Password Auditing Explained
Why Audit?
Harriet Beecher Stowe is credited with the quote "Human nature is above all things lazy" - while I prefer to think of myself as 'efficient' rather than lazy I think the principle is sound. When faced with the choice of executing a task in a difficult or simple way (with no difference in the outcome) then people will naturally choose the simple way. This leaves more physical and mental resources available for the truly challenging things in life.
What should you learn next?
The same is true for most users when selecting a password; the perception to the user is the complexity of the password doesn't matter, but the process of changing a password is time-consuming or cumbersome. With those two facts the user is going to opt to use a password that they are confident they can remember when needed.
To 'fight' human nature and to help ensure our users implement complex passwords we enforce password complexity. This (we believe) ensures that our users will start using passwords that are hard to crack.
But what we forget is the difference between brute forcing passwords and easily guessable passwords. In Flavio's presentation about the exponential nature of password cracking costs he showed that, from a brute force point of view, each increase in the length of the password and the number of possible characters significantly increased the time it would take to grind through all the possible password combinations.
But that is simply talking about brute forcing; there are two things to remember about bruteforcing:
- It is dumb, you are just trying all of the possible combinations until you find a hit
- Assuming you know all the characters used and the password length (or the range of lengths that the user could have used) you will eventually discover the password
So, eventually a brute force attack will work; though eventually can be a very long time. Jason Fossen via SANS has a great spreadsheet that shows the calculations of how long it will take a set of 100 computers each cracking 200,000,000 passwords per second (for a combined rate of 20,000,000,000 passwords attempted per second). Assuming the password requirements is for a password to have at least one of each of the following:
- Lowercase letter [abcdefghijklmnopqrstuvwxyz]
- Uppercase letter [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
- Number [0123456789]
- Character [!@#$%^&*()_+{}|:"<>?~`-=[];',./]
Giving a pool of 93 possible characters; if we assume the minimum password length is 12 characters then it will take approx 2,422,432 days (~6,636 years) to try every possible combination (though you would have to be a pretty unlucky attacker if the last password combination your great (great, great, great etc) grandchild tried was the one that worked. The average time to crack should be half, which reduces it to 1,211,216 days or ~3,318 years. which clearly means the account or the data is most likely useless/non-existent by the time you crack it. If the password fails to crack quickly most attackers will reallocate their password cracking resources to another password. As a result most security professionals are not concerned about a password being cracked that far in the future.
But brute forcing assumes the users are doing completely random combinations; and my premise is that they will not. As a security professional I am less concerned about a password being brute force-able but I am worried about the password being guessable. By guessable I don't mean plucking it out of the air but based on a dictionary word with some basic changes.
What kinds of changes? Well, if there is a password length then take a dictionary word and add numbers at the end or beginning to make it the right length. If you need a special character then try one of the characters above the number keys [!@#$%^&*()] as they are the most common and put it at the beginning or end of the word (as those characters require two fingers to press so are easiest to do first or last). Do common letter -> number substitutions (replace a's with 4's, e's with 3's etc).
Let's say that our user has a password of password3 (yes, you guessed it, it is the fourth time they have changed their password) - but then a new security admin starts and emails everyone saying that at the next password change a password complexity policy will be enforced. The new rules are the same as the above (The password must contain at least one: lowercase letter, uppercase letter, number, character and be at least 12 characters long). Damn those security people, don't they know that folks are trying to get shi...work done! So at the next password reset the user has a think and comes up with the following password:
!Password123
This meets all the requirements, has the right characters and is the right length - but for someone doing more intelligent password guessing (vs dumb bruteforcing) this is going to be on their guess list. So the password meets the complexity requirements but is not complex to guess.
The security guy overhears the worker bragging in the cafeteria that he has 'beaten' the password requirements, and updates the policy. The passwords can no longer contain a dictionary word... so the next time the user has to change his password he switches it to:
!P4ssOrd123
Again, it meets the password requirements but is still guessable.
How do you Audit?
How do you protect against this? As an administrator what are the steps you can take to ensure the passwords being used by your employees are not easily guessable? Through regular password audits. This process is already taking place within some government organizations; at regular intervals they attempt to 'guess' their users passwords using a strong word list and notify those users whose passwords are to easily guessable.
With the release of Impact v2013 R1 we automated this process for our users; in a nutshell the process is as follows:
- Extract the hashes for the accounts you want to export using Impact
- Pass the hashes to CORE CloudCypher
- CloudCypher will tell you if the passwords are crackable or not
[youtube id="Y4Ht3EgMZ0c" width="600" height="350"]
If they are, you can notify the users that their passwords are not strong enough and request they change their password. This could be done across all of your user base or in samples (get the hashes for every user who changed their password in the last week, for example).
Alex Horan – Impact Product Manager
To comment on this post, please CLICK HERE
In this Series
- Password Auditing Explained
- Free Valentine's Day cybersecurity cards: Keep your love secure!
- How to design effective cybersecurity policies
- What is attack surface management and how it makes the enterprise more secure
- Is a cybersecurity boot camp worth it?
- The aftermath: An analysis of recent security breaches
- Understanding cybersecurity breaches: Types, common causes and potential risks
- Breaking the Silo: Integrating Email Security with XDR
- What is Security Service Edge (SSE)?
- Cybersecurity in Biden’s era
- Password security: Using Active Directory password policy
- Inside a DDoS attack against a bank: What happened and how it was stopped
- Inside Capital One’s game-changing breach: What happened and key lessons
- A DevSecOps process for ransomware prevention
- What is Digital Risk Protection (DRP)?
- How to choose and harden your VPN: Best practices from NSA & CISA
- Will immersive technology evolve or solve cybercrime?
- Twitch and YouTube abuse: How to stop online harassment
- Can your personality indicate how you’ll react to a cyberthreat?
- The 5 biggest cryptocurrency heists of all time
- Pay GDPR? No thanks, we’d rather pay cybercriminals
- Customer data protection: A comprehensive cybersecurity guide for companies
- Online certification opportunities: 4 vendors who offer online certification exams [updated 2021]
- FLoC delayed: what does this mean for security and privacy?
- Stolen company credentials used within hours, study says
- Don’t use CAPTCHA? Here are 9 CAPTCHA alternatives
- 10 ways to build a cybersecurity team that sticks
- Verizon DBIR 2021 summary: 7 things you should know
- 2021 cybersecurity executive order: Everything you need to know
- Kali Linux: Top 5 tools for stress testing
- Android security: 7 tips and tricks to secure you and your workforce [updated 2021]
- Mobile emulator farms: What are they and how they work
- 3 tracking technologies and their impact on privacy
- In-game currency & money laundering schemes: Fortnite, World of Warcraft & more
- Quantitative risk analysis [updated 2021]
- Understanding DNS sinkholes - A weapon against malware [updated 2021]
- Python for network penetration testing: An overview
- Python for exploit development: Common vulnerabilities and exploits
- Python for exploit development: All about buffer overflows
- Python language basics: understanding exception handling
- Python for pentesting: Programming, exploits and attacks
- Increasing security by hardening the CI/CD build infrastructure
- Pros and cons of public vs internal container image repositories
- CI/CD container security considerations
- Vulnerability scanning inside and outside the container
- How Docker primitives secure container environments
- Top 4 Zapier security risks
- Common container misconfigurations and how to prevent them
- Building container images using Dockerfile best practices
- Securing containers using Docker isolation
- Introduction to container security
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
General security
Free Valentine's Day cybersecurity cards: Keep your love secure!
General security
General security