This short 2 minute video explains what’s important and mistakes to avoid
Passwords remain the most widely used authentication solution for verifying a user’s identity. As the “something you know” element in a multi-factor authentication (MFA) architecture, passwords remain the most common first factor, even though they are by far the weakest element in available authentication technologies on the open market.
In a bid to protect your users from online identity theft, it’s prudent to regularly review your authentication solutions. This includes the use of passwords and the policies affecting their implementation and utility. They should be capable of withstanding an extensive barrage of attacks, without driving insecure user behaviour due to their complex and unfriendly nature.
Let’s quickly revisit what passwords are. As a sequence of characters that are entered into an IT system to verify a user’s identity, in their simplest form they can be any length and any character combination.
In the beginning
In many IT systems the default security policy for passwords has not evolved since they were first introduced. Consequently, it is still possible for users to set their password to simple, easily guessable words such as their name, their birth date or their pet’s name.
Even system administrators make poor password choices, with the most used temporary password being Password1 – a problem when it remains unchanged for an extended period. It is clear why these passwords are insecure, even an entry level attacker could guess them – with access to the user’s public Facebook or LinkedIn profile and a bit of time to enter a few guesses.
The introduction of mandatory strong passwords
Many organisations are now promoting the use of strong passwords, and where possible, configuring their systems to enforce complexity rules that keep the user from choosing ones that may be guessed easily using common attack techniques, such as a dictionary attack. You can read about common forms of attacks to steal passwords in our MFA blog.
The problem is, from a user’s perspective, choosing a good password is harder than it might seem (and instantly forgettable if it’s not in your password repertoire). Policies can be written to help users make better choices, with IT teams implementing technologies that prevent insecure choices so that identity resilience is inherent across their user base. Matching algorithms work to a certain extent, but many of these algorithmic checks fail to spot dictionary words hidden in an envelope of special characters and numbers, such as the user’s name with a capital letter at the beginning, followed by a number and an exclamation mark. Choosing a password such as Andrew1! allows the user to bypass the organisation’s complexity checker, while still leaving Andrew exposed to relatively unsophisticated dictionary attacks.
Troy provides many valuable resources on his website, such as a file containing the top 100,000 passwords. IT administrators can use these passwords as the as the foundation of their deny lists.
While strategies have been introduced to enforce stronger passwords, there are other challenges to be managed.
Passwords reuse and shared accounts
Password reuse is a major risk factor for organisations and their users. Once an attacker steals a victim’s password and proves it works, they will gather intelligence on any additional services the victim uses and attempt to authenticate using the same breached credentials.
Unencrypted passwords and password hashes
Unfortunately, an enormous number of people reuse passwords across multiple online accounts, believing that if the password is complex enough then they remain protected.
The reality is, it is not always the strength of the password that exposes it to an attack. There may be a problem with the implementation of security on the website or service, whereby attackers steal unencrypted passwords or a set of password hashes (encrypted passwords stored on the server), allowing the attacker to spend as much time as they want trying to figure out what the passwords are for all that site’s users.
Running tools that use dictionaries and brute force attacks against these hashes will almost certainly yield results the hacker can then reuse against other online services or even against the user’s university or employer.
Shared accounts increase the attack surface
Shared accounts are a common problem for organisations, particularly where there is a shared function or people job share – with multiple people logging in to the same account. This exposes an organisation to several risks, such as the password complexity issues and reuse issues that we’ve already discussed. However, it also means that the attack surface (the breadth of online exposure) is significantly increased.
In a post breach investigation that involves shared accounts , an organisation loses individual accountability and traceability. This means it would be unable to ascertain which of the users were attacked, since there is no way to tie the user account to the actions of the person who was using it at any given time.
It’s especially common in networks where there’s a corporate component and an operational or Industrial Control System (ICS) component. In such deployments, attackers have been able to breach the corporate network and move laterally to the internal network due to poor network segmentation, where a single weak point (such as a password from one of these lists on a box in a DMZ) has enabled traversal. In the first occurrence of the TRITON/TRISIS malware, the attacker breached the external perimeter VPN and then pivoted internally using RDP due to poor segmentation.
Password managers – the good and the bad
Resorting to a password manager tool that stores complex passwords on your users’ behalf is a very good thing. However, there are a few issues that can affect risk exposure.
Password managers rely on one incredibly secure account that opens access to all other accounts owned by the user. If that one account is somehow breached, the user is in a world of pain, as every online service they use is now at risk. Relying on these sorts of services means you are trusting that the vendor has done all they can to create a secure application and that there are no vulnerabilities in the password manager that many allow an attacker the means to bypass the secure front door.
We would recommend that password managers certainly have their place in the world of authentication, but it is best to build them into a more layered approach to security, so they compliment your architecture rather than being the primary control.
Raise cyber security awareness
Since passwords are likely to be around for some time yet, it is vitally important that as part of your organisation’s cyber security awareness training, password security is a topic of focus.
When undertaking awareness training, it is worth remembering that it’s not just about how users can create strong passwords, but educating users on why certain things are important. Show your users Troy Hunt’s Have I Been Pwned website and point them to the guidance on passwords. Encourage them to be proactive and test all their personal email addresses to see if their accounts have ever appeared in a breach. It’s an eye opening, worthwhile exercise. Moreover, this kind of learning sticks rather than conveying a set of abstract rules for password complexity.
How to check if usernames have been breached
It is possible, using sites like Have I Been Pwned, to programmatically check all your organisation’s usernames to see if any have been found in public breaches. Many people use their work email for registering for private services, or even business services that are not connected to the internal domain.
Support to implement MFA and SSO
If you’d like to explore how Catalyst can help implement MFA and SSO in your organisation, we’d love to hear from you.