
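Both the password spraying pattern described earlier (one source, one try against many users) and the “Bob is in Texas, but the attempts come from elsewhere” signal above can be picked out of ordinary authentication logs. This is an added example, not code from the article or from any security tool; the log lines, the IP addresses and Bob's home region are constructed, and the log format is assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article):
# timestamp, result, user, source IP, geo region of the source.
SAMPLE_LOG = """\
2021-03-01T08:00:01 FAIL bob 203.0.113.7 US-NY
2021-03-01T08:00:02 FAIL alice 203.0.113.7 US-NY
2021-03-01T08:00:03 FAIL carol 203.0.113.7 US-NY
2021-03-01T08:00:04 FAIL dave 203.0.113.7 US-NY
2021-03-01T08:00:05 FAIL erin 203.0.113.7 US-NY
2021-03-01T08:05:00 SUCCESS bob 198.51.100.9 US-TX
2021-03-01T08:06:00 FAIL bob 198.51.100.9 US-TX
2021-03-01T09:10:00 FAIL bob 192.0.2.44 DE-BE
2021-03-01T09:11:00 SUCCESS bob 192.0.2.44 DE-BE
"""

# Assumed: the region each user normally signs in from (from IdP/HR data).
HOME_REGION = {"bob": "US-TX"}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, result, user, ip, geo = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip, geo))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=5):
    """Flag a source IP that fails against many distinct users inside the window.
    Each user sees only a try or two, so per-account lockout never fires."""
    by_ip = defaultdict(list)
    for ts, result, user, ip, _ in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = []
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append((ip, len(users)))
                break
    return alerts

def detect_foreign_logins(events):
    """Flag any attempt for a user from a region other than their usual one."""
    return sorted({(user, geo) for _, _, user, _, geo in events
                   if user in HOME_REGION and geo != HOME_REGION[user]})
```

Note that the successful login from DE-BE is reported too: a success from an unexpected region is exactly the case where the password was already compromised and the alert is the last line of defense.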

Trust but verify – To ensure your controls are working, and Bob is doing his part, periodically audit your password security. A penetration test will test for bad passwords through some form of password guessing. A password audit can determine the risk of an attacker both guessing and cracking your passwords. A phishing assessment will verify the effectiveness of your social engineering awareness program.  

Special considerations: 

Privileged accounts are the prime target for attackers, and as such should be required to have even more strict rules on all the above, especially password length. If Bob is a network admin, his password should be even longer than a normal user’s password, and he should only use the privileged accounts in situations where it is necessary to use these accounts. Otherwise, Bob should use a non-privileged account on a day-to-day basis.  

Services and other non “user” accounts often get left behind. Commonly we find conferencing solutions that have been provisioned with a domain-joined account, whose password was set up 7 years ago, never expires, and is conveniently set to “Conference”, or “Password”, or even “admin”. Some of these services are set up as privileged accounts and may be the prime targets for an attacker. An audit or a pen test can help identify such vulnerabilities.  

While it may be hard to expect Bob to never make a mistake, a combination of user awareness training and effective security controls can help minimize the risk of a compromise. Whether you already have implemented mitigating controls, or are just starting on your journey, CLA can help verify and enhance your security posture.  Talk to a CLA Advisor here.

https://www.claconnect.com/services/information-security


Comments

“Through 20 years of effort, we’ve successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.” -Randall Munroe
Password length is far superior to password complexity!