Passwords are everywhere in a company: you need them to manage access control to resources, accounts and systems. The requirements for managing passwords are usually expressed as complexity rules and a policy. Both criteria are meant to ensure the quality and strength of the password, and therefore the security of the protected resources… but do they really, in practice?
A weak password matching a “strong” policy
During our audits, we frequently find weak passwords even though the policy looks strong enough. For example, it is quite common to find the company name (or references to its products) in passwords. Since an attacker knows this kind of public information, it helps her crack them.
About 50% of the passwords found in our audits follow a common pattern: a string starting with a capital letter, followed by some digits (usually the current or previous year) and ending with a special character, usually an exclamation mark. “Excellium2017!”, for example, combines both of the previous points.
If the expiration period is too short, users get frustrated and weaken their passwords so that they can remember them. “August2018” is an example of a common pattern we find: it is easy to remember and to update regularly. On the other hand, if there is no expiration, users will not change their passwords at all.
How to secure the passwords in your systems
If you develop custom applications that use passwords, you need to be careful when choosing how the passwords will be managed. Be sure to store them securely (with a state-of-the-art hashing algorithm, using salting…); OWASP provides a complete Cheat Sheet to help implement password storage as securely as possible [1].
For applications as well as for system access such as Active Directory, a password policy is a requirement for security but a pain for everyone. The policy defines constraints on length, on the character set to use, on expiration, and also on the use of a history. If it is too permissive, users will be able to use bad passwords, and they will. However, if it is too severe, users will find a way to match it and still have a bad password.
For an Active Directory environment, a Password Filter [2] provides an easy way to implement a custom password policy. For applications, it is best to leverage a common authentication system, but sometimes the software cannot (or should not) be linked to a central repository. In that case, you will either need to customize the code to implement your rules or look for configuration options that match the general company policy.
One way to defeat the use of common words in passwords is to use a dictionary to identify these words during password updates. It is possible to store a list of the most common passwords and use it as a ban list, and to forbid the use of the company name in passwords. However, this must be done carefully, and you have to communicate clearly about the rules. If users get too many errors when creating their passwords, they will be frustrated and will lower the security to match the requirements. Some users resort to extreme methods to reach their ends: one of our audits showed that a user changed her password 15 times to fill the password history and then set back the original one. Password policies may also define a minimum password age before a password can be changed again, to avoid this kind of misbehavior.
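The check described above, as an added example (not code from a Password Filter or from any product): a candidate password is normalised by reversing the usual look-alike substitutions before it is compared against a ban list of company terms and common passwords, and the "capitalised word, digits, trailing symbol" shape from our audits is flagged as well. The ban list, the look-alike map and the minimum length are constructed assumptions for this example.

```python
import re
from datetime import date
from typing import List, Optional

# Constructed ban list: company/product names plus a few of the most common passwords
BANNED_WORDS = {"excellium", "password", "welcome", "qwerty", "123456"}

# Reverse the usual look-alike substitutions so "P@ssw0rd" and "3xce11ium" still match
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "8": "b", "@": "a", "$": "s", "!": "i"})

# The audit pattern: capitalised word, digits (often a year), optional trailing symbol
COMMON_SHAPE = re.compile(r"^[A-Z][a-z]+\d{2,4}[^A-Za-z0-9]?$")
YEAR = re.compile(r"(19|20)\d{2}")


def normalise(password: str) -> str:
    return password.lower().translate(LEET_MAP)


def check_password(candidate: str, min_length: int = 12,
                   last_changed: Optional[date] = None, min_age_days: int = 1) -> List[str]:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    # compare both the raw lowercase form and the de-obfuscated form against the ban list
    haystacks = (candidate.lower(), normalise(candidate))
    for word in sorted(BANNED_WORDS):
        if any(word in h for h in haystacks):
            problems.append(f"contains banned word '{word}'")
    if COMMON_SHAPE.match(candidate):
        problems.append("follows the Word+digits+symbol pattern")
    if YEAR.search(candidate):
        problems.append("contains a year")
    # minimum password age: defeats cycling through the history to reuse the old password
    if last_changed is not None and (date.today() - last_changed).days < min_age_days:
        problems.append("changed too recently (minimum password age)")
    return problems


if __name__ == "__main__":
    for pw in ("Excellium2017!", "P@ssw0rd", "3xce11ium#Rocks", "correct-horse-battery-staple-9"):
        print(pw, "->", check_password(pw) or "OK")
```

Reporting every violation at once, rather than one error per attempt, is what keeps the error count (and the user frustration) low.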
Methods used for password auditing
The goal of a password audit is to provide an overview of the real security level of the passwords used in your systems. The most common audit is the Active Directory one: the list of NTLM hashes can be extracted from the Domain Controller, and then multiple techniques can be used to recover the passwords.
The “dictionary attack” is the most efficient method, as it is based on a list of common passwords or words related to the company. To enlarge the password list, derivations can be added to the process. For example, it is common to replace letters with look-alike characters: a user may start from the word “password” and modify it to “P@ssw0rd”, or “excellium” to “3xce11um”. These behaviors are well known, and derivation rules therefore decrease the recovery time.
This audit provides valuable statistics on the cracked passwords, such as their length, robustness or uniqueness. The identification of common patterns or of the company name is useful information about how employees understand the policy and weigh the risks. Based on the results of the assessment, it is possible to review and enhance password security through the password policy, but also through user awareness training. Training allows employees to understand what is at stake and how to create a truly strong password.
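As an added example of the reporting step (written for this post, not taken from any cracking tool), the following summarises a constructed cracking run into the figures mentioned above: recovery rate, length, use of the company name (including look-alike spellings), the common Word+digits+symbol shape, and passwords shared between accounts. The account list and the company terms are constructed sample data.

```python
import re
from collections import Counter
from statistics import mean
from typing import Dict, List, Optional, Tuple

COMPANY_TERMS = ("excellium",)   # assumption: name/product terms of the audited company
COMMON_SHAPE = re.compile(r"^[A-Z][a-z]+\d{2,4}[^A-Za-z0-9]?$")
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed cracking output: (account, recovered password, or None if not recovered)
RESULTS: List[Tuple[str, Optional[str]]] = [
    ("alice", "Excellium2017!"), ("bob", "Summer2018!"), ("carol", "3xce11ium!"),
    ("dave", None), ("erin", "Summer2018!"), ("frank", "correct-horse-battery-9"),
    ("grace", None), ("heidi", "August2018"),
]


def uses_company_term(password: str) -> bool:
    """True if the company name appears, even spelled with look-alike characters."""
    return any(t in password.lower().translate(LEET_MAP) for t in COMPANY_TERMS)


def audit_stats(results, min_length: int = 12) -> Dict[str, float]:
    """Summarise a cracking run into the figures reported in the audit."""
    cracked = [p for _, p in results if p is not None]
    shared = Counter(cracked)
    return {
        "accounts": len(results),
        "cracked": len(cracked),
        "cracked_pct": round(100 * len(cracked) / len(results), 1),
        "avg_length": round(mean(len(p) for p in cracked), 1) if cracked else 0.0,
        "below_min_length": sum(len(p) < min_length for p in cracked),
        "company_name": sum(uses_company_term(p) for p in cracked),
        "common_shape": sum(bool(COMMON_SHAPE.match(p)) for p in cracked),
        "shared_password": sum(n for n in shared.values() if n > 1),
    }


def accounts_sharing(results) -> Dict[str, List[str]]:
    """Map each password used by more than one account to those accounts, for follow-up."""
    by_pw: Dict[str, List[str]] = {}
    for account, pw in results:
        if pw is not None:
            by_pw.setdefault(pw, []).append(account)
    return {pw: accs for pw, accs in by_pw.items() if len(accs) > 1}


if __name__ == "__main__":
    print(audit_stats(RESULTS))
    print(accounts_sharing(RESULTS))
```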
Conclusion
Even if multi-factor authentication is becoming more popular and more widely implemented, passwords remain, most of the time, the only means used to authenticate users. Coveted by attackers since they are a key to everything, they should therefore be handled securely.
A password audit gives an effective measure of the security of the passwords and of the possible password policy improvements. However, weak passwords cannot easily be solved by a technical countermeasure alone: it requires both policy hardening and user awareness. To change users' perception of what a good password is, you have to explain to them what weakens the security of their passwords. They are often very involved in such training, as it also applies to their personal digital life outside the work environment.