We can only blame people for so long. After all, we traditionally secure access to the critical resources on our network, whether that is customer information, price lists, salary information, or the secret recipe to our best-selling product, by requiring users to log on with a username and a password. Usernames allow us to grant authorizations and track activity, and passwords authenticate the username, theoretically providing assurance that the owner is the person using the credential. Over the years, humans have demonstrated their poor ability to create and use strong passwords. We try to teach them about strong passwords, give them examples, set policies to require strong passwords, and yet we still get users with passwords like P@ssword.
Our challenge is to find weak passwords on our systems BEFORE the bad guys do, so we can help those specific users with a little extra training on creating and using good passwords. But how can you go about this without locking out your entire user base with a brute-force attack?
- Start with policy. Bad passwords start with bad password policies. Vulnerability scanners and other types of policy checks via configuration managers are a critical asset when looking for bad policies.
- Find and fix weak passwords. The Microsoft Baseline Security Analyzer is a free tool from Microsoft that can identify accounts on your systems with weak passwords. It won’t tell you what those passwords are, but it can flag any that are weak. For Unix, you will probably need to run an offline password cracking tool against your user list with a dictionary of weak passwords.
- Crack your password database. To really assess whether or not your users are implementing good passwords, you are going to have to crack them (or at least attempt to do so). Any password cracking should be done using an offline tool to prevent users from being locked out. The SecTools.Org Top 125 Network Security Tools has some options for offline password cracking.
If you are going to do a full assessment of your users’ passwords, here are some guidelines:
- Make sure your management is fully aware and you have written authorization to perform this “attack”.
- Remember that your account lockout policy is designed to prevent anyone from performing a brute-force attack against your accounts, and your physical security is designed to keep anyone from booting a domain controller from a CD to snag the security database.
- Accounts that fall to simple dictionary attacks should be addressed immediately.
- Accounts that fall to hybrid attacks also need attention, but as a second priority.
- Those left are probably as good as you can expect any user to have, so don’t waste weeks trying to crack those.
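As an added illustration (not code from the original post), the check below models the dictionary-versus-hybrid distinction used in the guidelines above, so that it can serve both as a filter when users choose a password and as the triage step after an authorized offline audit. The wordlist, the character-substitution table, and the complexity rule are constructed assumptions, not anything a real policy or tool on this page specifies.

```python
import re

# Constructed mini wordlist standing in for a real dictionary of weak passwords.
WEAK_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monkey"}

# Reverse map for the character substitutions a hybrid attack tries (assumed table).
UNLEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e", "1": "i", "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Undo the simple mutations a hybrid attack generates: case changes, appended or
    prepended digits/symbols (Summer2024!), and leetspeak (P@ssw0rd). Demo-level only."""
    base = password.lower()
    base = re.sub(r"[^a-z]+$", "", base)   # strip trailing digits/symbols
    base = re.sub(r"^[^a-z]+", "", base)   # strip leading digits/symbols
    return base.translate(UNLEET)


def classify(password):
    """Return the triage bucket the guidelines above use:
    'dictionary'      - falls to a plain wordlist, fix immediately
    'hybrid'          - falls to wordlist plus simple mutations, second priority
    'not in wordlist' - survives this check (only as good as the wordlist)"""
    if password.lower() in WEAK_WORDS:
        return "dictionary"
    if normalize(password) in WEAK_WORDS:
        return "hybrid"
    return "not in wordlist"


def meets_complexity(password, min_len=8):
    """An assumed 'minimum length plus three of four character classes' rule. Note that
    it accepts P@ssword, which is exactly why the dictionary/hybrid check is needed."""
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password))
    return len(password) >= min_len and sum(classes) >= 3


def triage(accounts):
    """Group {user: password} pairs (e.g. recovered by an authorized offline audit)
    into the three buckets so the worst ones can be handled first."""
    buckets = {"dictionary": [], "hybrid": [], "not in wordlist": []}
    for user, password in accounts.items():
        buckets[classify(password)].append(user)
    return buckets


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    sample = {"alice": "P@ssword", "bob": "welcome", "carol": "Summer2024!", "dave": "correct-horse-battery-staple"}
    print(triage(sample))
```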
If you are a small company and have this kind of talent on staff (or feel comfortable contracting for it), this process can be a pretty useful exercise with tangible results. But what if we took the password part out of the picture entirely? If passwords are inherently weak yet in many cases still a necessary component to our operations, what else could we do to remove the risk associated with passwords? Check back on Friday for some thoughts around mitigating the risks to passwords.
Contributor: Emmanuel Carabott from GFI Software Ltd.