The value of passwords and how to strengthen your access control

Password fatigue
A password is the access key to almost every digital device and online account you use. In today's digital world, the average person has between 70 and 130 online accounts that require passwords, a figure that may have risen by as much as 25% since the pandemic.
Each password is supposed to be unique, long, and not guessable from details of your life. What's more, we are told not to write them down, not to tell anyone, and to change them if we suspect someone knows them.

The value of passwords
Stealing personal information such as usernames and passwords, bank account details and credit card numbers is incredibly profitable for criminals. They can send fraudulent emails from your account, make fraudulent purchases on your credit card, use your identity to take out loans and open new accounts, and go on to launch further attacks against you. Criminals also profit from disrupting or re-routing websites, illegally tracking users and selling stolen credentials to other criminals. With the rise of online accounts, criminals have realised that passwords are the key to those accounts, and they have become very proficient at password harvesting.
The master plan for many cyber criminals is to discover as many passwords as they can in the shortest amount of time and then use computers to try the matching usernames and passwords against as many accounts as possible, all at once. According to Breach Alarm, 1 million passwords are stolen every week.

How can you make your password resilient to cyber attacks? How much does the length and complexity of your password matter? Let’s start by looking at how attackers get your passwords.

How attackers get your passwords

  • Credential stuffing 

    An attacker simply buys, on the dark web, a list of credentials gathered from breached sites, then tries the stolen username-password combinations across multiple other sites hoping for a match. Automated 'list cleaning' tools that facilitate these high-volume attacks are readily available.

    This extremely simple and common method of account burglary works because a great many people reuse the same passwords (66% of users admit to reusing passwords), and many organisations allow their staff to access accounts using only a password.

    Does the password matter? No, the attacker has the exact password. 

    How to avoid: If you are alerted to the fact that an account you use has been breached, change your password immediately. Never use the same password for more than one account. Use multi-factor authentication on every account that is accessible from the internet. Your company password policy should reflect these good practices.

  • Phishing / man in the middle / credential interception
    An attacker sends fraudulent emails to vast numbers of people at once. The emails pretend to come from a trusted source and use a promise or a threat to entice the user to click a link that leads to a phoney website, where they sign in to what they think is their account. As they enter their username and password, the credentials are captured by the attacker using easily obtainable tools. This kind of attack is very common and very easy. It exploits ordinary human traits in employees: curiosity, stress, gullibility, or a lack of training and awareness.

    Does the password matter? No, the user gives the password to the attacker.

    How to avoid: Change your password if you suspect that one of your accounts has been breached or that you have inadvertently given away your password. Never check emails or browse the web while logged into an administrator account, and avoid reusing passwords across accounts. Enable MFA so that a captured password alone is not enough to get in.

  • Keystroke logging / malware sniffing
    The attacker arranges for malware to be installed on the victim's computer, usually by tricking them into clicking a link or opening an attachment; the damage is far greater if the victim is logged in to an administrator account at the time. The malware then records and transmits every keystroke, which will include usernames and passwords entered, but usually everything else too, so the attacker has to trawl through the data to dig out what is valuable to them.
    This attack is not as common as the two above and requires some skill.

    Does the password matter? No, the malware intercepts exactly what is typed.

    How to avoid: Install and regularly update anti-malware software, which detects and blocks known malware before it can run, scans files for malware before allowing them to download, blocks known malicious or compromised sites (including phishing sites) and, in some products, shields keystrokes so that keylogging software cannot capture your logins and passwords.
    Use separate administrative accounts for administrative activities only (no emailing, web browsing or other standard-user activities that would expose administrative privileges to avoidable risk). If you click a malicious link while using a standard user account, malware that needs administrative privileges to install will either be blocked or will prompt for an administrator password, which is itself a warning sign; malware that runs without elevation is still confined to what that user account can do.

  • Local discovery / dumpster diving 
    An attacker searches a person's desk, office or notebook for written-down passwords.
    This kind of attack, although certainly a risk, can only be carried out against a relatively small number of people at a time, so it is not seen in the volumes the other attacks reach.
    These attacks are facilitated by people writing their passwords down.

    Does the password matter? No, the exact password is discovered.

    How to avoid: Do not write passwords down in desktop notebooks or post them up in the office. If you must record passwords, keep them locked away or, better, store them in a password manager.

  • Password spray
    Attackers can easily acquire lists of the most common passwords and will try a small number of them at a time against a very large number of usernames. These attacks are surprisingly successful: given a large set of users, it is likely that quite a number are still using passwords such as qwerty1234, password1 and summer2020. The weakness of password spray is that it is detectable, and once detected the login server can shut it down. The faster the criminal guesses, the faster they are detected, so they need to work slowly. Attackers know they need to maximise their impact before they are detected, so they tend to use about 10 of the most common passwords gleaned from existing leaks, spread the guessing across many source addresses, and regulate the speed using cheap and readily available tools.
    This is a very easy and very common attack. Microsoft estimates that more than a third of account compromises are password spraying attacks. Hundreds of thousands of passwords can be broken every day, and millions of accounts are probed daily.
    If your password is not on the exact list your attacker is trying, you will not be breached in the attack. Here is an example of a password spray list.
    1. 123456
    2. password
    3. 000000
    4. 1qaz2wsx
    5. a123456

    Attacks are facilitated by account holders using common, easily memorable passwords.

    Does the password matter? No, unless it is in the handful of top passwords that attackers are trying.

    How to avoid: Make sure that users have clear guidance on creating good passwords. One of the three options for securing passwords under Cyber Essentials is a minimum length of 8 characters with no maximum length, in conjunction with an automatic deny list* that blocks the most common passwords.

    *An automatic deny list blocks users from choosing passwords that appear on a pre-configured list of commonly breached passwords. Organisations can build a deny list from the file of the 100,000 most commonly breached passwords compiled by the NCSC.
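The detectability mentioned above is what a login server or a SIEM acts on. The following is an added example, not code from the original page or from IASME: a small detector in Python run over a constructed log extract (the log format, field names and thresholds are assumptions). It separates the spray shape (one source, many usernames, one or two guesses each) from classic brute force (one source, one username, many guesses), and lists the accounts that then logged in successfully from a spraying source, which are the ones to reset first.

```python
# Password spray detection over authentication logs (added example; the
# log format, field names and thresholds are assumptions for illustration).
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): one source trying one guess
# against many users (spray), one source hammering a single user (brute
# force), and one ordinary user who mistyped once and then got in.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z LOGIN_FAILED user=alice src=203.0.113.5
2024-03-01T09:00:03Z LOGIN_FAILED user=bob src=203.0.113.5
2024-03-01T09:00:05Z LOGIN_FAILED user=carol src=203.0.113.5
2024-03-01T09:00:07Z LOGIN_FAILED user=dave src=203.0.113.5
2024-03-01T09:00:09Z LOGIN_FAILED user=erin src=203.0.113.5
2024-03-01T09:00:11Z LOGIN_OK user=frank src=203.0.113.5
2024-03-01T09:05:00Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:01Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:02Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:03Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:04Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:05Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:06Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:07Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:08Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:05:09Z LOGIN_FAILED user=alice src=198.51.100.7
2024-03-01T09:10:00Z LOGIN_FAILED user=bob src=192.0.2.9
2024-03-01T09:10:30Z LOGIN_OK user=bob src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>LOGIN_FAILED|LOGIN_OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Turn log lines into (timestamp, outcome, user, src) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["outcome"], m["user"], m["src"]))
    return events


def detect(events, window=timedelta(minutes=30), min_users=5, max_per_user=3,
           brute_threshold=10):
    """Classify each source by the shape of its failures within any span of
    length `window`: many users with few attempts each is a spray; one user
    with many attempts is brute force. Returns {src: (kind, count)}."""
    failures = defaultdict(list)
    for ts, outcome, user, src in events:
        if outcome == "LOGIN_FAILED":
            failures[src].append((ts, user))
    findings = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(u for _, u in fails[start:end + 1])
            busiest = max(per_user.values())
            if len(per_user) >= min_users and busiest <= max_per_user:
                findings[src] = ("password_spray", len(per_user))
            elif busiest >= brute_threshold:
                findings[src] = ("brute_force", busiest)
    return findings


def accounts_hit_after_spray(events, findings):
    """Successful logins from a spraying source: reset these accounts first."""
    return sorted({user for _, outcome, user, src in events
                   if outcome == "LOGIN_OK"
                   and findings.get(src, ("", 0))[0] == "password_spray"})


def run(log_text=SAMPLE_LOG):
    events = parse(log_text)
    findings = detect(events)
    return findings, accounts_hit_after_spray(events, findings)


if __name__ == "__main__":
    found, to_reset = run()
    for src, (kind, n) in found.items():
        print(f"{src}: {kind} ({n})")
    print("accounts to reset:", to_reset)
```

Two caveats when tuning this for real logs: a corporate NAT or VPN egress puts many genuine users behind one address, so `min_users` and `max_per_user` need to be set against a baseline for that source; and a spray spread across many source addresses, as the text describes, will not trip a per-source count at all, so also watch the population-wide figure (a sudden rise in the number of distinct accounts with a single failure in the same window).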

  • Brute force / cracking /exhaustive key search
    Brute force attacks use trial and error to guess passwords and encryption keys, trying combinations of characters until the correct one is found. Against a login page (an online attack) the rate is limited by the server and the network, so a typical attack makes at most a few hundred guesses per second; even so, very simple passwords (short, all lower-case letters) can fall in seconds to minutes. If the attacker has stolen a database of password hashes, the guessing happens offline on their own hardware, where modern GPUs and supercomputers reach billions to a trillion guesses per second: at a trillion guesses per second, every eight-character password built from letters, digits and symbols can be tried in about two hours. A database protected by a weak hashing scheme can therefore have most of its passwords recovered within months, and often far sooner. For this reason, accounts that do not also have MFA enabled should be protected by passwords of 12 characters or more.
    Brute force attacks are very common, and how hard they are depends on the cyber security controls an organisation has in place, such as rate limiting, lockout and strong password hashing.

    Does the password matter? Yes. A password of fewer than 8 characters offers little resistance, while a long password (such as one generated by a password manager) or three random words makes a real difference.

    How to avoid: In your company password policy, give guidance on how to create a strong password using three random words or how to use a randomly generated password from a password manager. Ensure that passwords are 12 characters or more in length, or 8 characters or more in length with either MFA enabled or an automatic deny list of the most common passwords enabled.
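As an added example (not code from the page or from IASME), the following Python function applies the three password options described in the spray and brute force sections above: at least 8 characters with MFA, at least 8 characters with a deny list, or at least 12 characters for a password on its own, and never a maximum length. The deny list shown is a constructed stand-in for the NCSC file, and the check that strips trailing digits and symbols before consulting the list is my own addition beyond what the page states.

```python
# Password policy check modelled on the three Cyber Essentials options the
# page describes (added example; my reading of the page, not an official
# IASME/NCSC implementation). The deny list below is constructed; a real
# deployment loads the NCSC top-100,000 breached-password file instead.
import re

DENY_LIST_TEXT = """\
123456
password
000000
1qaz2wsx
a123456
qwerty1234
password1
summer2020
"""

MIN_WITH_MFA = 8        # option 1: MFA on the account
MIN_WITH_DENY_LIST = 8  # option 2: deny list of common passwords enforced
MIN_PASSWORD_ONLY = 12  # option 3: nothing but the password protects the account


def load_deny_list(text):
    """One password per line; matching is case-insensitive."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def _on_deny_list(password, deny_list):
    candidate = password.lower()
    if candidate in deny_list:
        return True
    # Assumed extra (beyond the page): also test the word with trailing
    # digits and symbols removed, so "Password2024!" is caught by "password".
    base = re.sub(r"[\d\W_]+$", "", candidate)
    return bool(base) and base in deny_list


def check_password(password, *, mfa_enabled=False, deny_list=None):
    """Return (accepted, reason). No maximum length is ever enforced.

    deny_list=None means no deny list is deployed for this account."""
    if mfa_enabled:
        minimum, mode = MIN_WITH_MFA, "MFA"
    elif deny_list is not None:
        minimum, mode = MIN_WITH_DENY_LIST, "deny list"
    else:
        minimum, mode = MIN_PASSWORD_ONLY, "password only"
    if len(password) < minimum:
        return False, f"too short: {mode} policy requires at least {minimum} characters"
    if deny_list is not None and _on_deny_list(password, deny_list):
        return False, "appears on the deny list of commonly breached passwords"
    return True, "ok"


if __name__ == "__main__":
    dl = load_deny_list(DENY_LIST_TEXT)
    for pw, opts in [("summer2020", {"deny_list": dl}),
                     ("coffeetrn", {"mfa_enabled": True}),
                     ("coffeetrn", {}),
                     ("coffee train lamp", {})]:
        print(repr(pw), opts, "->", check_password(pw, **opts))
```

Note that when a deny list is supplied it is applied even on MFA-protected accounts; the page only requires it where MFA is absent, but there is no reason to let a known-breached password through anywhere.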

Summary

Of the attacks above, the only ones where your password has any bearing on whether you are breached are password spray and brute force.
The following simple controls will help protect you against these threats.

Have a clear password policy that applies to everyone in your organisation including contractors.
This should include:

  • How to create good passwords using three random words or a randomly generated password created by a password manager. (Your password policy will specify which one and how to use it.)
  • Accounts protected by a password alone must use a password of at least 12 characters (with no maximum length).
  • If an account has the additional protection of MFA, the password needs to be at least 8 characters long, with no maximum length.
  • Accounts that do not have MFA enabled also need a deny list to automatically block users from picking the most common passwords (which are likely to appear on the list used in a password spray attack).
  • There needs to be an established process to change passwords promptly if a user knows or suspects that the password or account has been compromised.
  • Enable MFA on all administrator accounts and on all accounts (user and administrator) that are accessible from the internet (cloud services).

Multi-factor authentication (MFA) requires the user to have one or more types of credentials in addition to a password, before being able to access an account.
Businesses have a choice of several different methods that they can use for multi-factor authentication.

  • A trusted device: MFA techniques that use a trusted device rely on the knowledge that a user possesses a specific device (e.g. a company computer) to prove they are who they say they are. Organisations can configure cloud services to accept authentication attempts only from within their trusted enterprise networks. This ensures that users can only authenticate if they are either directly connected to that trusted network or have remote access to it over a virtual private network (VPN). In addition to, or as an alternative to, a VPN, remote workers can be allowed to access online services only from trusted devices that are managed by the organisation.
  • An application: An authenticator app generates a single-use code that changes at a fixed interval (typically every 30 seconds). Alternatively, an app can receive push notifications that prompt the user to confirm or deny that they are currently trying to log in to a named service.
  • A physically separate token: These techniques use the knowledge that a user holds a physical security token, which proves they are who they say they are. Some types require the user to unlock them before use; others just require proof of possession.

Examples of physically separate tokens are FIDO Universal 2nd Factor (U2F) authenticators such as YubiKey, smartcards unlocked by a PIN code, and devices such as RSA tokens and chip-and-PIN card readers that generate a single-use code each time a user logs in.

  • A known trusted account: These techniques send codes to a registered email address or phone number.

The service sends an SMS message containing a single-use code, or makes a voice call in which a single-use code is read out, to the phone number registered for that user. SMS is not the most secure type of MFA (the code can be intercepted or the phone number hijacked), but it still offers a huge advantage over not using any MFA. Alternatively the service emails a single-use code to an address registered for that user. A code for the user to type in is preferable to a clickable link, as it is difficult for a user to distinguish between a legitimate email and a phishing email.
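The authenticator-app method above is usually TOTP (RFC 6238): the phone and the server share a secret at enrolment, and each independently derives the same short code from the current time step. The following Python implementation is an added example, not code from the page or from any authenticator product; it uses only the standard library, and the secret, the 30-second step and the one-step clock tolerance are the common defaults rather than anything the page specifies. The server-side verifier also refuses to accept a code for a time step it has already accepted, which stops a code captured by a phishing page from being replayed within its window.

```python
# TOTP (RFC 6238) code generation and server-side verification.
# Added example using only the Python standard library; the 30-second step,
# 6 digits, SHA-1 and a +/-1 step tolerance are the common defaults.
import base64
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 30  # most apps use 30-second steps, not a minute
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at_time=None, step: int = STEP_SECONDS) -> str:
    """What the authenticator app shows: HOTP over the current time step."""
    t = time.time() if at_time is None else at_time
    return hotp(secret, int(t // step))


class TotpVerifier:
    """Server side: accept the code for the current step or one step either
    side (clock drift), compare in constant time, and never accept the same
    step twice so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, skew_steps: int = 1, step: int = STEP_SECONDS):
        self.secret = secret
        self.skew_steps = skew_steps
        self.step = step
        self.last_accepted_step = -1

    def verify(self, code: str, at_time=None) -> bool:
        t = time.time() if at_time is None else at_time
        now_step = int(t // self.step)
        for s in range(now_step - self.skew_steps, now_step + self.skew_steps + 1):
            if s <= self.last_accepted_step:
                continue  # already used (or older): replay guard
            if hmac.compare_digest(hotp(self.secret, s), str(code)):
                self.last_accepted_step = s
                return True
        return False


def provisioning_secret(secret: bytes) -> str:
    """Base32 form of the secret, as typed into or QR-scanned by the app at enrolment."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    secret = os.urandom(20)  # fresh per-user secret generated at enrolment
    print("enrol the app with:", provisioning_secret(secret))
    print("code right now:", totp(secret))
    print("server accepts it:", TotpVerifier(secret).verify(totp(secret)))
```

The replay guard is what makes the difference against a phishing site that captures a code: the genuine login that used the code, or the attacker's relayed login if it got there first, burns that time step, and the other attempt fails. A proxy that relays the code within seconds still wins the race, which is why the FIDO tokens listed above, which bind the response to the site's origin, are the stronger choice where they are available.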

Turn on multi- factor authentication.
Whether an attacker acquires your password via a phishing attack, from credentials stolen in another breach, or by cracking it with a brute force attack, if you have MFA enabled this will be your safeguard: as soon as the account asks for the second factor, the attacker is thwarted and unable to get in. Code-based methods can still be relayed by a phishing site that proxies the login in real time, so where the choice exists prefer a FIDO token or a push-based app over SMS or emailed codes. It makes sense to turn on MFA for as many accounts as you can, wherever it is available.
Based on studies conducted by Microsoft, an account with MFA enabled is more than 99.9% less likely to be compromised.

Wyche Innovation Centre
Upper Colwall
Malvern
WR13 6PL

03300 882 752

The IASME Consortium Ltd, company number 07897132, Address: Wyche Innovation Centre, Walwyn Road, Malvern WR13 6PL
