As last Thursday was World Password Day, it seemed like the ideal opportunity to blog about the cyber security nightmare that is passwords.
Passwords pose a huge security problem for the following reasons:
- Passwords are “something you know”; however, it’s only a password attack away from being “something someone else knows”
- Passwords are regularly leaked and readily available on the Dark Web
- Users will often reuse their password, meaning that compromised credentials potentially give a threat actor access to multiple systems
- Passwords can be easily brute forced or attacked in other ways (more on that below)
- Strong passwords are difficult to remember, and often lead to users storing their passwords in human readable formats such as text files, post-it notes, etc.
- Passwords can be easily phished. It’s much easier for a threat actor to ask you for your credentials than guess them
- Users regularly forget their password and need it to be reset, increasing administrative overheads
For many years, a strong password was sufficient to protect a user’s on-premises identity, provided the user didn’t share their password. As resources moved to the Cloud or were made public facing (Outlook Web Access, SharePoint, etc), users have found their accounts are subject to password-based attacks.
Password-based cyber attacks
Let’s take a closer look at the most common types of password-based attacks:
- Brute force: This is one of the most common and easiest attack methods for the threat actor to perform. The attacker uses a program to attempt logins to the user’s account with an extensive password list, starting with the candidates most likely to succeed and then moving on to systematic guessing.
- Dictionary Attack: This uses a dictionary list containing the most common passwords. These are often taken from prior data breaches. The dictionary attack will also attempt variations of these passwords by adding numbers or substituting common characters.
- Keyloggers: A keylogger is a program that is installed on the user’s device and records all keystrokes (and in some cases screen captures). This data is then uploaded to the threat actor to review and use in a later attack. Keyloggers are often deployed by means of malware masquerading as an attachment or legitimate application.
- Credential Stuffing: Most password attacks require the attacker to know your username, so they only need to guess the password to have a compromised set of credentials. The username can be easy to obtain or guess using other methods such as social engineering. Credential stuffing uses a list of previously leaked credentials in combination with various accounts until they succeed in getting a match. These lists are easily purchased on the Dark Web.
- Password Spraying: This attack tries the most commonly used passwords against masses of accounts. If even one user is using one of these weak passwords, then the organisation may be at risk. Brute force tends to use one account as the target, whereas password spraying targets accounts in their masses. Attackers favour this approach because it avoids triggering account lockout: each account only sees a handful of attempts.
- Rainbow Table: Passwords are commonly stored in a hashed format. Hashing uses an algorithm to convert the password into a format that cannot be read by a human. A rainbow table is a list containing pre-calculated hashes of common passwords.
As you can see, password attacks range from quick and easy to complex, depending on the target and the attacker’s ROI. Password-cracking software, and the hardware required to run it, improve daily. As an example, using a GPU-based brute force attack an 8-character password can be cracked in minutes.
Implementing an account lockout policy is effective at deterring – or at least slowing – an adversary’s attack. However, this also means anyone can lock out a user’s account. This in turn leads to increased administrative overhead, as users will be constantly requesting the IT Department either unlock their account or reset their password.
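The difference between brute force and password spraying described above is exactly what a defender can look for in authentication logs. The following is an added example, not code from the post: it runs over a few constructed log lines in an assumed "time RESULT user= src=" format and assumes a lockout policy of 5 failures, flagging a source that hammers one account as brute force and a source that spreads a few attempts over many accounts (staying under the lockout threshold) as spraying.

```python
"""Tell password spraying from brute force in constructed auth logs (added example)."""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5    # assumed lockout policy: 5 failures lock an account
SPRAY_MIN_ACCOUNTS = 4   # assumed: one source failing against this many accounts is spraying

# Constructed sample lines in an assumed "<time> <RESULT> user=<name> src=<ip>" format
SAMPLE_LOG = """\
09:00:01 FAIL user=alice src=203.0.113.7
09:00:02 FAIL user=alice src=203.0.113.7
09:00:03 FAIL user=alice src=203.0.113.7
09:00:04 FAIL user=alice src=203.0.113.7
09:00:05 FAIL user=alice src=203.0.113.7
09:00:06 FAIL user=alice src=203.0.113.7
09:10:00 FAIL user=alice src=198.51.100.9
09:10:01 FAIL user=bob src=198.51.100.9
09:10:02 FAIL user=carol src=198.51.100.9
09:10:03 FAIL user=dave src=198.51.100.9
09:10:04 OK user=erin src=198.51.100.9
09:15:00 FAIL user=frank src=192.0.2.4
09:15:30 OK user=frank src=192.0.2.4
"""

def parse_line(line):
    """Split one log line into (result, user, source_ip); the timestamp is unused here."""
    _, result, user, src = line.split()
    return result, user.split("=", 1)[1], src.split("=", 1)[1]

def detect(log_text):
    """Map each suspicious source IP to 'brute force' or 'password spraying'."""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed attempts
    for line in log_text.strip().splitlines():
        result, user, src = parse_line(line)
        if result == "FAIL":
            failures[src][user] += 1
    findings = {}
    for src, per_user in failures.items():
        worst = max(per_user.values())
        if worst >= LOCKOUT_THRESHOLD:
            findings[src] = "brute force"            # would already have tripped lockout
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS:
            findings[src] = "password spraying"      # many accounts, few attempts each
    return findings

if __name__ == "__main__":
    for src, verdict in detect(SAMPLE_LOG).items():
        print(f"{src}: {verdict}")
```

The single low-volume failure from 192.0.2.4 is left alone, which is the point: spraying is only visible when you count distinct accounts per source, not failures per account.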
One way to combat this is to use Microsoft Self-Service Password Reset. This allows a user to securely reset their own password by using another factor of authentication to prove their identity. This saves the helpdesk time and is also a more secure way to reset their password.
Unfortunately, it is becoming commonplace for high-profile credential breaches to be leaked on the Dark Web many months before they become public knowledge. This gives an attacker plenty of time to potentially use your credentials.
A user may have a strong, long, complex password that they can remember, which is good news. However, if they then use this same password for all their credentials, then one correct guess or password leak means the attacker potentially has access to multiple systems. This reuse of passwords is also an issue if the user assumes sufficient time has passed that it is safe to use a previously used strong password. Due to the nature of the web, leaked passwords never expire. As new passwords are leaked daily, they are added to an ever-growing known password database.
As we all know, phishing is the number one way to surface a user’s credentials. This attack vector generally represents the attacker’s best ROI. They can send many phishing emails or SMS messages and even if a small percentage are successful, then they can use these credentials as part of a larger attack. Why bother trying to crack a user’s password when you can just coerce them into giving you their credentials?!
Even when a user has successfully created a strong, long, complex password, they often can’t remember what it is. Therefore, they will record the password in a human readable format. This completely defeats the benefits of using a strong password!
Consider additional authentication
So, we’ve established that passwords are a problem for many reasons, but what can we do about this? Well, first we need to understand what other choices we have. Passwords represent one of many types of authentication.
There are 3 main types of authentications:
- Something you know: This factor is something you recall from memory that ideally no one else should know. This is generally a password but can also be a PIN or the answer to a question, for example.
- Something you have: This is something you physically have to offer up as an authentication mechanism, such as a hardware token, smart card, or a FIDO key. These hardware token codes are refreshed constantly and expire after the first use. Using products such as Microsoft Azure Conditional Access we can also enforce the use of device compliance, ensuring only permitted devices can access an organisation’s data.
- Something you are: This is a way of using parts of your body as a biometric authentication. This can be achieved by using a fingerprint, retina, iris, voice, or face for example.
There are also 2 other, lesser-known authentication types:
- Something you do: This type of authentication proves identities by observing actions, such as gestures or touches. A picture password for example allows a user to draw around certain elements in the picture in a certain order that only they would know how to achieve.
- Somewhere you are: This allows a user to authenticate based on their location. This could be by using an IP address geotag or a MAC address connected to a switch port for example.
Passwords should be replaced as soon as possible by other factors of authentication such as “something you have” or “something you are”, or better still, a combination of multiple factors. Many people believe that MFA (Multi-Factor Authentication) means exclusively using an MFA authenticator application, such as the Microsoft or Google authenticator applications. However, the term simply refers to using more than one factor of authentication. You will often see 2 factors of authentication referred to as 2FA, or 3 as 3FA, etc.
My recommendation here would be to use as many factors as possible to prevent credential-based attacks. Starting from the top and the most impactful, users should be registering for and using an authenticator application wherever possible. Microsoft claim that using their Azure MFA authenticator application in combination with a strong password prevents over 99% of account-based attacks. Implementing Azure MFA is so simple that there is no reason not to use it.
What else can I do?
Next up, if your devices support it then Windows Hello should be activated. This authentication mechanism uses biometrics in combination with a hardware-based PIN, should the biometric authentication fail. Many people believe that the PIN (which can be 4 or more characters) is less secure than a password. This is a common misconception.
If a password is compromised, then it can potentially be used against multiple resources from multiple locations. However, if someone were to shoulder surf a user and compromise their PIN then it does not matter unless they also steal their device. The PIN cannot be used as a method of authentication in isolation, and it only works with the device on which the PIN was set.
Lastly, if you know that your users should only access resources from specific locations on specific devices then enforce this control. For example, you may say that read-write permissions over corporate resources should only be allowed to corporate-issued devices that are domain/hybrid joined, with an up-to-date OS, an EDR application installed, and from inside the organisation’s perimeter.
Products such as Microsoft’s Azure Conditional Access allow even more granular controls when used in combination with Microsoft Cloud App Security. You could, for example, state that a Bring Your Own Device (BYOD) that successfully authenticates can only have a read-only view of your organisation’s data and prevent downloads.
I know that moving to other authentication factors is a journey and not performed overnight. Therefore, I’d like to offer the following advice when using passwords:
- Do not recycle passwords. Use a unique password for each login you have. You can see above how recycled passwords can be used in credential stuffing and other password attacks.
- Never share your password with anyone. There should never be a legitimate reason for someone else to know your password.
- If you feel your password may have been compromised, then change your password straight away and inform your IT department.
- Try to use passphrases instead of passwords such as “1PurpleMonkeyDishwasher!”. The length of the passphrase makes cracking it substantially harder for an attacker, especially when using random words. Passphrases are substantially easier to remember than complex passwords.
- Use a strong, complex, randomly generated password of at least 14 characters (20 characters ideally).
- Using character substitution rarely deters an attack and makes remembering your password more difficult. For example, an attacker knows that replacing the letter “i” with an exclamation mark (!) is common and they will account for this.
- Do not use any personal data in your password. This means your pet’s or children’s names, or any other personal information that can be established through social engineering.
- Do not use dictionary words unless it is as part of a random passphrase.
- If you cannot use a passphrase and are struggling to remember your complex password, then consider using a password manager such as LastPass.
- Never store your password in human readable formats. This means in text files, post-it notes, etc.
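Several of the rules above can be enforced automatically at password-change time. The following is an added example, not code from the post: it checks the minimum length, undoes the common character substitutions an attacker already tries before comparing against a (constructed, deliberately tiny) leaked-password list, and rejects personal data supplied by the caller. The leaked list, substitution table and sample inputs are all assumptions for illustration.

```python
"""Password-hygiene check implementing the advice in the post (added example)."""

MIN_LENGTH = 14          # the post's minimum; 20 characters is the ideal

# Constructed stand-in for a leaked-password database (real ones hold billions)
KNOWN_LEAKED = {"password", "welcome1", "letmein", "summer2023", "qwerty123"}

# Substitutions attackers already account for; undone before any comparison
SUBSTITUTIONS = str.maketrans("!1@40$53", "iiaaosse")

def normalise(password):
    """Lower-case and undo common substitutions, so 'P@$$w0rd!' collapses to 'passwordi'."""
    return password.lower().translate(SUBSTITUTIONS)

def check_password(password, personal=frozenset()):
    """Return the rules the password breaks (an empty list means it passes).

    `personal` is a set of tokens that must not appear, e.g. pet or children's names.
    """
    problems = []
    norm = normalise(password)
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Compare normalised forms on both sides so 'Welcome1' and 'W3lc0me!' both match
    if any(normalise(leaked) in norm for leaked in KNOWN_LEAKED):
        problems.append("contains a known leaked password (even after undoing substitutions)")
    hits = sorted(p for p in personal if normalise(p) in norm)
    if hits:
        problems.append("contains personal data: " + ", ".join(hits))
    return problems

if __name__ == "__main__":
    for candidate in ("P@$$w0rd!", "EmilyLovesSummer2023!!", "1PurpleMonkeyDishwasher!"):
        print(candidate, "->", check_password(candidate, {"Emily", "Rex"}) or "OK")
```

The post's own passphrase example passes every rule, while the substituted "password" variant is caught precisely because the substitutions are reversed before comparison.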
For more information on the technologies I have discussed above, please see the following:
I hope you’ve found this blog useful, but if you only take away one piece of information; please ensure you use MFA wherever possible!