Easily Prevent More Breaches by Simply Preventing Bad Passwords


A recent cyber-attack on the Canadian government succeeded because of a well-known attack technique, credential stuffing. If you’re not familiar, credential stuffing is simply taking credentials exposed in one breach and using them to compromise a different organization. It succeeds because 62% of people reuse personal passwords on work systems.

News of this attack broke on Monday, August 17, 2020, and it highlights how real the cyberattack risk is for every organization. The question victims often ask themselves post-attack is, “Was this preventable?”

“The credentials used in the attack came from previous, non-government of Canada data breaches. They were effective because Canadians reused old passwords on government of Canada systems.”

Scott Jones, the head of Canada’s Centre for Cyber Security

When you look at guidelines from the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST), one of the key recommendations from both is to prevent the use of passwords that are collected in public breach databases.

  1. As an administrator, how do you know if any organizational passwords are contained in a list of stolen passwords? Can you prevent passwords from being used that are in a breach database?
  2. Can you audit existing passwords to ensure they are not part of a breach database?

A secure password today can quickly become part of a breach database. It’s critical that you evaluate all passwords at creation and again whenever your breach database is updated. (A password that is NOT on a breached list when first checked may show up there later, which is why continual checking is critical.)

Back to the Basics

A password alone is not sufficient security.

Again, a password alone is not sufficient security.

Techniques used to compromise passwords are widely documented. Don’t be fooled by the math. If an attacker is going to perform a brute force attack, it will be an intelligent attack rather than random guessing of 8- or 9-character password combinations. Having access to over half a billion passwords obtained from compromises gives researchers, and attackers, insight into common user behavior.

Most believe if a user leverages upper case, lower case, numbers, and symbols they will create a complex hard-to-guess 9-character password, right? What we’ve learned is a complex user password looks more like this ‘Agreement1!’ than like this ‘m2RK&3sNrG&fcI’. The problem is predictable human patterns.

  1. Capital letter in the first position
  2. A Symbol in the last position
  3. A Numeric in the last 2 positions

With this knowledge, a brute force attack has a much smaller character search space. Simply stated, it makes it easier to guess passwords!
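To make the “smaller search space” point concrete, here is an added example (not code from the original post or from Stealthbits). It flags the three habits listed above in a candidate password and compares the number of guesses needed for the password’s actual character-class mask against trying every printable ASCII character in every position. The 94-character printable set and the mask-based comparison are assumptions made for this illustration; the two sample passwords are the ones quoted in the post.

```python
import math
import string
from typing import Dict

# Sample passwords quoted in the post: one following the habits, one not.
SAMPLE_PASSWORDS = ["Agreement1!", "m2RK&3sNrG&fcI"]

SYMBOLS = set(string.punctuation)  # 32 printable ASCII symbols

# Character-class sizes for a position mask (assumption: 94 printable ASCII chars):
# u = uppercase, l = lowercase, d = digit, s = symbol, a = any printable character
CLASS_SIZES = {
    "u": 26,
    "l": 26,
    "d": 10,
    "s": len(string.punctuation),
    "a": 26 + 26 + 10 + len(string.punctuation),
}


def human_patterns(password: str) -> Dict[str, bool]:
    """Report which of the three predictable habits a password exhibits:
    capital in the first position, symbol in the last, digit in the last two."""
    if not password:
        return {"capital_first": False, "symbol_last": False, "digit_in_last_two": False}
    return {
        "capital_first": password[0].isupper(),
        "symbol_last": password[-1] in SYMBOLS,
        "digit_in_last_two": any(c.isdigit() for c in password[-2:]),
    }


def pattern_mask(password: str) -> str:
    """Translate a password into its character-class mask, e.g. 'Abc1!' -> 'ullds'."""
    out = []
    for c in password:
        if c.isupper():
            out.append("u")
        elif c.islower():
            out.append("l")
        elif c.isdigit():
            out.append("d")
        else:
            out.append("s")
    return "".join(out)


def mask_search_space(mask: str) -> int:
    """Number of candidates an attacker must try to exhaust a given position mask."""
    return math.prod(CLASS_SIZES[c] for c in mask)


def reduction_factor(password: str) -> float:
    """How many times smaller the search space becomes when the attacker guesses the
    password's class mask instead of trying every printable character per position."""
    full = mask_search_space("a" * len(password))
    return full / mask_search_space(pattern_mask(password))


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(pw, human_patterns(pw), pattern_mask(pw), f"{reduction_factor(pw):,.0f}x smaller")
```

Running it shows that ‘Agreement1!’ matches all three habits and that an attacker who guesses its mask (capital, eight lowercase, digit, symbol) has a search space millions of times smaller than the naive 94^11 figure the “math” suggests; the random-looking password matches none of the habits.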

I’ve worked with several Stealthbits customers to understand common bad patterns they have detected among their user credentials. We’ve collectively learned there are three (3) key and consistent patterns across multiple vertical markets and geographic locations.

1. Company or Industry Terms are Popular When Creating Passwords

If you work at Oracle, should you be able to have a password containing Oracle, MySQL, Java, or ORCL (the stock symbol)?  If you said no, I agree! If you said yes, consider this:

Name                      # Prevented   Time Range
Customer 1 (90K users)    30,048        236 days
Customer 2 (110K users)   18,539        180 days
Customer 3 (22K users)    1,688         60 days

It’s rather normal that users gravitate to using common terms. It makes perfect sense considering they often use those terms daily. Of the over 50,000 prevented passwords across 222,000 users above, ALL at least contained one (1) common phrase identified by IT.

What does this mean?

Attackers also know users pick passwords containing company and common industry phrases. This helps them narrow the pool of possible password combinations, making it more likely they guess the password. But the flip side is true as well. Preventing the use of these common terms improves security by making user passwords much more difficult to guess.

2. Horizontal Keyboard Patterns are Also Popular for Passwords

The least creative way to create a password is just pressing adjacent keys in order on the keyboard. “QWERTY” is an annual winner of the “Top 5 Most Common Passwords.”

Name                      # Prevented   Time Range
Customer 1 (90K users)    21,896        236 days
Customer 2 (110K users)   34,557        180 days
Customer 6 (85K users)    23,241        120 days

Nearly 80,000 instances in roughly half a year, across 285,000 users. This was eye-opening for IT, as well as management: users are less focused on security and willing to sacrifice it to get back to work quickly. As in most organizations, the password complexity policies are a burden easily bypassed without some checking mechanism in place.

3. Surprisingly Many Passwords Users Try Show Up in a Breach Database

There is no way to prevent a user from choosing a personal password at work. Asking users not to re-use personal passwords can be in-policy, but technically it’s just not enforceable. But something that is enforceable is preventing previously breached passwords from use in your environment.

The Canadian Government breach at the start of this blog could have been prevented if they actively prevented breached passwords or, at the very least, checked existing passwords against a breached database.

Name                      # Prevented   Time Range
Customer 7 (55K users)    18,577        240 days
Customer 2 (110K users)   29,854        180 days
Customer 3 (22K users)    7,002         60 days

Not every password in a breach database would pass most corporate password policies. As an attacker, you focus on passwords that would typically ‘pass’ organizational policy. The sheer volume of passwords that were tried by users and show up in breached password databases in our above examples is scary. Over 55,000 breached password attempts found across 187,000 users in roughly 6 months. While organizational passwords are typically more valuable to an attacker than personal account passwords, organizations often require users to change passwords somewhat frequently, so that compromised password has an expiration date.
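The three checks described in sections 1, 2 and 3 above (company or industry terms, horizontal keyboard sequences, and previously breached passwords) can all be applied at password creation. The following is an added example, not code from the original post or from any Stealthbits product. The Oracle term list comes from section 1; the SHA-1 breach set, the leet-speak substitutions and the US QWERTY rows are assumptions constructed so the example runs offline.

```python
import hashlib
from typing import List, Optional

# Blocklist built from the Oracle example in section 1
COMPANY_TERMS = ["oracle", "mysql", "java", "orcl"]

# Constructed stand-in for a breach corpus: SHA-1 of a few passwords, stored upper-case hex.
# A real deployment loads hashes from a breach database instead of hashing literals.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["Password1!", "Qwerty123", "Summer2020!"]
}

# Horizontal rows of a US QWERTY keyboard (assumption: US layout)
KEYBOARD_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]

# Common character substitutions users apply to sneak a word past a filter
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> str:
    """Lower-case and undo leet-speak so '0racle' is compared as 'oracle'."""
    return password.lower().translate(LEET)


def company_terms_in(password: str, terms=COMPANY_TERMS) -> List[str]:
    """Return every blocklisted term that appears in the normalized password."""
    norm = normalize(password)
    return [t for t in terms if t in norm]


def keyboard_run(password: str, min_len: int = 4) -> Optional[str]:
    """Return the longest horizontal keyboard sequence of at least min_len adjacent
    keys (forward or reversed) found in the password, or None."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for length in range(len(seq), min_len - 1, -1):  # longest first
                for start in range(len(seq) - length + 1):
                    chunk = seq[start:start + length]
                    if chunk in low:
                        return chunk
    return None


def is_breached(password: str, corpus=BREACHED_SHA1) -> bool:
    """Check the password's SHA-1 against the breach set. Candidates are selected by
    the first five hex characters, then the remainder is compared locally, so the
    same code shape works against a range-style lookup that never sees the full hash."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in corpus if h.startswith(prefix)}
    return suffix in candidates


def evaluate(password: str) -> List[str]:
    """Return all policy findings for a candidate password; an empty list means accepted."""
    findings = []
    terms = company_terms_in(password)
    if terms:
        findings.append("contains company term(s): " + ", ".join(terms))
    run = keyboard_run(password)
    if run:
        findings.append("contains keyboard sequence: " + run)
    if is_breached(password):
        findings.append("appears in breach database")
    return findings


if __name__ == "__main__":
    for pw in ["0racle2020!", "Qwerty123", "m2RK&3sNrG&fcI"]:
        print(pw, "->", evaluate(pw) or ["accepted"])
```

The order of checks matters less than running all of them: ‘Qwerty123’ fails twice (a keyboard row and a breach hit) even though it satisfies a typical complexity policy, which is exactly the gap the prevention counts in the tables above reflect.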

There are several measures that can be implemented to address the challenges with password security. Multi-factor authentication is a great example. Other awesome examples are what you just read about in preventing known breached passwords, industry jargon, or keyboard character sequences.

ADVICE: Do a password analysis for your organization and get answers to these basic questions:

  1. How many enabled user accounts have passwords on a breach database?
  2. What is the age in days or years of passwords for enabled accounts?
  3. How many accounts share common passwords?

Once the issues are surfaced, develop a plan to fix them. For example, automate user notification for password changes if detected on a breach database. Next, we instruct users not to share or reuse passwords, so let’s fix service accounts or implement group managed service accounts.  Finally, if a password age is measured in years, is this acceptable to the business? Password analysis is a fantastic exercise and a proactive way to prevent being the next cyber-attack victim.
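As an added example of the password analysis advised above (this is not code from the original post or from a Stealthbits product), the block below answers the three questions over a constructed account export: how many enabled accounts have a password on the breach list, how old each enabled account’s password is, and which enabled accounts share a password. The account records, the made-up hash strings and the one-year staleness threshold are all assumptions for the illustration; the evaluation date is the one the post cites.

```python
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed account export: (account name, enabled?, password-hash hex, pwdLastSet).
# The hash values are made-up placeholders for whatever one-way hash the directory stores.
ACCOUNTS = [
    ("alice",      True,  "AAAA1111", datetime(2020, 6, 1, tzinfo=timezone.utc)),
    ("bob",        True,  "AAAA1111", datetime(2017, 3, 15, tzinfo=timezone.utc)),
    ("svc_backup", True,  "BBBB2222", datetime(2014, 1, 10, tzinfo=timezone.utc)),
    ("carol",      True,  "CCCC3333", datetime(2020, 8, 1, tzinfo=timezone.utc)),
    ("dave",       False, "BBBB2222", datetime(2016, 5, 5, tzinfo=timezone.utc)),
]

# Constructed: hashes known to correspond to passwords found in a breach database
BREACHED_HASHES = {"BBBB2222"}

# Date the post cites for the Canadian government attack, used as "today"
AS_OF = datetime(2020, 8, 17, tzinfo=timezone.utc)


def enabled_accounts(accounts=ACCOUNTS):
    """Disabled accounts cannot log on, so the analysis scopes to enabled ones."""
    return [a for a in accounts if a[1]]


def breached_enabled_count(accounts=ACCOUNTS, breached=BREACHED_HASHES) -> int:
    """Question 1: enabled accounts whose password hash is on the breach list."""
    return sum(1 for a in enabled_accounts(accounts) if a[2] in breached)


def password_age_days(accounts=ACCOUNTS, as_of=AS_OF) -> Dict[str, int]:
    """Question 2: password age in days for every enabled account."""
    return {a[0]: (as_of - a[3]).days for a in enabled_accounts(accounts)}


def shared_passwords(accounts=ACCOUNTS) -> Dict[str, List[str]]:
    """Question 3: groups of enabled accounts that share an identical password hash."""
    groups = defaultdict(list)
    for name, _, pw_hash, _ in enabled_accounts(accounts):
        groups[pw_hash].append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def stale_accounts(max_age_days: int = 365, accounts=ACCOUNTS, as_of=AS_OF) -> List[str]:
    """Enabled accounts whose password is older than the business is willing to accept
    (assumption: one year)."""
    ages = password_age_days(accounts, as_of)
    return sorted(name for name, age in ages.items() if age > max_age_days)


if __name__ == "__main__":
    print("enabled accounts with breached passwords:", breached_enabled_count())
    print("password age (days):", password_age_days())
    print("shared passwords:", shared_passwords())
    print("older than a year:", stale_accounts())
```

In this data the service account is the breached one and is also years stale, which is the combination the remediation plan above singles out (notify and rotate, or move the service to a group managed service account); the two users sharing ‘AAAA1111’ are the sharing problem the policy says is unenforceable by instruction alone but detectable by comparing hashes.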

Next Steps

Learn about Password Spraying and a multitude of other cyber-attacks. Learn how the attack works with a video tutorial and most importantly how to identify, mitigate, prevent, and recover if needed. (https://attack.stealthbits.com/)

Proper data security begins with a strong foundation. Find out what you’re standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure. (https://www.stealthbits.com/credential-data-security-assessment)

Password policy enforcement for Windows Active Directory providing password protection on-premises and in hybrid environments. (https://www.stealthbits.com/stealthintercept-enterprise-password-enforcer)
