A recent cyber-attack on the Canadian government succeeded because of a well-known attack technique, credential stuffing. If you’re not familiar with it, credential stuffing is simply taking username and password pairs from one breach and replaying them against a different organization’s login. It works because 62% of people reuse personal passwords on work systems.
News of this attack broke on Monday, August 17, 2020, and it highlights how real the cyber-attack risk is for every organization. The question victims ask themselves after an attack is, “Was this preventable?”
“The credentials used in the attack came from previous, non-government of Canada data breaches. They were effective because Canadians reused old passwords on government of Canada systems.” (Scott Jones, head of Canada’s Centre for Cyber Security)
When you look at guidance from the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST), a key recommendation from both is to check chosen passwords against lists of passwords that have appeared in public breaches, and to reject any that match.
- As an administrator, how do you know if any organizational passwords are contained in a list of stolen passwords? Can you prevent passwords from being used that are in a breach database?
- Can you audit existing passwords to ensure they are not part of a breach database?
A password that is in no breach database today can be in one tomorrow. Evaluate every password at creation (or change) and again whenever your breach database is updated: a password that was clean when first checked may show up later, which is why the check has to be continuous rather than a one-time gate.
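The following is an added example, not Stealthbits code, of the two checks just described: a creation-time gate and a re-check of already-accepted passwords after the breach corpus is updated. It uses the k-anonymity range scheme of Have I Been Pwned’s Pwned Passwords API (only the first five hex characters of the password’s SHA-1 are sent; the service answers with every matching 35-character suffix and a count). The breach corpus and the `range_lookup()` function are constructed stand-ins so the example runs offline; in production `range_lookup()` would issue `GET https://api.pwnedpasswords.com/range/<prefix>` or read a locally downloaded copy of the corpus.

```python
"""Added example (not Stealthbits code): k-anonymity breach check for a candidate
password, plus a re-audit of retained hashes after the corpus changes.  The corpus
below is constructed for the example; range_lookup() stands in for the HTTP call."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: plaintext -> times seen in breaches.
CONSTRUCTED_BREACH_CORPUS = {
    "Password1!": 1_250_000,
    "Agreement1!": 37,
    "qwerty123": 3_900_000,
    "Summer2020!": 812,
}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: dict) -> dict:
    """Index the corpus the way the range endpoint serves it:
    5-hex-char prefix -> ['SUFFIX:COUNT', ...] for every hash sharing that prefix."""
    index = defaultdict(list)
    for plaintext, count in corpus.items():
        digest = sha1_upper(plaintext)
        index[digest[:5]].append(f"{digest[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    Returns the response body: one 'SUFFIX:COUNT' line per matching hash."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly five hex characters")
    return "\n".join(RANGE_INDEX.get(prefix.upper(), []))


def breach_count_for_hash(sha1_hex: str, lookup=range_lookup) -> int:
    """Breach occurrences for a full SHA-1 hash, or 0 if it has never been seen.
    Only the prefix leaves the host; the suffix comparison happens locally."""
    digest = sha1_hex.upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def breach_count(password: str, lookup=range_lookup) -> int:
    return breach_count_for_hash(sha1_upper(password), lookup)


def password_allowed(password: str, lookup=range_lookup) -> bool:
    """Creation-time gate: reject anything that has appeared in a breach even once."""
    return breach_count(password, lookup) == 0


def recheck_stored_hashes(sha1_hashes, lookup=range_lookup) -> dict:
    """Re-audit previously accepted passwords after the corpus is updated.  Only
    SHA-1 hashes are retained for this, never plaintext, and that hash store must be
    protected as a secret in its own right.  Returns {hash: count} for hits."""
    flagged = {}
    for digest in sha1_hashes:
        count = breach_count_for_hash(digest, lookup)
        if count > 0:
            flagged[digest.upper()] = count
    return flagged
```

The same `breach_count_for_hash()` serves both moments the paragraph calls out: at creation it gates the new password, and after each corpus update `recheck_stored_hashes()` is run over the retained hashes so passwords that were clean when set are caught once they appear. For Active Directory the retained value would normally be the NT hash checked against an NT-hash breach list rather than SHA-1 via the range API; the control flow is identical.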
Back to the Basics
A password alone is not sufficient security.
Again, a password alone is not sufficient security.
The techniques used to compromise passwords are widely documented, so don’t be fooled by the math. An attacker who brute-forces a password does not try 8- or 9-character combinations at random; the attack is an informed one, driven by what people actually choose. Corpora of more than half a billion passwords recovered from breaches give researchers, and attackers, detailed insight into that behavior.
Most people believe that mixing upper case, lower case, numbers and symbols produces a complex, hard-to-guess password. What we have learned is that a “complex” user password looks far more like ‘Agreement1!’ than like ‘m2RK&3sNrG&fcI’. The problem is that humans satisfy complexity rules in predictable ways:
- A capital letter in the first position
- A symbol in the last position
- A digit in one of the last two positions
With this knowledge, a brute-force attack has a far smaller search space to cover: instead of every character class at every position, the attacker tries the handful of masks that real passwords follow. Simply stated, it makes passwords easier to guess.
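To make the search-space point concrete, here is an added example (not from the original post) that reduces a password to the hashcat-style mask an attacker would target and compares that mask’s keyspace with the full keyspace for the same length. The class sizes follow hashcat’s built-in charsets (?u=26, ?l=26, ?d=10, ?s=33 for space plus the 32 printable ASCII punctuation marks, ?a=95 for all printable ASCII); treating the post’s three habits as a fixed mask is the example’s own simplification of what a real mask or rule attack does.

```python
"""Added example (not from the original post): hashcat-style mask of a password,
the keyspace of that mask versus the full 95-character keyspace, and a check for
the three human habits the post lists."""
import string

CLASS_SIZES = {"u": 26, "l": 26, "d": 10, "s": 33, "a": 95}  # hashcat built-in charsets
SYMBOLS = set(string.punctuation) | {" "}                     # hashcat's ?s


def char_class(c: str) -> str:
    if c in string.ascii_uppercase:
        return "u"
    if c in string.ascii_lowercase:
        return "l"
    if c in string.digits:
        return "d"
    if c in SYMBOLS:
        return "s"
    return "a"  # anything else (non-ASCII): fall back to the full printable class


def password_mask(password: str) -> str:
    """'Agreement1!' -> '?u?l?l?l?l?l?l?l?l?d?s'"""
    return "".join("?" + char_class(c) for c in password)


def mask_classes(mask: str) -> list:
    return mask.split("?")[1:]


def mask_keyspace(mask: str) -> int:
    """Candidates an attacker must try if the mask is known."""
    n = 1
    for cls in mask_classes(mask):
        n *= CLASS_SIZES[cls]
    return n


def full_keyspace(length: int) -> int:
    """Candidates for a truly random printable-ASCII password of this length."""
    return 95 ** length


def human_patterns(password: str) -> dict:
    """The three habits from the post: leading capital, trailing symbol,
    and a digit in one of the last two positions."""
    classes = mask_classes(password_mask(password))
    return {
        "capital_first": bool(classes) and classes[0] == "u",
        "symbol_last": bool(classes) and classes[-1] == "s",
        "digit_in_last_two": "d" in classes[-2:],
    }


def reduction_factor(password: str) -> int:
    """How many times smaller the search becomes once the mask is known."""
    return full_keyspace(len(password)) // mask_keyspace(password_mask(password))
```

For ‘Agreement1!’ the mask keyspace is 26^9 · 10 · 33, roughly 1.8 × 10^15 candidates, against 95^11 (about 5.7 × 10^21) for a random 11-character password: the mask alone makes the search several million times smaller, before any dictionary or rule is applied. The 14-character random string ‘m2RK&3sNrG&fcI’ matches none of the three habits and its mask keyspace is four orders of magnitude larger.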
I’ve worked with several Stealthbits customers to understand common bad patterns they have detected among their user credentials. We’ve collectively learned there are three (3) key and consistent patterns across multiple vertical markets and geographic locations.
1. Company or Industry Terms are Popular When Creating Passwords
If you work at Oracle, should you be able to have a password containing Oracle, MySQL, Java, or ORCL (the stock symbol)? If you said no, I agree! If you said yes, consider this:
| Name | Passwords prevented | Time range |
|---|---|---|
| Customer 1 (90K users) | 30,048 | 236 days |
| Customer 2 (110K users) | 18,539 | 180 days |
| Customer 3 (22K users) | 1,688 | 60 days |
What does this mean?
Attackers also know that users pick passwords containing company and industry phrases, which lets them narrow the pool of candidate passwords and guess correctly sooner. The flip side is equally true: preventing the use of these terms removes a whole class of likely guesses and makes user passwords much harder to predict.
2. Horizontal Keyboard Patterns are Also Popular for Passwords
The least creative way to create a password is to run a finger along a row of keys. “QWERTY” is a perennial entry in “Top 5 Most Common Passwords” lists.
| Name | Passwords prevented | Time range |
|---|---|---|
| Customer 1 (90K users) | 21,896 | 236 days |
| Customer 2 (110K users) | 34,557 | 180 days |
| Customer 6 (85K users) | 23,241 | 120 days |
3. A Surprising Number of Passwords Users Try Show Up in a Breach Database
There is no technical way to stop a user from choosing their personal password at work. A policy can say that personal passwords must not be reused, but the directory cannot enforce that rule. What can be enforced is a block on passwords that already appear in a breach database, which catches a reused personal password whenever the breach it came from is in that database.
The Canadian government attack described at the start of this post could have been prevented by blocking known-breached passwords at change time or, at the very least, by auditing existing passwords against a breach database.
| Name | Passwords prevented | Time range |
|---|---|---|
| Customer 7 (55K users) | 18,577 | 240 days |
| Customer 2 (110K users) | 29,854 | 180 days |
| Customer 3 (22K users) | 7,002 | 60 days |
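The three sections above describe what a password filter has to reject. The following is an added example, not Stealthbits’ product code, of such a filter: it catches company and industry terms even when written with common character substitutions, horizontal keyboard walks in either direction, and passwords present in a breach list. The term list, keyboard rows, substitution map and breached set are all constructed for the example; the breached set stands in for a lookup against a real breach corpus.

```python
"""Added example (not Stealthbits code): a password filter for the three patterns the
post describes.  Term list, keyboard rows, leet map and breached set are constructed."""

COMPANY_TERMS = ["oracle", "mysql", "java", "orcl"]          # constructed, per the Oracle example
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
CONSTRUCTED_BREACHED = {"Password1!", "Summer2020!", "Welcome1"}  # exact-match breach list

# Common substitutions users apply to sneak a banned word past a filter.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lowercase and undo substitutions so 'Or4cl3#2020' still matches 'oracle'."""
    return password.lower().translate(LEET)


def company_terms_in(password: str, terms=COMPANY_TERMS) -> list:
    n = normalise(password)
    return [t for t in terms if t in n]


def keyboard_walks(password: str, min_len: int = 4) -> list:
    """Maximal runs of at least min_len adjacent keys from one row, forward or reversed."""
    p = password.lower()
    hits = set()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for start in range(len(seq) - min_len + 1):
                for end in range(start + min_len, len(seq) + 1):
                    chunk = seq[start:end]
                    if chunk in p:
                        hits.add(chunk)
    # Report only the longest walk; 'qwer' inside 'qwerty' is not a separate finding.
    return sorted(h for h in hits if not any(h != o and h in o for o in hits))


def evaluate(password: str, terms=COMPANY_TERMS, breached=CONSTRUCTED_BREACHED) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    violations = []
    for t in company_terms_in(password, terms):
        violations.append(f"contains company/industry term '{t}'")
    for w in keyboard_walks(password):
        violations.append(f"contains keyboard walk '{w}'")
    if password in breached:
        violations.append("found in breach database")
    return violations
```

Two design points worth noting. The term check runs on the normalised form, because ‘0racle’ or ‘Or4cl3’ is exactly how users respond to being told the plain word is banned. The breach check deliberately stays exact-match: breach corpora are keyed on the literal string (or its hash), and loosening that comparison would turn a precise control into a guess.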
Several measures address these weaknesses. Multi-factor authentication is the most important: with it, a reused password alone no longer gets an attacker in. The controls you just read about, blocking known-breached passwords, industry jargon and keyboard sequences, close off the guesses an attacker is most likely to try first.
ADVICE: Do a password analysis for your organization and get answers to these basic questions:
- How many enabled user accounts have passwords on a breach database?
- What is the age in days or years of passwords for enabled accounts?
- How many accounts share common passwords?
Once the issues are surfaced, develop a plan to fix them. For example, automate user notification and a forced change when a password is detected in a breach database. Next, since we instruct users not to share or reuse passwords, hold service accounts to the same standard: eliminate shared service-account passwords or move them to group Managed Service Accounts (gMSAs), whose passwords Active Directory rotates automatically. Finally, if a password age is measured in years, is that acceptable to the business? Password analysis is a fantastic exercise and a proactive way to avoid being the next cyber-attack victim.
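The following is an added example, not the post’s own tooling, that answers the three audit questions above over a constructed set of account records. Real input would come from Active Directory (the `enabled` flag from `userAccountControl`, `pwdLastSet`, and the NT hash from a directory export); here each record carries a SHA-1 of a constructed password as a stand-in for the NT hash, since the grouping logic does not depend on the hash algorithm. The breach list is likewise a constructed set of hashes. Shared passwords are found by grouping on the hash, so no plaintext is ever needed.

```python
"""Added example (not from the original post): answer the three audit questions
(accounts on a breach list, password age, shared passwords) over constructed records.
SHA-1 of a constructed password stands in for the NT hash stored by AD."""
import hashlib
from collections import defaultdict
from datetime import date


def stand_in_hash(password: str) -> str:
    # Stand-in for the NT hash an AD export would supply.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


ACCOUNTS = [  # constructed sample records
    {"sam": "alice",      "enabled": True,  "pwd_last_set": date(2017, 3, 1),  "hash": stand_in_hash("Summer2017!")},
    {"sam": "bob",        "enabled": True,  "pwd_last_set": date(2020, 6, 15), "hash": stand_in_hash("Qwerty123!")},
    {"sam": "carol",      "enabled": True,  "pwd_last_set": date(2020, 7, 2),  "hash": stand_in_hash("Summer2017!")},
    {"sam": "svc_backup", "enabled": True,  "pwd_last_set": date(2014, 1, 9),  "hash": stand_in_hash("Backup2014")},
    {"sam": "dave_old",   "enabled": False, "pwd_last_set": date(2015, 5, 5),  "hash": stand_in_hash("Qwerty123!")},
]

# Constructed breach list, already in hashed form as a real NT-hash list would be.
BREACHED_HASHES = {stand_in_hash("Qwerty123!"), stand_in_hash("Password1")}


def enabled_accounts(accounts: list) -> list:
    """Disabled accounts cannot be used to log in, so the questions apply to enabled ones."""
    return [a for a in accounts if a["enabled"]]


def accounts_on_breach_list(accounts: list, breached=BREACHED_HASHES) -> list:
    """Q1: which enabled accounts have a password found in the breach list?"""
    return sorted(a["sam"] for a in enabled_accounts(accounts) if a["hash"] in breached)


def password_age_days(account: dict, today: date) -> int:
    """Q2: password age, from pwdLastSet to the audit date."""
    return (today - account["pwd_last_set"]).days


def stale_passwords(accounts: list, today: date, max_age_days: int = 365) -> list:
    """Enabled accounts whose password is older than the threshold, as (sam, age) pairs."""
    return sorted((a["sam"], password_age_days(a, today))
                  for a in enabled_accounts(accounts)
                  if password_age_days(a, today) > max_age_days)


def shared_passwords(accounts: list) -> list:
    """Q3: groups of enabled accounts that share one password, found by hash equality."""
    groups = defaultdict(list)
    for a in enabled_accounts(accounts):
        groups[a["hash"]].append(a["sam"])
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    audit_date = date(2020, 8, 17)
    print("on breach list:", accounts_on_breach_list(ACCOUNTS))
    print("older than a year:", stale_passwords(ACCOUNTS, audit_date))
    print("shared:", shared_passwords(ACCOUNTS))
```

Each question maps to one function so the results can feed the remediation plan directly: the breach-list hits get a forced change, the stale service account is the gMSA candidate, and the shared-password group shows two users who either share a password deliberately or independently chose the same predictable one.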
Learn about Password Spraying and a multitude of other cyber-attacks. Learn how the attack works with a video tutorial and most importantly how to identify, mitigate, prevent, and recover if needed. (https://attack.stealthbits.com/)
Proper data security begins with a strong foundation. Find out what you’re standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure. (https://www.stealthbits.com/credential-data-security-assessment)
Password policy enforcement for Windows Active Directory providing password protection on-premises and in hybrid environments. (https://www.stealthbits.com/stealthintercept-enterprise-password-enforcer)
Rod Simmons is VP of Product Strategy at Stealthbits Technologies responsible for the vision and strategy of their Active Directory Management and Security solutions. Rod has been in the technology space for over 20 years.
Prior to joining Stealthbits, he served as Director of Product Management at BeyondTrust responsible for the Privileged Access Management products. He has also held positions leading Solution Architects and Product Managers at Quest Software and Netpro Computing Inc.