System and security administrators and information system auditors are often faced with the task of providing an adequate level of IT assurance for their own enterprises or those of their clients. This daunting challenge has become a high-profile endeavor as enterprises of all sizes find themselves on the front lines defending against multiple threat events, including improved ransomware, attacks against personally identifiable information (PII) and intellectual property, and even nation-state-sponsored global cyberwarfare.
In all these threat scenarios, the most common technical attack method is defeating credentials and authentication mechanisms, which is the easiest way to perpetrate a successful breach. Critical patching, solid segmentation and boundary controls, and intrusion prevention are all essential controls. But with a set of stolen credentials or bypassed authentication, a validated user on the system can sidestep these and many other security safeguards. Based on thousands of penetration tests, it has been demonstrated that at least one set of credentials (and usually more) can be compromised in approximately 75 percent of engagements. The Twitter breach of 2020 is currently being examined. According to Twitter, “The attackers successfully manipulated a small number of employees and used their credentials to access Twitter’s internal systems, including getting through our two-factor protections.”1 Verizon’s 2020 Data Breach Investigations Report states, “Criminals are clearly in love with credentials, and why not since they make their jobs much easier?”2
Penetration testers’ perspective on the password problem is more offense-oriented than the typical risk management mindset of systems administrators, security engineers or IT auditors. Penetration testers are not experts at planning, building or managing password solutions, but they are experts at defeating identification, authentication and access controls. By examining password security from an attacker’s perspective, effective solutions can be devised to frustrate professional hackers.
Password Policies Are Tough to Manage
The requirements of password policies can be daunting, especially if they demand long, complex passwords with frequent changes. Some of these requirements are so demanding that they can result in weakened security, as users choose passwords that are easy to remember (and thus guess) and then store them insecurely (leaving them vulnerable to theft).
For users, the ideal password is easy to remember (or to otherwise access) and easy to type. For support personnel, the ideal password is one that generates few help desk calls. But for security personnel, the ideal password is hard to crack, hard to guess and augmented by two-factor authentication (2FA), and all passwords must be securely encrypted in transit and either encrypted or hashed at rest.
What Makes a Password Strong?
Consider the following password: 1Ns@n3Pw. This password is eight characters long and contains plenty of character substitutions that make it complex. But in spite of its complexity, this is not a strong password. The typical US keyboard has 95 characters (uppercase letters, lowercase letters, numbers and special characters, including space). Thus, a one-character password would require up to 95 guesses to find the cleartext password, a two-character password would require up to 95^2 (95 × 95) guesses and so forth. An eight-character password, like the example provided, would require up to 95^8 guesses to crack.3 Although 95^8 is a large number, modern hackers can employ password attack tools on specialized hardware that can make up to one trillion guesses per second.4 Even at a rate of 800 billion attempts per second, an eight-character password, protected with typical Active Directory password database hashing, would take only 2.3 hours to crack.
One of the best ways to make a password strong is to make it long—15 characters or more—plus add some complexity so that it is also hard to guess. For example, P@ssw0rdP@ssw0rd is 16 characters long and would not be in a hacker’s top 10 guesses, but it would still be too easy for a cracking computer to “guess” when supplied with the valid password hash. In contrast, consider the following passphrase: We use l0ng passphrases. This password is 24 characters long and contains a numerical substitution and several special characters (spaces and a period). This password, safely stored within the enterprise’s Windows Active Directory domain, would require up to 95^24 guesses to crack. At an offline attack rate of 800 billion guesses per second, it would take up to 1.3 × 10^28 years to exhaust the entire 95-character key space and crack the password. (By comparison, the estimated age of the universe is only 1 × 10^10 years.)
Even better than a passphrase is a long, pseudorandom string of characters generated by a password management application such as LastPass, Keeper or KeePass. At most (in the absence of token-based or biometric authentication), a typical end user should have to remember only three passwords:
- A long, unique, difficult-to-guess passphrase to decrypt the computer’s drive
- A long, unique, difficult-to-guess passphrase to log in to the initial primary user account
- A long, unique, difficult-to-guess passphrase to log in to the password manager
All other credentials should be long, pseudorandom strings autogenerated by a password manager.
Even better than a pseudorandom string generated by a password manager is augmenting that password with multi-factor authentication (MFA). This usually takes the form of 2FA, which combines the password one knows with something one is (e.g., a retinal or fingerprint pattern) or something one possesses (e.g., a phone or a fob). A secret question is not considered a form of 2FA because it is merely one more thing one knows and not something one is or possesses.
Defeating Password Controls
Attackers have a plethora of tools for defeating passwords. Some of the most common techniques hackers employ to capture credentials include finding, intercepting, cracking, guessing, passing, relaying, requesting and bypassing 2FA. Before examining these techniques, some common terms should be defined.
Symmetric Encryption
Symmetric encryption is a mathematically proven means whereby a specified cryptographic key and algorithm are used to transform a piece of plaintext data into a seemingly unintelligible state, also known as ciphertext. Unlike hashing, this transformation process is reversible, provided the cryptographic key used for the original encryption is available. Encryption is used when the confidentiality of the plaintext needs to be protected and the contents retrieved later.
Hashing
A hashing function will transform plaintext into unintelligible output using a specified algorithm. When a hashing algorithm is properly implemented, there is a one-to-one match between cleartext input and hashed output. Unlike encryption, hashing is intended to be a one-way mathematical function; by design, there is no cryptographic key that can be used to retrieve the original cleartext form. This makes hashing a logical choice for storing passwords. When attempting to log in to a system, the provided password simply needs to be hashed using the same algorithm and compared with what is stored.
Hash Cracking
Hash cracking is the process of attempting to find the cleartext input that resulted in the hashed value. This takes advantage of the fact that hashing needs to have a one-to-one match between any given input and output. Attackers use dedicated dictionaries containing millions of cleartext inputs when attempting to “guess” the current cleartext value.
Salt
Salt is an additional piece of information incorporated into modern hashing algorithms. Over time, attackers have built large look-up dictionaries known as “rainbow tables” that contain precomputed values for millions of cleartext inputs and hashed outputs. To combat rainbow tables and increase the computational difficulty of cracking hashes, a salt can be added.
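The hashing, cracking and salt definitions above, as an added worked example that is not part of the original article: an unsalted digest is recovered from a constructed mini look-up table, while a salted, iterated PBKDF2 record (storage format assumed here, not a standard) gives two users with the same password different records that no precomputed table contains.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed mini "rainbow table": precomputed unsalted SHA-256 digests for a
# tiny wordlist. Real tables hold millions of entries; the mechanism is identical.
WORDLIST = ["password", "Passw0rd", "Springtime2021", "1Ns@n3Pw", "letmein"]
UNSALTED_TABLE = {hashlib.sha256(w.encode()).hexdigest(): w for w in WORDLIST}

# Assumed on-disk record format (not a standard): iterations$salt_hex$digest_hex
FIELD_SEP = "$"


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 of the password. With no salt the digest is deterministic,
    so every account sharing a password gets the same digest and one
    precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """Rainbow-table style recovery: map a digest back to plaintext by lookup."""
    return UNSALTED_TABLE.get(digest)


def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a per-password random 16-byte salt.
    The salt defeats precomputation; the iteration count slows each guess."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return FIELD_SEP.join([str(iterations), salt.hex(), digest.hex()])


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    iterations, salt_hex, digest_hex = stored.split(FIELD_SEP)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def table_attack_works(password: str) -> bool:
    """True when the precomputed table recovers the password from its
    unsalted digest."""
    return lookup_unsalted(hash_unsalted(password)) == password


if __name__ == "__main__":
    pw = "Springtime2021"
    print("unsalted digest recovered by table lookup:", table_attack_works(pw))
    rec_a, rec_b = hash_salted(pw), hash_salted(pw)
    print("two users, same password, identical salted records?", rec_a == rec_b)
    print("verify correct:", verify_salted(pw, rec_a),
          "| verify wrong:", verify_salted("springtime2021", rec_a))
```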
Finding Passwords
Finding passwords can be hit or miss for attackers, but success happens more often than one might expect. Attackers commonly look for weakly protected credentials stored in Internet information services (IIS) webserver web.config and application .ini files, operating system memory, and web browsers’ autocomplete history or password manager and hard-coded in applications. These locations are becoming less common as developers adopt secure coding practices, but the sheer volume of older code with passwords in cleartext is still staggering.
Common end-user password storage targets include Word and Excel files, email inboxes and sent boxes, and even sticky notes. Many people still have not migrated to password managers and use the old-school Excel spreadsheet storage method. An attacker who gains even the most limited privileges on a domain can often perform fruitful searches for filenames such as “password” and “confidential,” and the amount of sensitive information stored in email inboxes and sent boxes never ceases to amaze penetration test teams. One successful phishing attack that results in credentials that grant email access can yield a treasure trove of sensitive information at rest (even if the email was encrypted during transmission), typically including large amounts of PII, protected health information (PHI) or credit card data, and sometimes even new passwords to additional systems.
Intercepting Credentials
Credentials are constantly in motion across wires and airwaves and between users, servers and services. The two most common ways of intercepting passwords are gaining a “man in the middle” (MiTM) position and exploiting promiscuous protocols.
A typical example of establishing an MiTM position is poisoning Address Resolution Protocol (ARP) tables in a network switching device. By poisoning the switch’s ARP table and getting it to forward traffic to an unauthorized port (it is ultimately forwarded to its intended destination, so no one is the wiser), a hacker can wait patiently for a password hash to come across the wire, then pull that hash offline for cracking attempts. In the age of working from home or on the road, every untrusted network (e.g., airport, hotel or even home Wi-Fi) has the potential to expose the enterprise to risk from MiTM attacks. And if the captured password hash is for a password that is fewer than 15 characters or otherwise easy to guess, it is susceptible to cracking. In addition, MiTM attacks reveal passwords, PII and credit card data moving across the wire in cleartext. All enterprises should make it a priority to retire any applications that do not support encrypted browser, tunnel or file transfer services.
Promiscuous protocols are those that “blurt out” too much information, often including password hashes. These protocols are an odd mix of old 20th century protocols (e.g., Network Basic Input/Output System–Name Service [NetBIOS-NS], Windows Proxy Auto Detect [WPAD]) that were not designed with security in mind and newer protocols (e.g., Internet Protocol Version 6 [IPv6], Link-Local Multicast Name Resolution [LLMNR], Multicast Domain Name System [MDNS]) that suffer from vulnerable default configurations. Regardless of the vintage of the protocol, a promiscuous one that can be tricked into sending a password hash to an unvetted recipient can result in a breach if the original password is not long enough and is not difficult to guess.
Cracking Password Hashes
Typical credential interception involves capturing password hashes, not cleartext passwords. An attacker who harvests a password hash can take it offline for cracking. Given the ability to make 800 billion guesses per second and the availability of password dictionaries, this is often an attacker’s quickest and easiest route to defeating the weakest subset of passwords.
An alternative cracking method involves exhausting all possible combinations of characters by brute force, which provides a comprehensive defeat of all shorter passwords. This technique can be used with an eight-character password (such as the previous example), which would require only a few hours to crack, regardless of complexity.
In addition, for common hashing types that do not employ a unique salt value (additional random bits), attackers can use rainbow tables. However, sufficient salting in the hashing algorithm, as well as sufficient password length, can defeat rainbow table attacks. If a password is long enough, it is simply such a large key space that the storage and look-up time becomes unfeasible. For example, in early 2020, rainbow tables for the entire nine-character key space using the Windows New Technology Local Area Network (LAN) Manager (NTLM) hashing algorithm were rereleased and occupy 6.7 terabytes of storage.5
Guessing Passwords
Hackers faced with an otherwise secure web application with no obvious platform, patch or configuration vulnerabilities; with code that adequately protects against injection and scripting attacks; and with strong account access and lockout controls may get serious about password guessing.
Attackers can circumvent password lockout policies by attempting to log in using just one or a few simple passwords but attempting to do so with many different usernames. This type of guessing attack is often referred to as password spraying. The attackers arm themselves with username password databases and a handful of common passwords that may meet length and complexity requirements but are still easily guessed (e.g., Companyname123, Springtime2021, Passw0rd12345!). The attacker chooses one of these common passwords and attempts to log in with tens of thousands of potential usernames using census data and the enterprise’s username schema. It does not matter that most of these usernames are not valid; the attacker is looking for the handful that the application recognizes as valid. And out of that handful of valid usernames, the hacker is seeking the one that is using that common weak password. If the attacker has no luck with Passw0rd12345! on the first try, the attacker just waits a while (allowing the login-attempt counter to reset), picks another password, such as Springtime2021, and makes another 30,000 to 40,000 login attempts until that combination of valid username and weak password results in success.
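The spraying pattern described above has a distinctive shape in authentication logs, which is the defender's angle on it. The following is an added example, not code from the original article: a small detector run over constructed log lines (the line format is assumed) that labels a source as spraying when its failures touch many distinct usernames only once or twice each inside a window, exactly the pattern a per-account lockout counter never sees, and distinguishes it from a brute-force attack on a single account.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed line format:
#   <ISO-8601 UTC timestamp> <FAIL|OK> src=<ip> user=<name>
SAMPLE_LOG = (
    # one source, one guess each against many usernames: password spraying
    [f"2021-03-02T09:{i:02d}:10Z FAIL src=203.0.113.7 user=user{i:02d}"
     for i in range(12)]
    # one source hammering a single account: classic brute force
    + [f"2021-03-02T09:{i:02d}:30Z FAIL src=198.51.100.9 user=admin"
       for i in range(8)]
    # a legitimate user who mistyped once and then succeeded
    + ["2021-03-02T09:05:00Z FAIL src=192.0.2.5 user=alice",
       "2021-03-02T09:05:20Z OK src=192.0.2.5 user=alice"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) src=(?P<src>\S+) user=(?P<user>\S+)$")


def parse_events(lines):
    """Turn raw lines into (timestamp, result, source, user) tuples sorted by
    time, skipping anything that does not match the expected format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["result"], m["src"], m["user"]))
    return sorted(events)


def classify_sources(events, window=timedelta(minutes=30),
                     spray_min_users=10, spray_max_per_user=2,
                     brute_min_failures=5):
    """Label each source IP by the shape of its failed logins inside a sliding
    window. Spraying: many distinct usernames, each failing only a few times.
    Brute force: many failures concentrated on one username. Sources that
    match neither pattern (such as a single typo) are not reported."""
    fails_by_src = defaultdict(list)
    for ts, result, src, user in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))

    verdicts = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # advance the window start until it spans at most `window`
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = Counter(u for _, u in fails[start:end + 1])
            if (len(counts) >= spray_min_users
                    and max(counts.values()) <= spray_max_per_user):
                verdicts[src] = "password_spray"
                break
            if max(counts.values()) >= brute_min_failures:
                verdicts[src] = "brute_force"
                break
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{src}: {verdict}")
```

Because sprayers wait for the lockout counter to reset and come back with the next password, widen the window (hours or days) when running this over real logs rather than the 30-minute default used here.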
Passing or Relaying Password Hashes
The technical details of an attacker’s array of password hash passing and relaying techniques are complex. The Windows NTLM hashing algorithm is susceptible to the notorious pass-the-hash attack, wherein the hash can be passed by a malicious actor who intercepted it and then used by the attacker as if the attacker possessed the cleartext password. Newer network-based Windows authentication algorithms such as Net-NTLM hashes make use of a one-time challenge. However, if message signing is not both enabled and required by every host in the domain, these challenges can be relayed by attackers. Message signing protects the integrity of each packet, and if the packet has been altered, it is dropped by the recipient host. Current relaying attacks often involve more circuitous cross-protocol relays that use not just the file-sharing protocol Server Message Block (SMB) but also Lightweight Directory Access Protocol (LDAP), Hypertext Transfer Protocol (HTTP), Microsoft Structured Query Language (MS SQL) and any other protocol that supports Windows Net-NTLM authentication. Permitting only Kerberos authentication is one of the best security controls an enterprise can implement, although it can be difficult and time consuming and is not immune to attack itself.
Requesting Passwords
Social engineering is a low-tech way to harvest credentials, but it is often one of the most effective. Penetration test teams have successfully harvested more than 10,000 employee username-password pairs through social engineering in the past 20 years, using a combination of telephone calls, phishing emails and in-person social engineering.
Common phone-based and in-person social engineering attacks involve impersonating technical support personnel, name-dropping a recognizable person of authority, communicating a sense of urgency, and using plenty of technical jargon to confuse users and elicit compliance.
Email-based phishing campaigns have a much broader range of possible topics, but the concepts and techniques remain the same.
Bypassing 2FA Mechanisms
In general, 2FA is a powerful password control that routinely frustrates hackers. But there are some common methods that hackers can employ to bypass 2FA.
The easiest way to defeat 2FA is to social engineer the 2FA passcode. There are several well-documented cases of hackers convincing help-desk personnel to switch the telephone number receiving the one-time passcode. Another social engineering method involves attacking the user directly. An attacker can employ the following script (with a spoofed 800 or local telephone number caller ID): “Hi, I’m calling from your bank’s security department, and there’s been some suspicious activity with your account; but before we go any further, we need you to verify it’s you. Please read me the code you were just sent.” The code was sent by the target’s legitimate financial institution because the fraudster just entered the target’s (stolen, guessed or cracked) username and password. Now the attacker is calling the target to request the MFA one-time code.
Another low-effort attack technique is to look for configuration oversights that allow authentication that bypasses 2FA altogether. Examples include application programming interfaces (APIs) or clients that do not require 2FA, such as Exchange Web Services and Exchange Modern Authentication, which can provide a non-2FA-protected backdoor login.
More technically advanced methods of defeating 2FA are various bypass and MiTM attacks. A common bypass technique is simply to use the hashed Windows NTLM password hash to access functionality not protected by MFA. In addition, with sufficient access, Kerberos can be abused to impersonate other users within the environment and forge a valid ticket. Outside of a Windows environment, insecure web applications can be abused to bypass application access control lists (ACLs) or forge valid tokens. MiTM attacks that seek to proxy traffic between a poorly patched or poorly protected client (often a mobile client) and the server-side online banking application are becoming increasingly common.
An often-overlooked issue that can lead to vulnerabilities is the concept of fail-open versus fail-secure. Because 2FA systems need a fallback plan, any weaknesses in that plan can be exploited. For instance, what happens if the end user’s phone or fob is lost or stolen? What happens if a personal computer that normally authenticates over the LAN for 2FA has its network cable unplugged during the login process and then plugged back in? What if a body part used for biometric authentication is scarred? If there is a fail-open plan in place that bypasses 2FA in these instances, even temporarily, hackers can use it to their advantage.
There are numerous 2FA-protected user accounts for a wide range of applications and services that simply have not yet been set up. In many penetration tests, the testers find themselves in possession of a stolen username and password pair, expecting a 2FA challenge following a login attempt, only to find that the user has yet to set up 2FA. That is good news for an attacker, who can complete the 2FA setup for the stolen user account with the attacker’s phone number or host substituted as the authenticated device for whatever one-time passcodes or tokens are required.
Practical Password Risk Management Strategies
Although there are numerous ways attackers can defeat authentication and identification controls, there are several effective approaches to frustrating hackers.
For End Users
As previously noted, a typical end user should have to remember only three passwords. All other credentials should be long, pseudorandom strings autogenerated by a password manager and augmented by 2FA. To protect against attacks, users’ passphrases must be at least 15 characters, with ample numerical, capitalization and special character substitutions (hackers hate the space bar in a password). Passphrases should not include common ad slogans, song lyrics, brand names or literary quotes, as password dictionaries include many of these common expressions. Passphrases should not be constructed around the business name, seasons or other topics that are easily associated with or related to the user. And all passwords should be changed regularly to minimize the amount of time an attacker has unfettered access to a hacked account.
All password storage should be encrypted at the disk and file levels. For users with many authentication requirements, a universal 2FA hardware authenticator (e.g., Yubikey) can improve password security while enhancing ease of use.
Users also need to be trained not to transmit and store credentials via email, and enterprises should have email data loss prevention (DLP) controls in place to enforce these rules. Once an initial account is compromised, a quick search of email inboxes and sent boxes can lead to the harvesting of additional credentials.
For Administrators and Security Officers
Systems administrators are encouraged to search fileshares for strings such as “passwords,” “confidential” and “credentials.” Auditors are often surprised at the number of Word and Excel password files employees store within the corporate environment.
To the extent possible, system administrators and security engineers should invest the considerable time and energy necessary to eliminate or properly configure fallback name-resolution protocols (e.g., LLMNR, NetBIOS-NS) and default services (e.g., WPAD, IPv6). These protocols are far too easy to trick into improperly directing traffic and disclosing password hashes. A related technique involves attackers gathering password hashes from vulnerability scanners configured to perform authenticated scans. When the vulnerability scanner queries a compromised or rogue host, that host can harvest or relay the scanner’s password hash. Although it is best for such a service account’s password to be a long string of random characters, the hash can still be relayed without the attacker ever knowing the password itself. The best defense against passing and relaying attacks is to configure all possible Active Directory integrated services to require message signing; however, message signing is not universally available. In addition, disabling NTLM and Net-NTLM authentication and relying exclusively on Kerberos has proved to be highly effective; however, it does involve some implementation challenges.
When it comes to local administrator password management, Windows Local Administrator Password Solution (LAPS) can help avoid the high impact of password reuse.6 Although it would be ideal to create a massive password whitelist, that is impractical with current computing power. Therefore, an incomplete but still powerful tool for system administrators is to prohibit trivial passwords by blacklisting a common password list.7 In addition, periodic password audits of Active Directory password hash files can identify the weakest links in the authentication chain.
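The end-user passphrase rules (at least 15 characters; nothing built around the company name, the user or a season) and the common-password blacklist recommended above can be enforced in one check, combined with the key-space arithmetic from the “What Makes a Password Strong?” section. The following is an added example, not the article’s or any vendor’s code; the blacklist is a constructed stand-in for a file such as the SecLists list the endnotes cite, and the org name and username are hypothetical inputs.

```python
import math

CHARSET_SIZE = 95            # printable US keyboard characters, as in the article
OFFLINE_RATE = 800e9         # guesses per second, the offline rate the article assumes
SECONDS_PER_YEAR = 365.25 * 24 * 3600
MIN_LENGTH = 15

# Constructed stand-in for a blacklist such as the SecLists top-100000 file;
# in production, load the full file into this set.
COMMON_PASSWORDS = {"password", "passw0rd", "p@ssw0rd", "123456", "qwerty",
                    "letmein", "welcome", "iloveyou", "monkey"}
SEASONS = ("spring", "summer", "autumn", "winter")
# common leetspeak substitutions, undone before matching
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def keyspace(length: int, charset: int = CHARSET_SIZE) -> int:
    """Number of candidate strings of exactly this length."""
    return charset ** length


def worst_case_crack_seconds(length: int, rate: float = OFFLINE_RATE) -> float:
    """Time to exhaust the whole key space at the given offline guess rate."""
    return keyspace(length) / rate


def normalize(pw: str) -> str:
    """Lower-case and undo leetspeak so '1Ns@n3Pw' is matched as 'insanepw'."""
    return pw.lower().translate(LEET)


def check_passphrase(pw: str, org_name: str = "", username: str = "") -> dict:
    """Apply the article's rules and return the problems found together with
    an entropy estimate and worst-case exhaustive-search time for its length.
    A long passphrase that is on a blacklist still fails: length protects
    against brute force, the blacklist against dictionary guessing."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    low, norm = pw.lower(), normalize(pw)
    if any(w in low or w in norm for w in COMMON_PASSWORDS):
        problems.append("contains a blacklisted common password")
    for label, ctx in (("company name", org_name), ("username", username)):
        if ctx and ctx.lower() in norm:
            problems.append(f"built around the {label}")
    if any(season in norm for season in SEASONS):
        problems.append("built around a season")
    secs = worst_case_crack_seconds(len(pw))
    return {
        "ok": not problems,
        "problems": problems,
        "entropy_bits": round(len(pw) * math.log2(CHARSET_SIZE), 1),
        "worst_case_hours": secs / 3600,
        "worst_case_years": secs / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # the article's own examples, checked against a hypothetical org "Acme"
    for candidate in ("1Ns@n3Pw", "P@ssw0rdP@ssw0rd", "Springtime2021",
                      "We use l0ng passphrases."):
        result = check_passphrase(candidate, org_name="Acme", username="jdoe")
        print(f"{candidate!r}: ok={result['ok']} problems={result['problems']} "
              f"entropy={result['entropy_bits']} bits "
              f"worst-case={result['worst_case_years']:.3g} years")
```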
Most important, all user privileges, for all accounts and at all times, should be minimized. If a security risk can be considered a combination of likelihood and impact,8 then limiting account privileges is one of the most powerful controls an enterprise has to reduce impact. When the inevitable account compromise occurs (probably via credential exploitation), the damage can be limited in scope.
This applies not only to user accounts but especially to administrative accounts. High-privilege users and administrators should be logged in with high privileges only when it is absolutely necessary. This not only limits the impact of a breach but also insulates the high-privilege user or administrator from suspicion in the event of a crime. All crimes require means and motive, and by definition, high-privilege account holders must be considered persons of interest in any criminal case.
The Future of Identification and Authentication
Soon, all passwords and passphrases will be obsolete. The rapid increase in affordable computing power provided by the cloud is giving criminals more password-cracking resources than ever before. Based on the premise that users will chronically choose weak passwords, strong industry initiatives are in place to support a range of identification and authentication mechanisms. The leading example is the Fast IDentity Online (FIDO) Alliance; this published standard has more than 600 registered application and product vendors. Designed for workstations, servers and mobile devices, FIDO supports a wide array of strong password and 2FA solutions.9
For a glimpse at the future of authentication, note the fascinating work being performed by teams at the University of California–Berkeley (USA), who are harnessing the power of brain waves.10 Considered one-step three-factor authentication (3FA), brain-wave authentication goes beyond something one knows (password) or something one possesses (phone, fob) or even something one is (finger or retinal print). Called “inherence,” 3FA is used in this context to authenticate “who” one is. With this authentication mechanism, an earpiece electroencephalogram (EEG) is used to receive and authenticate against a unique “passthought.”
Employee Buy-In and Leadership by Management
Although the math of strong password management is clear-cut, the art of password management requires some creativity. Convincing users to practice strong password habits is a difficult and thankless task. The most important aspect of organizational password management is user buy-in. The key is getting users to go beyond merely following the rules with regard to password length and complexity and actually embracing the spirit of strong passwords.
To begin the process of attaining employee buy-in, communication is paramount. It is necessary to emphasize to employees that management has thought about the problem of password management and created a policy that considers important user issues such as ease of recall, ease of typing and ease of creating multiple generations of passphrases. Emphasize that the enterprise is only as secure as its weakest passphrase, and provide users with a password manager application to facilitate strong credentials. Suggest that employees extend the enterprise’s password policy to their personal lives; remind them that long, complex and securely stored passwords are also important for online banking and 401(k) access.
Most important, lead by example. Too many business leaders act as if strong passwords are the burden of rank-and-file employees, but not them. Based on the results of more than 500 community financial institution IT examinations, the conclusion is that “routinely discussing cybersecurity issues in board and senior management meetings will help the financial institution set the tone from the top and build a security culture.”11 Demonstrate that the entire enterprise is in this together by practicing strong credential creation, transmission and storage habits. Allocate time to discuss passwords with all employees, and set the right tone. Only by demonstrating strong leadership in password management will employees embrace strong credentialing habits.
Endnotes
1 Twitter, “An Update on Our Security Incident,” 18 July 2020, http://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html
2 Verizon, 2020 Data Breach Investigations Report, USA, 2020, http://enterprise.verizon.com/resources/reports/dbir/
3 Microsoft TechNet Blog, “Password Complexity Versus Password Entropy,” 19 May 2015, http://blogs.technet.microsoft.com/msftcam/2015/05/19/password-complexity-versus-password-entropy/
4 Security Factory, “Password Cracking Speed,” 8 May 2020, http://www.thesecurityfactory.be/password-cracking-speed/
5 Testa, J. S., II; “Rainbow Crackalack Project Releases NTLM 9-Character Rainbow Tables!” Positron Security, 2 April 2020, http://www.positronsecurity.com/blog/2020-04-02-rainbowcrackalack-project-releases-ntlm-9-character-rainbow-tables/
6 Windows Local Administrator Password Solution (LAPS), http://www.microsoft.com/en-us/download/details.aspx?id=46899
7 GitHub, “10-million-password-list-top.txt,” http://github.com/danielmiessler/SecLists/blob/master/Passwords/Common-Credentials/10-million-password-list-top-100000.txt
8 National Institute of Standards and Technology (NIST), NIST 800-30 Guide for Conducting Risk Assessments, USA, 2012, http://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final
9 Fast IDentity Online (FIDO) Alliance, http://fidoalliance.org/
10 Berkeley School of Information, “Fact or Science Fiction? Using Your Thoughts to Enter a Password,” 4 December 2018, http://www.ischool.berkeley.edu/news/2018/fact-or-science-fiction-using-your-thoughts-enter-password
11 Federal Financial Institution Examination Council (FFIEC), “Cybersecurity Assessment General Observations,” http://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_Assessment_Observations.pdf
David Trepp
Has been a technology entrepreneur for more than 30 years. He has led thousands of information security penetration test engagements for satisfied customers across all major industries throughout the United States and abroad. He has given dozens of presentations to audiences nationwide on a variety of information security topics, including to several ISACA® chapters. Prior to becoming a partner at BPM, he was founder and chief executive officer (CEO) of Info@Risk, a leading comprehensive penetration test firm. He has worked in information security with commercial, healthcare, government, financial, utility, law enforcement and nonprofit organizations for more than 20 years.
Joshua Schmidt, CEH, CPT
Is an information security systems specialist and assessor. He provides dual-threat assessments involving penetration testing in both systems/networking and application development. He has worked in information security with governments and educational institutions since 2009.