Passwords are inherently the weakest form of authentication, yet they remain the most prevalent. Many organizations realize that moving beyond this single point of vulnerability is necessary, but replacing passwords or adding multi-factor authentication (MFA) to every use case can be daunting, if not impossible. It is therefore important to enforce strong password policies so that this first, and often the only, line of defense can withstand common attacks.
In recent years, the National Institute of Standards and Technology (NIST), the National Cyber Security Centre (NCSC), Microsoft and the analyst firm Gartner have published password best practices that recommend moving away from enforced character composition and password expiry, because users respond to both with predictable patterns, while emphasizing the use of password blacklists. Following such best practices is a good starting point; however, IT departments should consider the potential risks before implementing these policies.
For example, if a password is set to never expire, how will the user be prompted to change it once it actually appears on a leaked-password list? Additionally, it takes an organization over 200 days on average to realize it has been breached, and password expiry would limit some of that exposure. Attackers typically exploit a weakness, whether that is an unpatched system or an unsuspecting user who falls prey to a phishing scam. Once in, they continue to worm their way through the network, exploiting other low-hanging fruit.
If we look back at some past publicized breaches, it becomes evident that credential theft, combined with password reuse and Active Directory weaknesses such as insecure privileged accounts, is often the culprit.
For instance, the 2014 Yahoo breach, which affected 500 million user accounts, was found to be caused by hackers using a list of usernames and passwords acquired from a third-party server to penetrate user accounts and harvest more names and email addresses. It would be remiss not to mention that Yahoo was originally breached in 2013, which led it to admit in October 2017 that all 3 billion user accounts had been compromised.
The 2016 GitHub breach exposed developer accounts through a password stuffing attack. Online publications point to the LinkedIn breach, which dumped over 100 million usernames and passwords online just a month before the GitHub attack. Other password reuse attacks that have pointed to LinkedIn as a potential source include the following 2016 breaches: GoToMyPC, Carbonite and TeamViewer.
With so many user records, including usernames and passwords, readily available online, and with over 80% of users reusing their passwords, it isn't surprising that password stuffing and password spraying attacks may well be among the main drivers behind the accelerated pace of security breaches.
Remove the bad apples
To remove the easy pickings, beyond patching and installing proper anti-malware protection, IT departments should strike a balance between new and traditional password and Active Directory security best practices. To do so, IT departments should consider the following steps:
- Create varying password policies: A single policy, or a one-size-fits-all approach for all user constituencies, will leave your organization exposed. Take into account privileged accounts and C-suite accounts, which often override IT security policies.
- Use character composition rules where needed, per the above, to increase randomness and reduce the success rate of brute force attacks.
- Block common password construction methods such as keyboard patterns/walks (e.g. qwerty), use of the user or organization name, use of numbers or symbols only at the beginning and end of passwords, and use of exact or partial leaked passwords.
- Remove other password vulnerabilities such as stale admin accounts, accounts that do not require a password or are using expired passwords, and accounts that do not use password complexity or that use leaked passwords.
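The construction-method checks from the list above, implemented as an added example (not Specops code): it flags keyboard walks, embedded user or organization names, digit/symbol padding around an alphabetic core, and exact or partial matches against a blacklist. The username, organization name and the small leaked-password set are constructed for the example; a real deployment would load a full breached-password feed.

```python
import re

# Constructed sample of a breached-password blacklist (a real feed holds millions
# of entries); stored lowercase so matching is case-insensitive.
LEAKED = {"password", "letmein", "welcome", "summer2016", "linkedin"}

# Keyboard rows used to detect walks such as "qwer", "asdf", "7890" (either direction).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_keyboard_walk(pw, min_len=4):
    """True if pw contains min_len or more adjacent keys from one row, forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in low:
                    return True
    return False


def audit_password(pw, username, org_name, leaked=LEAKED):
    """Return the list of policy findings for pw; an empty list means it passes these checks."""
    findings = []
    low = pw.lower()
    if has_keyboard_walk(pw):
        findings.append("keyboard walk")
    # User or organization name embedded anywhere in the password
    for name in (username, org_name):
        if name and name.lower() in low:
            findings.append(f"contains '{name}'")
    # Alphabetic core with digits/symbols only at the edges, e.g. "Password1!" or "!!secret"
    core = re.sub(r"^[^a-zA-Z]+|[^a-zA-Z]+$", "", pw)
    if core and core != pw:
        findings.append("digits/symbols only at start or end")
    # Exact blacklist hit, or a leaked password reused as part of a longer value
    if low in leaked:
        findings.append("exact leaked password")
    elif any(len(entry) >= 5 and entry in low for entry in leaked):
        findings.append("contains leaked password")
    return findings


if __name__ == "__main__":
    for candidate in ("Password1!", "jsmith2024", "correct horse battery"):
        print(candidate, "->", audit_password(candidate, "jsmith", "Acme") or "OK")
```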
The question now is: how easily can you do this? The key is being able to identify vulnerabilities quickly and on a continuous basis. Information security teams need to take password and Active Directory easy pickings into account; the evolving threat climate dictates this. Given the role passwords play in organizations, password policy should never follow a 'set it and forget it' approach. With a password in hand and a few naive Active Directory missteps to exploit, attackers can inflict some very damaging consequences. Don't let this be your organization.
Spot blatant weaknesses
Easily spot some of the most common password and Active Directory vulnerabilities with Specops Password Auditor. Download it for free today to quickly obtain the following insights:
- How current password policies stack up against industry standards and best practices including NIST, PCI and more.
- Relative password policy strength against brute force attacks.
- Stale or inactive admin accounts.
- Accounts with expired or about to expire passwords.
All of this information is available in exportable reports and graphical displays, so you can spot these vulnerabilities and act on them straight away with Specops Password Policy, including enforcing various password blacklists. Download Specops Password Auditor for free today to take action on any of the above weaknesses.