After performing penetration tests for a myriad of companies over the last decade, there is one thing that stands out above all others: people suck at making passwords. At first I thought “how hard can it be?” But after working with company after company, and trying to improve their password security, I have realized that most people just don’t fully understand the risk. If they do, then they are having trouble getting organizational buy-in on a stronger password policy and struggling to teach employees how to choose a strong password. In this blog, we’ll summarize a variety of topics related to password security.
The Risks of Weak Passwords
The risk of weak passwords is pretty simple. If someone guesses or uncovers a user’s password, they have access to whatever that user has access to. This can be email, external corporate portals, or your VPN, which is probably most significant as it provides an attacker with internal network access. To understand how an attacker may get one of these passwords, it is important to understand the difference between an online and offline password attack. Simply put, an online password attack (like me trying to log in to your email account over the Internet) is less likely to be successful because I might be detected, I might run into account lockouts, and I am ultimately limited by the speed of the network. An offline password attack doesn’t have any of these limitations, allowing me to attempt up to 30 billion password guesses per second. For more on this, check out this blog.
When an attacker is first trying to target an organization, unless it is a malicious insider, they are likely going to have to start with online password attacks or some type of social engineering. Usually, the most effective type of online password attack is a password spraying attack. To conduct this type of attack, I would go to LinkedIn (for example) and gather a list of all your employees. Then I would try to craft those names into potential usernames and try a common password, say Spring2019, against all of the usernames I collected. This approach avoids account lockouts, as I am only trying one password per user. It also allows me to quickly find the weakest link and gain an initial foothold on your network. To learn more about password spraying attacks, check out this blog or this one. Further, in the case of email with on-premises Exchange servers, a Microsoft OWA login interface exposed to the Internet will allow me to enumerate valid user accounts, which helps me narrow down my list of usernames more quickly. Check this blog out for more details on that.
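From the defender's side, the spraying pattern described above (one source, many usernames, only one or two failures per account) can be detected in authentication logs even though no single account ever locks out. The following is an added example, not code from the original post; the log format, thresholds and function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real logs): time, source IP, username, result
SAMPLE_LOG = """\
2019-04-01T09:00:01 203.0.113.7 jsmith FAIL
2019-04-01T09:00:03 203.0.113.7 mjones FAIL
2019-04-01T09:00:05 203.0.113.7 alee FAIL
2019-04-01T09:00:07 203.0.113.7 bchan FAIL
2019-04-01T09:00:09 203.0.113.7 kpatel OK
2019-04-01T09:05:00 198.51.100.4 jsmith FAIL
2019-04-01T09:05:20 198.51.100.4 jsmith FAIL
2019-04-01T09:05:40 198.51.100.4 jsmith OK
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, src, user, result = parts
        events.append((datetime.fromisoformat(ts), src, user.lower(), result))
    return sorted(events)

def detect_spray(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag sources failing against many distinct users, few tries each, in one window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward
            win = evs[start:end + 1]
            fails = Counter(u for _, _, u, r in win if r == "FAIL")
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                # Accounts that authenticated from the same source need a reset
                hits = sorted({u for _, _, u, r in win if r == "OK"})
                findings[src] = {"targeted": sorted(fails), "succeeded": hits}
    return findings

if __name__ == "__main__":
    print(detect_spray(parse(SAMPLE_LOG)))
```

The second source in the sample is a user mistyping their own password, which per-account lockout logic would notice first; only the first source matches the wide, shallow shape of a spray.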
Once an attacker has access to your internal network, say through the VPN or social engineering, there are a lot of methods they can use to get password hashes. One of the most common ways to get a password offline is through NBNS and LLMNR spoofing. Once these passwords are offline, an attacker can perform a myriad of attacks to try to recover the cleartext password that matches the hash. These attacks include dictionary attacks, rule-based attacks, mask attacks, combinator attacks, and brute force password guessing. Check out this blog for some insight on how a hacker will try to recover your password from a hash. In a typical organization, Triaxiom will recover anywhere from 60-80% of passwords for all user accounts across the domain. Once we have access to the passwords, it’s usually just a matter of time to either find a domain administrator in our recovered credentials or escalate in some other manner, taking complete control over a network.
The Fix for Password Security
Most of the passwords we find will follow a typical trend. They will be based off a dictionary word with maybe the a’s turned to @’s and a few numbers at the end. Unfortunately, we have also seen a lot of IT management companies following this trend. The root problem here is that, in many cases, users don’t know how to choose a strong password. They have been taught their whole life that they should be adding complexity, which is really only making the password harder to remember, not harder to guess. Because of this, we spend a lot of time through security awareness training trying to teach people how to choose a strong password. Teaching people how to choose a strong password will in turn reduce an organization’s risk related to the use of weak passwords.
Beyond teaching your employees how to choose a strong password, it is time to boost your corporate password policy. The Center for Internet Security recommends a password length of at least 14 characters. Further, NIST recently published new guidance that users shouldn’t have to change their password every 90 days, but rather, organizations should use a passphrase approach which doesn’t require changes as frequently. For more information about the use of a passphrase vs password, check out this blog.
Another thing for you to consider is having a password database audit completed. This is an assessment of the current passwords in your network, providing you with useful data and statistics such as the length of each password, common passwords, and the common base words that passwords are built from. This can help improve the quality of your security awareness training, help get some organizational buy-in for changes to the password policy, or assist you in implementing a password blacklist. Check out this blog for more information on password database audits.
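To make the audit statistics and the blacklist idea concrete, here is an added example (not code from the original post or from any audit tool) that computes length statistics and common base words over a list of audited passwords, then uses those base words as a blacklist alongside the 14-character minimum mentioned earlier. The sample passwords are constructed, and the substitution table and function names are assumptions; the base-word normalization is a heuristic.

```python
import re
from collections import Counter

# Constructed sample of audited passwords (not real data)
SAMPLE = ["Spring2019", "Spr1ng2019!", "P@ssword1", "Password123", "Acme2019!",
          "correct horse battery staple", "Spring2019", "W1nter18"]

# Heuristic: undo common character substitutions before comparing base words
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o", "$": "s", "5": "s"})
MIN_LENGTH = 14  # CIS-recommended minimum length cited in the article

def base_word(password):
    core = re.sub(r"[\d\W_]+$", "", password)  # strip trailing digits/symbols
    core = re.sub(r"^[\d\W_]+", "", core)      # strip leading digits/symbols
    return core.lower().translate(LEET)

def audit(passwords):
    lengths = [len(p) for p in passwords]
    bases = Counter(base_word(p) for p in passwords)
    return {
        "total": len(passwords),
        "below_min_length": sum(1 for n in lengths if n < MIN_LENGTH),
        "average_length": round(sum(lengths) / len(lengths), 1),
        "top_base_words": bases.most_common(3),
        "reused_count": sum(1 for n in Counter(passwords).values() if n > 1),
    }

def build_blacklist(passwords, min_count=2):
    # Base words seen at least min_count times become blacklist entries
    bases = Counter(base_word(p) for p in passwords)
    return {b for b, n in bases.items() if n >= min_count}

def violates_policy(candidate, blacklist):
    # Length alone is not enough: a long password on a known base word still fails
    return len(candidate) < MIN_LENGTH or base_word(candidate) in blacklist

if __name__ == "__main__":
    print(audit(SAMPLE))
    print(violates_policy("P@ssw0rd2020!!!", build_blacklist(SAMPLE)))
```

Note that `P@ssw0rd2020!!!` meets the length requirement yet is rejected because it normalizes to a base word the audit found in use, which is the case a length-only policy misses.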
Finally, and this is a good note to end on, some users will always pick weak passwords no matter what you do. Sure, you can and should try to teach them and in turn significantly reduce this risk. But at the end of the day, an attacker only needs one. Because of this, multi-factor authentication is one of the most vital security controls in your toolbox. All sensitive login interfaces should have MFA, especially when they are exposed to the Internet (your VPN, email, portal, etc.).