There is very often only a password standing between a thief and your company’s most valuable assets, such as data, systems and networks. Passwords serve a simple purpose: to verify users of operating systems (OS), email and remote access. They can also guard sensitive information such as compressed files, cryptographic keys (a string of bits used by a cryptographic algorithm to transform plaintext into ciphertext or vice versa) and encrypted hard drives.
The easiest way for a hacker to gain access to valuable data is to obtain the respective password by whatever means necessary. As password protection is not always 100% effective, it is important to understand and mitigate threats to password security to protect your company and its assets.
The top 4 password threats
The best form of attack is defence; it pays to anticipate possible security threats. There are four main ways that attackers attempt to obtain passwords: capturing passwords, guessing or cracking passwords, replacing passwords and using compromised passwords.
1. Password capturing
Passwords can be captured from where they are stored, while they are transmitted, or through what users know and do. Application and OS passwords are stored on network hosts (computers connected to a network) and used for identification. If the stored passwords are not secured properly, an attacker with physical access to a network host may be able to obtain them. Passwords should always be stored with additional security controls in place, such as:
- Encrypting all files that contain passwords
- Restricting access to files that contain passwords using OS access control features
- Storing one-way cryptographic ‘hashes’ for passwords instead of storing the passwords themselves
Hashes are the result of putting data, such as passwords, through an algorithm that transforms the original information into a different form. For example, the password ‘default’ could be mapped to a value such as 15. The network host stores only the 15; when someone logs in, it hashes the password they typed and checks whether the result is also 15.
Using hashes in this way lets computers authenticate a user’s password without ever storing the actual password.
However, an element of risk remains: when a user enters a password into a computer, the password or its hash is often transmitted between hosts over the network to authenticate that user, and this transmission is vulnerable to attack. You can reduce this risk by encrypting the passwords or the transmissions that carry them.
Other risks come from malware: keyloggers and Trojan horses, for example, observe user activity, such as which keys a user presses, to discover usernames and passwords. Install antimalware and antivirus software to help lessen these risks.
2. Password guessing and cracking
Attackers can often discover weak passwords through guessing, and recover passwords from password hashes through cracking.
Guessing is simple: an attacker attempts to uncover a password by repeatedly trying default passwords, common words and other likely candidates such as family members’ names and birth dates. If attackers can see your social media accounts, finding out these details is even easier. Strong passwords are necessary for cyber security. Never choose a password that someone could easily guess, and make sure to reasonably limit the number of authentication attempts to prevent unlimited guessing.
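An added example (not part of the original article) of the attempt-limiting advice above: a small sliding-window limiter in Python. The thresholds, the injectable clock and the hard-coded credential checker are constructed for illustration.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict

# Assumptions for this example: 5 failures within 15 minutes lock the account,
# and it stays locked until enough old failures age out of the window.
class AttemptLimiter:
    def __init__(self, max_failures: int = 5, window_s: float = 900.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock  # injectable so the behaviour can be tested offline
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)

    def _recent(self, account: str) -> Deque[float]:
        """Drop failures older than the window and return what is left."""
        cutoff = self.clock() - self.window_s
        q = self._failures[account]
        while q and q[0] < cutoff:
            q.popleft()
        return q

    def is_locked(self, account: str) -> bool:
        return len(self._recent(account)) >= self.max_failures

    def record_failure(self, account: str) -> None:
        self._recent(account).append(self.clock())

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a good login clears the counter


def attempt_login(limiter: AttemptLimiter, account: str, password: str,
                  check: Callable[[str, str], bool]) -> str:
    """Return 'locked', 'ok' or 'denied'. A locked account is not checked at all,
    so further attempts yield no new information about the password."""
    if limiter.is_locked(account):
        return "locked"
    if check(account, password):
        limiter.record_success(account)
        return "ok"
    limiter.record_failure(account)
    return "denied"


if __name__ == "__main__":
    # Constructed demo with a single hard-coded credential as the verifier.
    limiter = AttemptLimiter(max_failures=3, window_s=60.0)
    verifier = lambda user, pw: (user, pw) == ("alice", "correct-horse")
    for guess in ["password", "123456", "default", "correct-horse"]:
        print(guess, "->", attempt_login(limiter, "alice", guess, verifier))
```

In production the counter would live in shared storage rather than process memory, and lockouts should be logged so that bursts of failures are visible to the security team.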
Cracking is more involved. An attacker who has obtained password hashes tries to find a character string that produces the same hash as the password. If the hash algorithm is weak, cracking is much easier. Hash functions should be one-way, meaning a password can be turned into its hash but the hash cannot be turned back into the password; a good hash function makes it practically impossible to recover the original text from the hash. As with guessing, cracking can be countered by choosing strong passwords and changing them regularly.
3. Password replacing
When people forget their password they have two options: reset it and choose a new one, or recover the original. If a user’s identity is not properly verified during a reset or recovery request, an attacker could easily pose as the user, gain unauthorised access to the system, application or data, and set a password that only they know. This replaces the user’s original password and locks the user out of the system.
Any attempt to reset or recover a password should start with a rigorous verification process. Rather than using obvious information such as birth dates for verification, opt for personal or subjective information that only you know and that cannot be found anywhere else online.
4. Compromised passwords
When an attacker compromises a password through any of the previously mentioned methods, that attacker will have unauthorised access until the user changes his or her password. Because of this, many organisations use automatic password expiry measures to ensure no password remains valid indefinitely.
Yet password expiry is ineffective if the root cause of a compromised password is not fixed. For example, if an attacker uses cracking to obtain a password, automatic password expiry will not solve the security problem because the attacker can simply use the same process again. If using automatic password expiry, make sure you have a plan in place to secure your system and reset passwords in the event of a security breach. When one password is compromised, reset all passwords just to be safe.
Organisations should encourage users to choose strong alphanumeric passwords (a mixture of uppercase and lowercase letters, numbers and special characters). However, complex passwords are harder to remember, so users are more likely to write them down and endanger the system’s security. You can reconcile these conflicting security measures by following these recommendations:
- Create a password policy that specifies all of the organisation’s password management-related requirements.
- Configure password mechanisms to reduce the likelihood of successful password guessing and cracking.
- Protect passwords from attacks that capture passwords.
- Determine requirements for password expiry based on balancing security needs and usability.
Managing an organisation’s password security risk can be a difficult process, as the threats are unrelenting. It is therefore worth taking the time to mitigate your cyber risks and protect your assets.