What’s The Problem?
Today, with the Internet, social media, personal computers, online banking and everything else that exists, end-users need to create and maintain a large number of usernames and passwords for all of the accounts they have. This begins to create a problem. The many accounts we need to remember leads us to want to share passwords between different platforms, potentially including our work accounts. This is just one of the few contributors to the many password problems that exist today.
Unfortunately, there’s no native way for a company to enforce that the password an end-user is using is unique to that account. Password complexity rules can only ensure that the password set in Active Directory is ‘complex’, but by no means was it not utilized with one of their personal accounts.
Beyond sharing passwords between work and personal accounts, administrators may end up sharing passwords within their Active Directory environment. There have been plenty of times I was engaged with a customer assessing the password hygiene of their environment where we identified a user, “UserA”, was sharing a password between their ”UserA” account and their “UserA-adm” account. This is obviously a major concern. If someone were to get a hold of the non-admin account’s password, they could eventually find out through some reconnaissance that UserA has an admin account. They would try to gain access to that account as well.
Sharing passwords between shared mailbox accounts and meeting rooms is potentially less of an issue, but still a concern and something I’ve come across. Everyone needs to know the passwords to these accounts. Having them all shared makes it easier on the end-user, but what if, due to some poorly configured AD permissions, one of these accounts had access to do something they shouldn’t? Sharing passwords between these accounts gives an attacker a much larger attack vector. This is something we should be trying to nip in the bud.
While shared passwords are definitely a major concern, and are just as likely to end up in an attacker’s password dictionary from another platform that was breached, weak passwords are just as concerning. Password complexity rules only allow you to prevent so much. Enforcing length, character types (i.e. uppercase and lowercase letters, numbers, and symbols) and reuse can only take you so far. Preventing a user from using things that are easily guessed (e.g. their name, repeating characters, and patterns) is a huge part of cleaning up the password problem that may exist in your environment.
The latest special publication 800-63B has an appendix devoted to the ‘Strength of Memorized Secrets’. These guidelines seem to contradict a lot of what we previously deemed necessary for good password hygiene. I will summarize my interpretation of the appendix below:
- Compare passwords against previous breaches
- Extremely complex passwords are not as effective as we thought
- Measures to prevent brute force attempts (rate-limiting) are more effective than complex and long passwords
- Users are encouraged to use ‘passphrases’, which means a large length and all special characters (including spaces) should be allowed
- Complexity rules force users to behave predictably (e.g. ‘password’ becomes ‘Password1!’)
- Prevent specific words such as the company name, the end-users name, etc.
These changes to NIST guidelines are pretty big, especially because they’re recommending the comparison against previous breach dictionaries and implementation of rate-limiting policies to prevent brute force attacks.
Types of Password Attacks
There are plenty of ways an attacker can try to ‘attack’ your credentials. Most, if not all, of these vectors, can be locked down to an extent with proper training and security measures.
- Social Engineering – Phishing and other social engineering attacks are the primary sources of an attacker getting into your environment. A chain is only as strong as its weakest link, and that weakest link is one of your end-users. Proper training on phishing and other social engineering attacks will go a long way with your end-users.
- WDigest – Disabling WDigest across your environment to prevent plaintext passwords from being stored in memory is a big step in the right direction. If an attacker is able to get on a machine with local admin privileges, giving them the plaintext password along with a hash in memory will become much more dangerous as they’ll now have access to any interactive logon portals exposed in your environment.
- DCSync – Leveraging Active Directory permissions to perform a DCSync is one way an attacker can compromise credentials from your environment. Ensuring that only the necessary accounts have the capability to replicate your domain is an effective measure against DCSync attacks.
- Password Spraying – Password spraying attacks are a type of brute-force attack. Attackers use them to guess the passwords of user accounts in your environment. Rate-limiting policies will help prevent or slow down the success of a password spraying attack.
STEALTHbits has a few solutions that can help you understand and improve the state of your environments password hygiene. There are two products I will be covering that will assist in these efforts:
As its name suggests, if you’re not familiar with StealthAUDIT, it’s a tool used to audit the current state of various parts of your environment. StealthAUDIT for Active Directory has a job that will identify weak passwords, shared passwords, and passwords stored with weak or reversible encryption. A weak password is one that was identified to be found in our dictionary of compromised plaintext passwords. This list is curated from various sources on the internet. Identifying these accounts and notifying or enforcing a password reset with a customized workflow is a surefire way to prevent various credential-based attacks.
In the upcoming StealthAUDIT release, we have plans to drastically enhance the weak password jobs capability to be customized. Our new data collector will easily allow an end-user to specify a dictionary they want to use to compare passwords against. This includes one as large as the ‘Have I Been Pwned’ 18GB breach dictionary. The new data collector will support sorted and unsorted NTLM hash dictionaries as well as plaintext password lists. This allows you to meet the NIST guideline to check current passwords against previous data breach dictionaries.
StealthINTERCEPT’s Enterprise Password Enforcer allows an organization to enforce more targeted password policies. Being able to enforce policies that go beyond native Active Directory group policies can help meet the NIST guidelines. EPE allows you to prevent passwords found in our STEALTHbits password dictionary. This can further your efforts of preventing weak, compromised passwords from being set. Beyond that, EPE allows you to create specific rules for passwords being set. Some of those rules include components found in the NIST guidelines, such as disallowing a username in the password, blocking repeating patterns (e.g. aaa, 111), blocking sequential characters (e.g. qwerty), blocking specific text (e.g. stealth or your companies name). See the screenshot below for all the configurable rules in EPE.
Preventing Password Plights
To recap, there are a few problems with passwords, and most of them involve the difficulty an end-user has in remembering all of their credentials and information across various platforms, including Active Directory. Weak passwords, shared passwords, and previously breached passwords are all major concerns when it comes to problems with passwords. Beyond those problems, there are various types of attacks a malicious actor may take against you or your end-users to try and compromise credentials. This ranges from a simple social engineering attack all the way to a DCSync. Implementing measures to secure your credentials is pertinent to the security posture of your organization. Going beyond, and working hand-in-hand with some of those measures, comes StealthAUDIT for Active Directory and StealthINTERCEPT Enterprise Password Enforcer. Using both of these tools to identify and prevent weak, compromised passwords from being set in your environment can help stop attackers using dictionary-based attacks in their tracks.
Kevin Joyce is a Senior Technical Product Manager at Stealthbits Technologies. He is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Kevin is passionate about cyber-security and holds a Bachelor of Science degree in Digital Forensics from Bloomsburg University of Pennsylvania.