You know what? People suck at passwords. We use weak passwords, we reuse passwords. Or we write down passwords or store them in equally insecure ways. These practices make our data very vulnerable. It’s no surprise then that attackers go after them.
Of course, the password authentication process exists. Still, getting access to passwords can be really simple.
Method 1: Ask the user for their password.
Method 2: Try a password already compromised belonging to a user.
Method 3: Try a weak password across multiple users.
… and many more.
In 2018, hackers stole half a billion personal records, a steep rise of 126% from 2017. That’s why an organization’s password policies and requirements should be designed with the utmost precision and scrutiny.
What companies need are robust password policies that proactively identify vulnerable user accounts and prevent the use of weak passwords susceptible to password cracking. Being able to go out and discover poor passwords before the attacker finds them is a security must.
Before we dive into ways to protect your passwords, we’ll first need to understand the top password security risks.
What Are the Top Password Security Risks?
Here are some of the top password security risks:
1. Phishing/Sniffers/Keyloggers
One of the easiest ways to get access to someone’s password is to have them tell you. Through this method, hackers can even bypass the password authentication process.
Here’s how:
Attackers target users by tricking them into typing their passwords into malicious websites they control (known as phishing), by infiltrating insecure, unencrypted wireless or wired networks (commonly known as sniffing), or by installing a keylogger (software or hardware) on a computer.
These methods provide fairly easy ways for attackers to steal credentials from users by either tricking them into entering their passwords or by reading traffic on insecure networks.
2. Brute Force/Cracking
A common way for attackers to access passwords is by brute forcing or cracking them. These methods use software or automated tools to generate billions of candidate passwords and try each one against the user’s account and data until the right password is discovered.
A brute force attack is one in which an attacker will try all combinations of letters, numbers, and symbols according to the password rules, until they find the one that works.
Brute force attacks aren’t usually successful when conducted “online” due to password lockout rules that are usually in place. However, they can often go undetected if the attacker can obtain a copy of the system’s password file, or download the hashed passwords from a database, in which case they are very successful.
Once the attacker has a copy of one or more hashed passwords, it can be very easy to determine the actual password. This is known as offline password cracking.
Basically, cracking is an offline brute force attack or an offline dictionary attack. If you used every single possible combination of letters, numbers, special characters, etc., this is an offline brute force attack.
If you use modified “dictionaries”, huge lists of words (across multiple languages) with character substitutions, commonly used passwords, etc., this is an offline dictionary attack. If an application stores passwords insecurely (using a single, fast hash), these cracking methods (brute force or dictionary attacks) will rapidly crack (compromise) all of the downloaded password hashes.
3. Weak Passwords
Since users have to create their own passwords, it is highly likely that they won’t create a secure password. It might be because users want to have a password that’s easy to remember, or they aren’t up-to-date with password security best practices, or they use patterns to generate their passwords like using their name or birthdate in their passwords.
While it’s relatively easy for users to remember these patterns or passwords, cybercriminals are also aware of these formulas people use to create passwords. These types of passwords typically result in weak and insecure passwords vulnerable to cracking.
4. Reuse of Passwords and Use of Compromised Passwords
Often, users tend to use similar passwords across different networks and systems which makes their passwords vulnerable to hacking.
Wondering how?
The number of cyberattacks is increasing by the day, so even if one website or system’s data is compromised, it’s likely that attackers will obtain users’ credentials. If a user uses similar passwords across different platforms, the attacker can access their data on other sites and networks as well.
5. Password Recovery/Reset Systems
Systems that allow users to recover or reset their password if they have forgotten it can also let malicious actors do the same. Remember, a forgotten password mechanism is just another way to authenticate a user and it must be strong!
Cybercriminals can mimic users and attempt to gain access to users’ accounts by trying to reset the password. Online systems that rely on “security questions” such as “birthday” or “pet’s name” are often too trivial for authentication as attackers can easily gain basic personal details of users from social networking accounts.
6. Clear Text Passwords in Code and Configuration Files
Clear text passwords pose a severe threat to password security because they expose credentials that allow unauthorized individuals to mimic legitimate users and gain permission to access their accounts or systems.
What are clear text passwords?
They can be either passwords that remain visible on the screen after being typed by the end user, or passwords stored in clear text in configuration files or source code with no encryption in place to protect the stored data.
Clear text passwords, be it as inputs or in configuration files, are highly vulnerable to password cracking and other cyber attacks.
Password Management and Protection: What You Should Do
There are many ways to protect your account against password cracking and other authentication breaches.
Here are some of the most effective, easy-to-implement, and optimal solutions to help protect your passwords:
Education
One of the greatest security threats to your organization could actually come from within your organization or company. Insider attacks have been noted as one of the most dangerous types of security attacks as they involve people associated with the organization who are quite familiar with the infrastructure.
Many cybersecurity breaches can be prevented by enforcing strong security measures such as secure passwords and following security best practices.
By educating your staff about cybersecurity, you can defend your organization against some of the most common types of cyberattacks leveled against businesses.
For instance, phishing attacks use emails from spoofed domain names that let attackers mimic legitimate websites or pose as someone familiar, tricking employees into clicking on fraudulent links or providing sensitive information.
If your employees are well aware of the best security practices, they can prevent an array of cyberattacks from taking place.
Secure User Password Storage
It is critical to secure user password storage in a way that prevents passwords from being obtained by attackers, even if the system or application is compromised.
As with cryptography, there are various factors that need to be considered.
A popular concept for secure user password storage is hashing. A hash is a one-way function, which means it is not possible to “decrypt” the hash and obtain the password. Strong hashing helps ensure that attackers cannot reverse the hash and obtain a password.
But simply hashing passwords is not enough: you want to make it difficult for an attacker to crack these passwords if your database is broken into and the password hashes are compromised. There are two things you should do.
First, salt your passwords. A salt (a unique, randomly generated string) is attached to each password as part of the hashing process. If a user has a very simple password such as “passw0rd”, a random salt is attached to it prior to hashing. With a simple hash, an attacker just has to generate one huge dictionary to crack every user’s password. If salted, the attacker has to regenerate the list for each user (using that user’s salt). This makes the attacker’s job harder.
Additionally, rather than just using a hashing algorithm such as Secure Hash Algorithm 2 (SHA-2), which can calculate a hash very quickly, you want to slow down an attacker by using a work factor. Work factors increase the amount of time it takes to calculate a password hash. They can also increase the amount of memory it takes for an attacker to calculate a hash.
For a user, a ¼ second to calculate a hash is an acceptable login delay. For an attacker, who wants to calculate millions of password hashes a second using specialized hardware, a ¼ second calculation time is too expensive. You can use an adaptive hashing algorithm to consume both time and memory and make it much more difficult for an attacker to crack your passwords.
Multi-Factor Authentication
Multi-factor authentication (MFA) is when a user is required to present more than one type of evidence to authenticate themselves on a system or application.
MFA may use a combination of different types of authentication evidence such as passwords, PINs, security questions, hardware or software tokens, SMS, phone calls, certificates, emails, biometrics, source IP ranges, and geolocation to authenticate users.
MFA should be used for everyday authentication. If there is resistance to this, at a MINIMUM, it should be implemented for performing sensitive actions, such as:
• Changing passwords or security questions
• Authentication after failed login attempts
• Changing email address or mobile number associated with the account
• Using a privileged functionality
• Unusual user behavior such as a login from a new device, different time, or geolocation
• Disabling MFA
MFA is one of the best ways to defend yourself against the majority of password-related attacks, including password cracking, password spraying, and credential stuffing.
Password Recovery
Most applications and systems provide a password recovery system for users who have forgotten their passwords or simply want to reset them. Attackers often attempt to hijack user accounts through that same password recovery system.
Remember that password recovery is a form of authentication, so the user must be able to provide evidence to prove their identity.
Use multi-factor authentication which uses a combination of passwords, PINs, and time-limited password reset tokens on registered email addresses or phone numbers associated with the user’s account to verify their identity.
Also, notify users about their password changes via email or SMS to ensure only authenticated users have access to their accounts.
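The time-limited, single-use reset token described above as an added example that is not part of the original article: the 15-minute lifetime, the in-memory store and the injectable clock are assumptions for illustration (a real service would persist the hashed token in the user database).

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; keep reset links short-lived

# Constructed in-memory store: user_id -> (sha256(token), expiry timestamp).
_reset_store = {}


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a token and store only its hash, so a database leak cannot replay it."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _reset_store[user_id] = (token_hash, now + TOKEN_TTL_SECONDS)
    # Send this to the user's registered email/phone; never log it.
    return token


def redeem_reset_token(user_id: str, token: str, now: Optional[float] = None) -> bool:
    """Accept the token once, only before expiry, comparing in constant time."""
    now = time.time() if now is None else now
    entry = _reset_store.get(user_id)
    if entry is None:
        return False
    stored_hash, expires_at = entry
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, stored_hash):
        return False  # wrong token: keep the legitimate one valid
    del _reset_store[user_id]  # single use; an expired token is discarded too
    return now <= expires_at


if __name__ == "__main__":
    t = issue_reset_token("alice", now=1000.0)
    print(redeem_reset_token("alice", t, now=1001.0))  # True
    print(redeem_reset_token("alice", t, now=1002.0))  # False: already used
```

On a successful redemption the application should also invalidate existing sessions and send the change notification the article recommends.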
Enforce Strong Passwords
Ensure that users have strong passwords with no maximum character limits. Make sure a password is a combination of uppercase and lowercase letters, symbols, and numbers. The challenge with passwords is that in order to be secure, they need to be unique and complex.
However, complex passwords tend to be difficult to remember, which means they aren’t necessarily user friendly. To maintain security while providing ease of use to users, consider using long passphrases.
Passphrases are a random string of words that are easier to remember but relatively longer than passwords. In general, a good passphrase should have at least 6 words and should be generated, as everyday vocabulary is often not strong enough.
For instance: “vitals.toad.nestle.malachi.barfly.cubicle.snobol”
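Generating a passphrase of the kind shown above, as an added example that is not part of the original article: the word list below is a constructed stand-in, and the 64-bit strength floor is an assumption; real deployments draw from a list of thousands of words.

```python
import math
import secrets

# Constructed stand-in word list. Real lists (Diceware, EFF) have thousands of
# entries; that list size is what gives each word its strength.
SAMPLE_WORDS = ["vitals", "toad", "nestle", "malachi", "barfly", "cubicle",
                "snobol", "anchor", "bramble", "copper", "drizzle", "ember",
                "fjord", "granite", "harbor", "ivory"]


def entropy_bits(n_words: int, list_size: int) -> float:
    """Strength of a uniformly random n-word passphrase drawn from list_size words."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int = 6, words=SAMPLE_WORDS, sep: str = ".",
                        min_bits: float = 64.0) -> str:
    """Draw words with the OS CSPRNG (secrets, never random) and refuse weak setups."""
    if n_words < 6:
        raise ValueError("use at least 6 words")
    if entropy_bits(n_words, len(words)) < min_bits:
        raise ValueError("word list too small for the requested strength")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    # 7 words from a 7776-word Diceware-style list, the shape of the article's example.
    print(round(entropy_bits(7, 7776), 1))  # 90.5
    # The 16-word sample list yields only 24 bits for 6 words, so the guard
    # rejects it unless the strength floor is lowered.
    print(generate_passphrase(min_bits=0))
```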
It is recommended to use a password manager to generate unique, complex passwords for you. They also combat password reuse and ensure that each password generated is unique.
Encrypting System Passwords
Encryption is one of the most important protections available today for stored system passwords. On many systems, a default administrative account exists which is set to a simple default password. These are trivially easy to try and break into. DON’T USE DEFAULT PASSWORDS.
Often, a hard-coded password is written down in code or in a configuration file. It’s quite simple for attackers to look up these credentials once they gain basic access to a system. They then use these clear text system passwords to pivot and break into other systems.
Wherever possible, encryption keys should be used to store passwords in an encrypted format.
What about the keys used to encrypt the data?
A general rule is that you should avoid keeping keys alongside your code or configuration, because an attacker who obtains your code then obtains the key as well, rendering the encryption useless. You need to store keys securely in a key management framework, often referred to as a KeyStore. It has two functions:
• Randomly generates keys
• Securely stores the keys
With these features, storing secret keys becomes easy. Since the KeyStore randomly generates and securely manages keys, only your code can read them, making it difficult for attackers to decrypt passwords.
Final Thoughts
Enforcing strong password policies is an effective way to beef up security, and enterprises should invest more time and resources into ensuring all stakeholders, including employees, third parties, and customers follow stringent password protocols.
There are many ways you can implement better password policies - enforce stringent password requirements, use tools to securely store data, use encryption, etc.
Cypress Data Defense uses next-gen tools that can discover and prevent weak passwords, protecting your organization against password cracking and other authentication based attacks.
For more information on authentication and password enforcement, you can reach out to us and we’ll ensure your data is secure.
This post was originally published at CypressDataDefense.com.
Top comments (2)
I think that this kind of approach can be interesting (if these passwords are stored properly by the service).
Another approach can be to set up a "trust device" (your phone usually) and any time, you want to login to the service with another device (your home computer for instance), you receive a notification on the trust device that will grant you access to the service from your "non-trusty" device, only for the session.
The trust device allows the user to revoke a session if the user wants it. You have total control.
That is pretty secure and very powerful.
There you are my pet peeve. Tons of sites will reject a 50 character passphrase but will be happy with 123abc@ 😡