In my day-to-day work as a penetration tester, I find it often isn’t the latest vulnerability or exploit that compromises...
most organisations: It’s weak passwords.
Passwords are everywhere: Internal logins, remote access products, laptops and smartphones all require users to have passwords for authentication. As pen testers, we simulate many situations for our clients, including stolen laptops, remote access and internal “disgruntled employee” situations. Whether it is through simple password guessing techniques or cracking password hashes, we tend to find at least one account with a simple password such as “password”, “Password123”, the organisation's name, or the standard password that admins set when a user has forgotten his or her password.
When creating a secure password, there's a myth that they must be at least eight characters in length, be alphanumeric and contain special characters in order to be secure. This causes users to create passwords that are not only difficult to remember, but also easy for attackers to crack. This is due to the fact that computers can crack short passwords effectively, regardless of complexity. (Ophcrack, free software for cracking Windows password hashes, boasts a greater than 90% success rate for cracking standard Windows XP passwords.)
Supplementing passwords with other factors is a common way to handle this problem. Password supplementation is based around three basic factors: something you know, something you have and something you are.
These technology options will not protect organisations if users reuse
systems that use only single-factor, password-based authentication.
The popular token-based two-factor authentication requires the user to provide his or her password (something you know) as well as a one-time code, which is usually supplied via an electronic token or software (something you have), to gain access. This mechanism is widely deployed on the Internet to protect remote access services, VPN endpoints and sensitive Web-facing infrastructure, and I have seen it deployed inside the corporate network to protect crucial assets. If the user reveals or an attacker gains a password, it is essentially useless without the code-generating token. Implementing token-based two-factor authentication will also stop attackers from simply guessing passwords against a service. Biometrics generally rely on a password (something you know) and a physical attribute, usually a fingerprint, iris scan or facial recognition (something you are). The implementation of biometrics is often in hardware and mostly seen in laptops. Biometrics are excellent for protecting mobile devices, especially laptops, from attacks against the login process.
Yet these technology options will not protect organisations if users reuse the same insecure passwords on other systems that use only single-factor, password-based authentication. For example, removing the hard drive from a biometric-protected laptop will render that factor of protection useless, and allow the disk contents to be read, including any password hashes present. Using an encryption system to encrypt the entire hard disk, however, will render the hard disk unreadable to anyone who doesn’t have the password to unlock the encryption.
Solutions for password management
It may be infeasible to implement multifactor authentication throughout an entire network, so what are the other options? User awareness training is the first; particularly teaching users why passwords are important and how they can choose secure, easy–to-remember passwords. The passphrase (a passphrase is the use of multiple words or a sentence to form the password) “I’m not too keen on my password” is much easier to remember, and much stronger than a password like “x5Lsd£f/” with only a few characters. This is due to the amount of time password-cracking software will have to cycle through each character in order to guess the correct one. Changing internal corporate password policies to enforce the use of passphrases will not only help secure your data, but may reduce help desk calls for forgotten passwords, as well.
When pen testing, we have seen positive results from conducting awareness training, with a significant increase in password (or passphrase) strength after users have undertaken the training.
Making your case for improving password security
The ideas discussed above will help secure your assets, but convincing management to fund the products required to implement them can be difficult. Start by explaining what these passwords actually protect, and how much this information would cost the company if it were in the wrong hands. With the appropriate consent, you can use any number of tools to crack a selection of password hashes gathered from your environment (I wouldn’t keep the usernames, for privacy reasons). Presenting your findings in a way that shows how many passwords were cracked in a short amount of time (for example, five hundred passwords cracked in five minutes) can be powerful. Finally, describe the ideal technology implementations -- such as multifactor authentication -- and how they serve to increase password security. Keeping all this information in a short presentation (say, five slides) will get all the required information across in a fashion that can drive the important points home whilst keeping the audience’s attention.
About the author:
Mike McLaughlin is a penetration tester working for First Base Technologies, an information security consultancy in the UK. Mike's daily work consists of both internal and external network-based penetration testing, Web application penetration testing, and social engineering.