30% of security breaches are caused by weak passwords. This mirrors what we see during penetration testing, with organisations not taking effective steps to reduce the risk of insecure password practices.
In this article, we’re going to be taking a look at the basics of how passwords work, and how we can manage the risk around their usage.
How does password authentication work?
Typically, passwords are stored in a “hashed” format. This is similar to encryption, with the primary difference that hashed data cannot be decrypted: hashing is a one-way function that takes a variable-length input and converts it to a fixed-length output.
For instance, using the NTLM algorithm, the password “IRMSecurity” will always result in the hash 258135B5A2E45BC9A70E7169B68F189C. The hash is always 32 hexadecimal characters long, irrespective of the length of the input password.
The hash will be stored in a database, such as the SAM database on Windows systems.
When a user logs into their local machine and inputs the password “IRMSecurity”, the computer converts the password to its hashed version and checks whether this matches the value stored in the SAM database. If the two match, the user must have known the correct password, and they are successfully authenticated.
A number of attacks become possible where a password is the only form of authentication to a computer system.
Offline brute force attacks
An offline brute force attack occurs when an attacker has access to a hashed password database.
In a rainbow table attack, the attacker precomputes a database of a large number of common passwords and their respective hash values. So if the attacker gains access to a database containing the hash 258135B5A2E45BC9A70E7169B68F189C, they can look it up in the precomputed database to determine that the password is “IRMSecurity”.
A password “salt” prevents rainbow table attacks. A salt is a value which is appended to a password before hashing. The salt value is typically unique per password database. Since an attacker would not know the salt value before compromising the password database, they would not be able to generate a rainbow table using this value.
Interestingly, Windows password databases (SAM and NTDS) do not use salt values, and are therefore susceptible to rainbow table attacks.
Tools such as Ophcrack can be used to perform this type of attack.
In a dictionary attack, an attacker takes a plaintext wordlist of potential passwords and converts them into their hash equivalents in real time. This may sound inefficient compared to precomputing the values in rainbow tables; however, there is a trade-off between the amount of disk space used and the speed of modern computer equipment.
These days, computer graphics cards can be used to significantly speed up password cracking. The tool hashcat is typically used for this purpose.
On a moderately priced graphics card, 54,033 million password guesses can be performed per second.
With phishing, an attacker typically sends an email to employees to coerce them into logging in to a system under the attacker's control, enabling the attacker to capture their credentials. These emails are often well constructed, and have proved effective at duping unsuspecting employees even when they have received security training.
We have previously covered the different types of Phishing attacks that can occur.
Online brute force attacks
Online brute force attacks are where an attacker attempts to guess passwords against a live system. For instance, a common scenario is Outlook Web Access exposed to the internet. An attacker can “spray” a common password such as “Password1” across all accounts on the system. This is often a highly effective technique.
- Influence behaviour through language. Avoid the term “password” and instead use the term “passphrase” to set the expectation that this should be a longer value. The length of a password directly influences how difficult it is to break.
- Keep current with password recommendations. The NCSC recommends that passwords be composed of three random words to strike a balance between security and usability. The US National Institute of Standards and Technology (NIST) also publishes guidance on password security.
- Protect credentials at rest. When developing bespoke systems, use brute-force-resistant algorithms such as bcrypt, combined with a password salt.
- Ensure that users receive regular security training so they know what’s expected of them, such as not disclosing their passwords to third parties or writing them down.
- Strong controls around passwords should take into account the end-to-end credential management lifecycle. For instance, if anyone can call the company help desk to reset their password without their identity being validated, this undermines the technical controls that have been implemented.
- Ensure default credentials are changed on all new devices and systems being used on the network.
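An added example (not from the article) of the “protect credentials at rest” item above and of the salt discussion in the offline attacks section: a random salt per stored password plus a deliberately slow key-derivation function, beside the unsalted fast hash that rainbow tables exploit. The article suggests bcrypt; this example swaps in PBKDF2-HMAC-SHA256 because it is in Python's standard library, with the iteration count taken from current OWASP guidance for that function.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # OWASP's figure for PBKDF2-HMAC-SHA256; raise it as hardware gets faster

def hash_password(password: str) -> str:
    """Store algorithm, work factor, salt and digest together so verification is self-describing.
    A fresh random salt per password means two users with the same password get different
    stored values, so no precomputed (rainbow) table matches either of them."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never authenticate on it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def needs_rehash(stored: str) -> bool:
    """Flag records made with an older or weaker work factor, to upgrade at the next login."""
    algo, iterations, _, _ = stored.split("$")
    return algo != "pbkdf2_sha256" or int(iterations) < PBKDF2_ITERATIONS

def unsalted_fast_hash(password: str) -> str:
    """The weak pattern the article warns about (no salt, fast hash): identical passwords
    always give identical hashes, which is exactly what a rainbow table relies on."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

if __name__ == "__main__":
    record = hash_password("IRMSecurity")
    print(record)
    print(verify_password("IRMSecurity", record), verify_password("irmsecurity", record))
    # Same password, two different stored values: nothing for a precomputed table to match
    print(hash_password("IRMSecurity") != record)
```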
Technical Security Controls
- Mandate the use of password manager applications. Ideally, organisations should provide a standardised method for storing passwords.
- Use Single Sign On (SSO) where possible. This allows for centralised control and audit of
- Require multi factor authentication for privileged accounts.
- Implement password filters to prevent users from attempting to set common or easy to guess passwords.
- Prohibit internet-accessible systems that use single-factor authentication. If there is a business requirement to use such a system, ideally it should be accessed via a VPN.
- Configure account lockout policies, and generate alerts when these lockout thresholds are crossed.
- Monitor authentication failures using a SIEM system.
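As an added example (not part of the article), the detection side of the password spraying scenario described under online brute force attacks: a per-account lockout threshold never fires when each account sees only one or two failures, so the SIEM-style rule below correlates failures per source address across many accounts. The log format and addresses are constructed for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample authentication log (not real data): one source trying many accounts
# once each, and one user who mistypes twice and then logs in successfully.
SAMPLE_LOG = """\
2024-03-01T09:00:01 AUTH_FAIL user=alice src=203.0.113.7
2024-03-01T09:00:04 AUTH_FAIL user=bob src=203.0.113.7
2024-03-01T09:00:07 AUTH_FAIL user=carol src=203.0.113.7
2024-03-01T09:00:10 AUTH_FAIL user=dave src=203.0.113.7
2024-03-01T09:00:13 AUTH_FAIL user=erin src=203.0.113.7
2024-03-01T09:00:16 AUTH_FAIL user=frank src=203.0.113.7
2024-03-01T09:05:00 AUTH_FAIL user=alice src=198.51.100.2
2024-03-01T09:05:20 AUTH_FAIL user=alice src=198.51.100.2
2024-03-01T09:05:41 AUTH_OK user=alice src=198.51.100.2
"""

def parse_line(line: str):
    ts, event, user_kv, src_kv = line.split()
    return datetime.fromisoformat(ts), event, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]

def detect_spray(log_text: str, min_accounts: int = 5, window_seconds: int = 600,
                 lockout_threshold: int = 5) -> dict:
    """Return {source: [accounts]} for sources whose failures within one time window hit
    at least min_accounts distinct accounts while every account stays below the lockout
    threshold: the pattern that a per-account lockout policy on its own never sees."""
    failures = defaultdict(list)  # source address -> [(timestamp, account)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        if event == "AUTH_FAIL":
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        sprayed = set()
        start = 0
        for end in range(len(events)):  # sliding window over this source's failures
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            per_account = Counter(user for _, user in events[start:end + 1])
            if len(per_account) >= min_accounts and max(per_account.values()) < lockout_threshold:
                sprayed.update(per_account)
        if sprayed:
            alerts[src] = sorted(sprayed)
    return alerts

if __name__ == "__main__":
    for src, accounts in detect_spray(SAMPLE_LOG).items():
        print(f"possible password spray from {src}: {len(accounts)} accounts {accounts}")
```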
How can IRM help protect your business?
Please contact email@example.com for more information.