Mitigating Password Threats
Posted June 03, 2015
Passwords often protect valuable data and are therefore a common target for hackers and thieves. While no method of password threat mitigation is 100 percent effective, it is important to understand the threats and the specific ways to address them so you can protect your company and its assets.
Types of Password Threats
There are four types of threats hackers use to access user passwords: capturing; guessing and cracking; replacing; and using compromised passwords.
- Password Capturing
Password capturing is an attacker acquiring a password from storage, from transmission, or from a user’s knowledge and behavior. To be used for authentication, OS and application passwords are stored on hosts. If the stored passwords are not secured properly, attackers with physical access to a host may be able to gain access to the passwords. Passwords should not be stored without additional security controls to protect them. Security controls may include:
- Encrypting files that contain passwords. This may be done by the operating system, an application or a specialized utility such as password management software that is specifically designed to protect the confidentiality of passwords.
- Using OS access control features to restrict access to files that contain passwords. For example, a host could be configured to permit only administrators and certain processes running with administrator-level privileges to access a password file, thus preventing users and user-level processes from accessing passwords.
- Storing one-way cryptographic hashes for passwords instead of storing the passwords themselves. The use of such hashes allows the authentication system to verify during authentication attempts that the correct password has been entered without storing the actual password. An attacker that gains access to hashes cannot determine the corresponding passwords directly from the hashes and must use cracking techniques to attempt to recover the passwords.
Organizations should carefully consider how well passwords and password hashes stored by applications are protected. For example, Web browsers, email clients and other applications can store passwords on behalf of users, but it is often not apparent how well-secured these passwords are. Also, in most cases these applications automatically fill in passwords as needed without verifying the user’s identity, which permits an attacker who can gain access to such a computer to use the passwords immediately. Organizations should decide which types of applications, if any, should be permitted to store passwords and password hashes based on a consideration of the risks of doing so versus the convenience provided to users. Organizations should have requirements in their password policies regarding which types of applications may store passwords and hashes, as well as how those stored passwords and hashes should be protected.
In addition to storing passwords on the host, users and administrators may also keep passwords on paper so that they do not have to remember them. Such papers should be physically secured, such as stored in a locked file cabinet, safe or office to prevent the passwords from being acquired by a malicious party with physical access to the workspace. Also, papers containing passwords should be discarded properly, such as shredding them instead of throwing them in a trash can or recycling bin.
Password entry can also be monitored by attackers through technical means. For example, a keystroke logger, also known as a keylogger, is a form of malware that monitors the keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker. An attacker can use a keystroke logger to acquire the usernames and passwords typed into the infected computer. Many Trojan horses and some other forms of malware can also monitor user activity to gather usernames, passwords and other sensitive pieces of information for attackers. These sorts of threats can be mitigated by securing users’ hosts effectively, including applying patches regularly, using antimalware software (e.g., antivirus software, antispyware software) and having the user run with user-level privileges, not administrator-level privileges, for daily tasks. Another possible mitigation technique is to avoid typing passwords, with ways such as retrieving them from secure storage or using onscreen simulated keyboards to enter them. Users should also be cautioned against downloading and executing files from unknown sources. Users should be warned not to enter passwords into publicly accessible computers, such as kiosk computers at conferences and hotels, because of the high risk of the passwords being compromised.
Users may also reveal their passwords to attackers because of social engineering. For example, an attacker could pretend to be a help desk agent, call a user and ask the user to provide a password to assist the agent in troubleshooting a problem. Social engineering can take many forms, some of which involve technical methods, such as phishing emails that direct users to a malicious website that mimics a legitimate site. The goal behind many phishing attacks is to collect usernames, passwords and other sensitive information from users. Mitigation of social engineering threats primarily involves user awareness of such threats and how they should be handled, although some technical controls are also available (for example, many Web browsers offer anti-phishing capabilities). Social engineering may also target help desk agents, system administrators, and other IT staff with access to privileged accounts, so organizations should ensure that they are aware of how to recognize such attacks and how to respond when an attack is suspected.
- Password Guessing and Cracking
Attackers attempt to determine weak passwords and to recover passwords from password hashes through two types of techniques: guessing and cracking. Guessing involves repeatedly attempting to authenticate using default passwords, dictionary words and other possible passwords. Cracking is the process of an attacker recovering cryptographic password hashes and using various analysis methods to attempt to identify a character string that will produce one of these hashes, thereby being the equivalent of the password to the targeted system. Guessing can be attempted by any attacker that can access the authentication interface, whereas cracking can only be attempted by an attacker who has already gained access to password hashes.
There are several forms of guessing. In a brute force attack, the attacker attempts to guess the password using all possible combinations of characters from a given character set and for passwords up to a given length. This method is likely to take an extensive amount of time if there are many combinations to be tested. In a dictionary attack, the attacker attempts to guess the password using a list of possible passwords. The list may contain numbers, letters and symbols, but is not an exhaustive list of all possible passwords or combinations that could create a password. In a hybrid attack, the attacker uses a dictionary that contains possible passwords and then uses variations through brute force methods of the original passwords in the dictionary to create new potential passwords. Since the attacker is adding characters—and in some cases replacing characters based on a rule set—in a controlled manner, the attack is more exhaustive than a dictionary attack but takes less time than a brute force attack. Another form of guessing attack is searching the victim’s information for possible password content, such as family member names or birthdates.
Guessing attacks can be mitigated rather easily by using a combination of two methods. First, ensure that passwords are sufficiently complex so that attackers cannot readily guess them. It is particularly important to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers. Organizations should also ensure that other trivial passwords cannot be set, such as the username or person’s name, “password”, the organization’s name, simple keyboard patterns (e.g., “qwerty”, “1234!@#$”), dates (e.g., “03011970”), dictionary words and names of people and places. Most password mechanisms have the ability to prevent the use of such passwords.
The second method recommended for mitigating guessing attacks is to configure OS and application password authentication mechanisms to limit the frequency of authentication attempts. Examples of how this can be accomplished include the following:
- Lock out a user account after a number of consecutive failed authentication attempts (often performed within a particular time period, such as the past hour). For example, after a user has failed to provide the correct password 10 times in a row, ignore all additional authentication attempts to access the user account for 15 minutes. Locking out an account after only a few failed attempts has a significant impact on legitimate users and tends to cause them to choose simpler passwords or store their passwords insecurely, thus weakening security.
- Have a fixed or exponentially increasing delay after each failed authentication attempt. After the first failure, for example, there could be a five-second delay; after the second failure, a 10-second delay; after the third failure, a 20-second delay, and so on.
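The two throttling methods above, combined in one small server-side component, as an added example that is not part of the original post or the NIST source. The class name, thresholds (10 consecutive failures within an hour, a 15-minute lockout, a 5-second delay that doubles after each failure) and the injectable clock are assumptions chosen to match the figures in the text.

```python
import time
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 10      # consecutive failures before the account is locked
LOCKOUT_WINDOW = 3600       # only failures within the past hour count
LOCKOUT_DURATION = 15 * 60  # ignore attempts for 15 minutes once locked
BASE_DELAY = 5              # 5 s after the first failure, doubling thereafter


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of consecutive failures
    locked_until: float = 0.0


class LoginThrottle:
    """Hypothetical throttle: tracks failed logins per account, enforces
    an exponential delay and locks the account after too many failures."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so behaviour is testable
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def _prune(self, st, t):
        # Forget failures older than the counting window
        st.failures = [f for f in st.failures if t - f <= LOCKOUT_WINDOW]

    def check(self, user):
        """Return (allowed, seconds_to_wait) before processing an attempt.
        The caller enforces the wait (e.g. reject until the delay has elapsed)."""
        st = self._state(user)
        t = self.now()
        if t < st.locked_until:
            return False, st.locked_until - t
        self._prune(st, t)
        n = len(st.failures)
        delay = BASE_DELAY * (2 ** (n - 1)) if n else 0
        return True, delay

    def record(self, user, success):
        """Update state after an authentication attempt has been processed."""
        st = self._state(user)
        t = self.now()
        if success:
            st.failures.clear()   # a successful login resets the streak
            return
        self._prune(st, t)
        st.failures.append(t)
        if len(st.failures) >= LOCKOUT_THRESHOLD:
            st.locked_until = t + LOCKOUT_DURATION
            st.failures.clear()
```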
Cracking involves attempting to discover a character string that will produce the same hash as the target password. The discovered string may be the actual password or another password that happens to produce the same hash. If the hash algorithm is weak, cracking may be much easier. Hash functions should be one-way; otherwise attackers that can access hashes may be able to identify passwords from them and successfully authenticate. Another example of a hash algorithm weakness is that some algorithms do not use salting. Salting is the inclusion of a random value in the password hashing process that greatly decreases the likelihood of identical passwords returning the same hash. If two users choose the same password, salting makes it highly unlikely that their hashes are the same. All forms of cracking can be mitigated by making passwords strong, using one-way password hash algorithms, and protecting the confidentiality of password hashes. Changing passwords periodically also slightly reduces the risk posed by cracking.
- Password Replacing
An attacker can successfully authenticate to an account by replacing the account’s existing password with another password that is known by the attacker. The attacker does not necessarily need to know the original password to accomplish this—for example, the attacker could intercept a user’s legitimate attempt to reset a password.
When a user forgets a password, generally there are two options: regain access to the old password—password recovery—or set a new password—a password reset. Password resets are also performed when a new account is created, to set an initial password. There are many ways in which password recovery and resets can be conducted, ranging from an in-person visit with an IT staff member to a fully automated self-service utility. If the identity of the user requesting a password recovery or reset is not properly verified, an attacker could easily pose as a user and gain access to that user’s password, so all recovery and reset mechanisms should first verify the user’s identity. Examples of verification methods include basic knowledge-based verification (e.g., employee ID number, badge number, date of birth); predetermined challenge response questions set during account creation (e.g., color of first car, favorite pet’s name); calling a user back on an office phone; and requiring a face-to-face visit from the user to provide photo identification.
Each verification method has advantages and disadvantages that should be evaluated before use. Privacy concerns should be carefully evaluated; for example, information such as Social Security numbers and mother’s maiden name should not be used for identity verification. User verification should not include data or question answers that can be easily obtained or guessed by an attacker, such as an employee ID number available from a company directory. For each password recovery or reset mechanism, the thoroughness of the user verification can be tailored to the account’s relative security needs—for example, organizations might want to require a rigorous, out-of-band verification method for the highest-security passwords and use less rigorous methods for other cases. When selecting verification methods, organizations should consider the relative risk of each method as opposed to its cost and convenience. Organizations should also identify and address any requirements to perform password recovery and resets for people who are not physically located in the organization’s main facilities, including users who telecommute or are traveling.
- Using Compromised Passwords
If an attacker has compromised a password through guessing, cracking or capture, the attacker will be able to use that password until it is changed by the user. To reduce the potential impact of such unauthorized password use, many organizations have implemented password expiration mechanisms that force a user to select a new password after a certain number of days. Although this is beneficial for reducing the impact of some password compromises, it is ineffective for others—for example, when the attacker can compromise the new password through the same method as the old password (such as a keylogger running on the user’s computer) or when the attacker has a way of maintaining access to the target without the password, such as setting up a backdoor on the target. Password expiration is also often a source of frustration to users, who are often required to create and remember new passwords every month or two for dozens of user accounts.
Organizations should decide whether to use password expiration mechanisms and what expiration period to set based on balancing security needs and usability. For example, if the organization provides secure storage for user passwords, so that users do not have to remember passwords, then password expiration will be less frustrating to users. If there are significant threats involving unauthorized access to password hashes, then it may be necessary to set the expiration period to be less than the amount of time required to crack the passwords from the hashes. Another consideration is the frequency of authentication—if an application is accessed only a few times a year by employees and password expiration is enforced, then the passwords will be expired every time the users attempt to authenticate. Other factors for organizations to consider in selecting password expiration requirements include the strength of password storage and transmission algorithms and the system security requirements. Organizations should consider having different policies for password expiration for different types of systems, OSs and applications, to reflect their varying security needs and usability requirements.
If Passwords Are Compromised
If an organization believes that a password management system or other source of passwords has been compromised, the organization should act swiftly to mitigate the weaknesses that allowed the compromise, restore the compromised system to a secure state and require all users to change their passwords immediately. Implementing the enterprise password change will require careful planning and coordination. Procedures should be in place to notify all affected users. This notification should only inform the users of the situation and notify them that their passwords have been reset or need to be changed immediately. Users should be instructed to change their password as they normally would and contact the help desk if they need assistance. If users are allowed to change their passwords, a procedure should be in place to force the change and verify that changes have been made. If passwords are reset to assigned passwords, then there should be procedures in place to communicate the assigned passwords to the users in a secure manner. If the procedures that are in place cause a greatly increased workload on help desk staff, there should be resources available to augment help desk staff to ensure they can effectively handle the password resets.
Source: National Institute of Standards and Technology
This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice.