Weak passwords are as dangerous as leaving the front door of your house wide open for criminals to walk right in. In fact, weak passwords are a common cause of the initial breach of organizations’ networks. Even if an organization has unlimited funding available to spend on technology and the infrastructure is locked down with firewalls, intrusion prevention systems, security information and event management tools, etc., if attackers can gain access with simple password spraying techniques (trying a handful of common passwords against every known account), they can and will.
Passwords should be considered your first line of defense when protecting sensitive information and systems. In order to help ensure users are implementing secure and complex passwords, many organizational policies require users to select passwords that meet a particular set of requirements. For example, there might be a requirement to use a minimum of eight characters and to include at least one upper case letter, one lower case letter, one number, and often one special character. Even with somewhat restrictive requirements, users will typically choose a password that is easy to type and easy to remember.
Unfortunately, if the selected passwords are based on common dictionary terms and are easy for users to remember, it means they are most likely easy to guess as well. Users may think they are being clever by modifying common words, for example, P@ssword, but unfortunately this kind of character substitution is now a standard rule in the wordlists and cracking tools attackers use. Hackers will deploy various types of brute force attacks, including attempting access with known usernames and passwords from previous breaches (credential stuffing), using lists of dictionary words, lists of commonly used passwords, etc.
Users also often find the process of changing a password cumbersome and time-consuming, so they will only slightly alter the password each time a change is required. For example, a user with the initial password “College2023” will simply update to the new password “College2024.” Criminals also understand this technique and will use common words or phrases (e.g. Summer2023, CowboysFan2, Password5, etc.) in their attacks. Following mass breaches in which login IDs and passwords are compromised, those lists of information will often become publicly available. Hackers will attempt to access other applications using the compromised credentials, and if users have re-used passwords across systems or reset accounts to a similar password, there is a good chance their accounts in the new systems will also be compromised.
Having periodic password audits performed can help your organization test for and uncover weak passwords, and allow you to educate users on how to select better passwords. A password audit will provide you with a list of user accounts using weak passwords, so you can correct the behavior before attackers have the opportunity to exploit that potential weakness.
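The audit the preceding paragraphs describe, as an added example that is not code from the original post or from RedLens InfoSec: a small Python script that applies the usual complexity policy and then runs a dictionary-plus-mangling-rules attack over a set of password hashes. The account names, their hashes and the six-word wordlist are constructed for the example, and SHA-256 stands in for whatever hash format a real directory export would use (a real audit works from the native hashes and a breach-derived wordlist of millions of entries). It shows the point made above: P@ssword1 and Summer2023! satisfy every complexity rule and are still cracked in a fraction of a second, while the long passphrase quoted at the end of the page survives this wordlist.

```python
import hashlib
import string


def sha256_hex(pw: str) -> str:
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed sample audit export: hypothetical accounts, not real data.
SAMPLE_HASHES = {
    "asmith": sha256_hex("P@ssword1"),
    "bjones": sha256_hex("Summer2023!"),
    "cwu": sha256_hex("College2024"),
    "dlee": sha256_hex("DuringTheSummerOf2019,WeWentToItaly"),
}

# A typical complexity policy: 8+ characters, upper, lower, digit, special.
POLICY = {"min_length": 8, "upper": True, "lower": True, "digit": True, "special": True}


def meets_policy(pw: str, policy: dict = POLICY) -> bool:
    """True if pw satisfies every rule the policy switches on."""
    if len(pw) < policy["min_length"]:
        return False
    classes = {
        "upper": any(c.isupper() for c in pw),
        "lower": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    return all(classes[name] for name in classes if policy.get(name))


# Tiny constructed wordlist; an attacker's list is breach-derived and enormous.
BASE_WORDS = ["password", "summer", "winter", "college", "cowboys", "welcome"]

# Character substitutions of the kind rule files apply ("leet" rules).
SUBSTITUTIONS = [
    {}, {"a": "@"}, {"s": "$"}, {"o": "0"}, {"e": "3"}, {"i": "1"},
    {"a": "@", "s": "$", "o": "0", "e": "3", "i": "1"},
]

# Suffix rules: single digits, recent years, "!" and year+"!" (Summer2023!, Password5 ...).
YEARS = [str(y) for y in range(2019, 2026)]
SUFFIXES = [""] + list(string.digits) + YEARS + ["!"] + [y + "!" for y in YEARS]


def candidates():
    """Yield (candidate, rule) pairs: wordlist x case forms x substitutions x suffixes."""
    for word in BASE_WORDS:
        for form in (word, word.capitalize(), word.upper()):
            for subs in SUBSTITUTIONS:
                # subs.get() returns the replacement for mapped letters, the
                # original character (case preserved) for everything else.
                mangled = "".join(subs.get(c.lower(), c) for c in form)
                for suffix in SUFFIXES:
                    rule = f"word={word} subs={subs or 'none'} suffix={suffix or 'none'}"
                    yield mangled + suffix, rule


def audit(hashes: dict) -> dict:
    """Return {account: (cracked_password, rule)} for every hash a candidate hits."""
    # Index by hash so each candidate costs one lookup, not one compare per account.
    by_hash = {}
    for account, h in hashes.items():
        by_hash.setdefault(h, []).append(account)
    found = {}
    for cand, rule in candidates():
        for account in by_hash.get(sha256_hex(cand), []):
            found.setdefault(account, (cand, rule))
    return found


def report(hashes: dict) -> list:
    """One row per account: (account, cracked_password_or_None, passed_policy_or_None, rule_or_None)."""
    found = audit(hashes)
    rows = []
    for account in sorted(hashes):
        if account in found:
            pw, rule = found[account]
            rows.append((account, pw, meets_policy(pw), rule))
        else:
            rows.append((account, None, None, None))
    return rows


if __name__ == "__main__":
    for account, pw, ok, rule in report(SAMPLE_HASHES):
        if pw is None:
            print(f"{account}: not cracked by this wordlist")
        else:
            print(f"{account}: cracked -> {pw!r} (passes complexity policy: {ok}; {rule})")
```

The report is the useful artifact: two of the three cracked accounts pass the complexity policy, which is exactly the kind of finding that tells you the policy needs a banned-password or length requirement rather than more character classes. Note that the candidate loop is brute force over every rule combination; real tooling is far faster, so anything this script cracks should be treated as instantly guessable.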
Following a comprehensive audit, once you have identified accounts with weak passwords, you can:
- Send users a friendly email informing them that a recent password audit detected that they have a weak password and direct them to update their password to a stronger one. The message should educate users on the risks of using a weak password and teach them how to develop a strong password. Avoid reprimanding employees who have had a password cracked; rather, reward those who have improved their password skills, in order to help build your culture of security awareness over time.
- Change the passwords for the users with weak passwords and send them an email containing the new temporary password. This email will require them to change their password to one of their own when they log in and would explain tips for selecting a stronger password. Make sure you are not making the same mistake with your temporary passwords and sending passwords like Password123, as this just reinforces the use of weak passwords to the employees receiving them. Temporary passwords should be randomly generated, unique per user, and expire on first use.
A password audit not only identifies what types of passwords your users are selecting, it can also reveal problems with the password policy itself, for example a policy that enforces character classes but still allows short, dictionary-based passwords to pass.
To help users remember more complex passwords, you may want to provide or recommend the use of a password manager tool. Password management software helps users generate, encrypt, store, and manage the various passwords that are used for multiple accounts and applications. As a recommended best practice, users should employ unique passwords for each site in order to help minimize the impact of a breach of one system. However, managing so many separate passwords is difficult, so users fall back to bad habits and reuse passwords, or write passwords down on sticky notes. A password manager tool will securely store unique passwords so the user isn’t reliant on his/her memory.
To learn more about performing password audits within your organization, please reach out to us.
Additional guidance from our RedLens InfoSec team below:
[Wheeler]: I have had conversations with people recently, where I was asked about zero-days, exploits, and attack frameworks, because it is a common belief that THAT is how penetration testers and attackers gain access to systems. While that is true, it is only true a small portion of the time. Over the past few years, our team has been wildly successful in taking advantage of weak passwords during penetration tests. Why not take the path of least resistance? Many times, we only need to get access to one account, which will lead to greater access within the environment. If you are using a password like ‘Summer2023’, at least make attackers work harder for your password. Complex is great (read: password managers with password generators are awesome!), but it doesn’t even have to be hard for you to remember. We wouldn’t guess something like ‘DuringTheSummerOf2019,WeWentToItaly’.