Contrary to popular belief, hackers don’t need sophisticated tools or special skills to break into a network. According to this Verizon Data Breach Investigations Report, a staggering 81 per cent of hacking-related breaches leveraged either stolen and/or weak passwords.
Here are three common ways passwords are putting your organisation at risk.
Default passwords are vendor-supplied and they are risky business. Default device credentials are readily available online, covering everything from operating systems to devices. Consumers and corporate employees alike often neglect the important step of changing the default passwords, leaving their environment vulnerable to attacks. Equifax learned this the hard way. Following a massive breach compromising 147.9 million users, it was found that Equifax’s staff used the default username and password to secure a portal containing sensitive customer information. The default password was one that anyone could have guessed: “admin”.
Changing the default password is the first precaution to take. Implement a process to change default passwords on all devices and services to lower the risk of hacking. It is likely that there are systems using default passwords in your organisation today – use free tools such as Metasploit or OpenVas to run a vulnerability scan on your network to identify them early before being exploited.
Year after year, we see the same terrible passwords return to the top 100 worst passwords of the year list. The worst offender of all – 123456 – remains unchanged. Common passwords carry known risks, but why do we continue to see them used in corporate environments? Many organisations use the Windows Default password policy to enforce password security, but more often than not it creates a false sense of security. The Windows default password policy only requires a minimum of eight characters, and three of the following character types: lowercase letters, uppercase letters, numbers, special and Unicode. Passwords that meet the above complexity requirements, such as Password1, Hello123 and Welcome1, provide minimal protection for your environment.
Based on the analysis of 500,000 passwords in this Global Security Report, 77 per cent of hacked passwords complied with password complexity in the Windows default password policy. This included the top common password used in a corporate environment – Password1 – which also ended up in NCSC’s top 100,000 most hacked passwords. The report further suggests that 38 per cent of passwords are only eight characters long, which can be brute-force cracked in less than a day.
We have established that Windows Default password policy doesn’t provide enough granularity, is Microsoft Fine-Grained Password Policy (FGPP) the answer? Unfortunately not. FGPP has its limitations. For example, FGPP doesn’t allow you to disallow consecutive identical characters or common character types as first/last character. You also don’t get passphrase support or the ability to create custom password dictionaries. A third-party password policy solution will offer you more flexibility, allowing you to detect compromised passwords and enforce passphrases, while banning the use of predictable password patterns.
Take a look back at publicised breaches and you’ll realise that credential theft accompanied by password reuse are often the culprit. For example, the 2012 Dropbox breach was caused by one careless employee who had used their LinkedIn password (that had suffered a breach earlier in the year) for their corporate Dropbox account. This led to the theft of 60 million user credentials. With password reuse, it only takes one compromised password to lead to a company breach. This is why it is so important, now more than ever, to block the use of compromised passwords in business systems.
How do you prevent the use of stolen passwords? The NCSC recommends using a password blacklist. A password blacklist is a list of disallowed passwords consisting of common and compromised passwords. It improves security as it prevents hackers from exploiting weak passwords. Some people build password blacklists using leaked passwords from previous breaches, others simply use a password blacklisting service that is continuously updated.
Password blacklists vary widely in size, anywhere from only a few dozen common passwords to billions of compromised passwords. The NCSC’s top 100,000 most hacked passwords can be used as a blacklist. However, it is subject to debate whether or not a blacklist of 100,000 is sufficient to defend against attacks. Ultimately, your organisation will have to decide what number strikes the right balance between security and usability.
Uncover other password vulnerabilities
Besides compromised and weak passwords, vulnerabilities such as stale administrative accounts or users with expired passwords can pose serious security risks. This free tool scans your Active Directory for weak password policies and displays interactive reports containing password-related information, such as policy usage, expirations and relative strength. For each password policy, you can drill down and see how the settings compare to various industry standards. The tool also identifies other security vulnerabilities that may have slipped through the cracks, such as stale administrative accounts or accounts that do not require passwords.
Click here for a free scan.
by Karen Brown, Password Security Expert, Specops Software