[By Darren James, Senior Product Manager, Outpost24]
Humans have made unbelievable advancements in science and technology that have stretched the imagination and changed society forever. But one seemingly mundane, albeit crucial, piece of wisdom continues to elude mankind – proper password management.
We’ve all seen the headlines about the next big breach, the majority of which can be attributed to a root cause of human interaction, including the use of compromised or stolen access credentials, such as usernames and passwords. This is clearly a chronic issue for businesses and consumers alike.
Unfortunately, this conclusion is no “revelation.” The individual remains the weakest link in the security chain. Despite countless resources for end user training and security hygiene, IT teams are still battling against the use of weak or compromised passwords creeping into their company’s network.
The reason there is such a huge focus on passwords and getting password security right is the fact that 88% of organizations still use passwords as their primary method of authentication to protect their systems.
This naturally attracts a lot of attention from cybercriminals who are focusing thoroughly on exploiting weak passwords, stealing credentials, selling them, and using them as an initial access point for breaching organizations.
There is certainly more than meets the eye when it comes to passwords. Understanding this as well as the patterns and trends of breached passwords, how they become compromised, and the most common password mistakes users make that might surprise you, will lead us along a path towards stronger password security.
Weak Passwords – How they’re exploited
Within any organization, you’d be hard pressed to find an employee who hasn’t had training in creating strong passwords. If you have, this is a serious problem. The many years of security industry advice and best practices should have hammered this home. Yet, even with these recommendations, research has revealed that the most common base terms used in breached passwords were “password,” “admin,” and “welcome” – terms one may think would be obviously off-limits to any security-savvy end user.
Weak passwords remain the gifts that hackers keep on getting. The easy entry routes into organizations, they are the low hanging fruit that can be snatched and exploited to reveal the jewels of the kingdom: sensitive data.
There are three common methods in which hackers exploit weak passwords, including:
Dictionary attacks:
Hackers use predefined ‘dictionary lists’ of likely possibilities to guess passwords or decryption keys. These could range from frequently used passwords and phrases to common terms in specific industries, exploiting the human tendency to opt for simplicity and familiarity when creating passwords. Hackers will often leverage social media platforms to gather information about specific users and their organizations, gaining insights into the potential usernames and passwords they may choose. Of course, many end users will add at least a small amount of variation to these terms, which is where brute force techniques come in.
Brute force attacks:
Brute force attacks use software to attempt all possible character combinations until the correct password or decryption key is found. While this might seem time-consuming, it can be a highly effective method against shorter or less complex passwords – especially when given a head start by using common base terms found in dictionary lists. Combining techniques in this way is known as a hybrid attack. For example, “password” could be the base term from a dictionary list. A brute force attack will try all subsequent variations such as “password, Password, P@$$w0rd,P455w0rD, Password1, Password!” and so on. This takes advantage of common variations people make to weak base terms to meet their organization’s complexity requirements.
Mask attacks:
A mask attack is a form of brute forcing, where attackers know elements of common password constructions and can therefore reduce the amount of guesses they’ll need to get it right. For example, an attacker might know many passwords are eight characters, start with a capital letter, and end with a few punctuation characters, like “Welcome1!”. So, they might only try combinations that match this pattern, reducing the total amount of passwords to attempt. Alternatively, they might know a specific company has a poor policy such as adding the current month and year to the end of passwords when rotating them. Having any sort of definitive information about the makeup of a password can greatly speed up a brute force attack.
Keyboard walks
Another common base term for passwords can be found looking at a traditional keyboard. The terms “Qwerty”, “asdfghjkl” or, “zxcvbnm” may seem like random combinations but they are simply the letters next to each other on the keyboard. Known as “keyboard walks” or “finger walks”, these are seen as quick and memorable passwords for employees. Unfortunately, they are incredibly easy to compromise. The most used keyboard walk pattern was “Qwerty,” which appeared over 1 million times in a list of 800 million compromised passwords. Even “123456” was found to be the most common compromised password in a new list of breached cloud application credentials.
Now, the notion that the password issue lies solely with the general workforce is not true. In fact, IT administrators are often equally careless when it comes to password choices. Research has revealed that out of 1.8 million administrator credentials scanned, over 40,000 admin portal accounts were using the weak password “admin” to protect access to some of the most sensitive accounts with the highest levels of access within an organization.
It goes without saying that protecting access to sensitive information must be a priority for every employee within an organization. Above all, this starts with creating stronger passwords.
But what exactly makes a strong password?
Strength, length and security
At present, the default password length requirement in the Active Directory is 8 characters, which is also the most common length for many websites. However, given the sophistication of modern cracking technology, the time it takes for hackers to crack 8-character long passwords is under 3 hours. Moreover, if an individual was to use a known compromised password, this would be cracked instantly. It is strongly recommended for organizations to force end users to create passwords that are at least 15 characters long.
While this may be a challenge for some employees to remember, a method to overcome this would be to encourage the use of passphrases consisting of three random words. Embedding special characters and using a combination of letters and numbers would only strengthen the password.
Across the board, stronger password policies are needed to prevent the use of breached, common, and easily guessable passwords entering the system. To achieve this, a multi-pronged approach is required whereby the organization has the necessary processes in place to detect compromised passwords – even those that have become breached outside of the workplace. Implementing a company-wide password policy is beneficial in achieving this outcome as there are solutions available that can be integrated with the organizations’ Active Directory to prevent the use of keyboard walks, passwords that don’t meet a set criterion for length and/or complexity, or passwords that have been detected in compromised lists.
Scanning the Active Directory passwords against breached passwords lists should be conducted continuously, and if a compromised password is being used within the organization, the IT team should be alerted instantly so they can immediately enforce the end user to change it at their next logon.
Yes, the password continues to be a significant issue for IT teams and a massive weak link in the defense for many businesses. With that said, by following security best practices and deploying the security parameters, there will be drastic improvements in helping the IT team achieve password peace of mind for the entire organization. While it’s hard to imagine 2024 being the year total password security is achieved, it can certainly be something IT teams strive for going forward.
