The most popular password in India is: password. That sums up why cybersecurity experts are concerned about credential security. While security tokens, biometrics, and facial recognition are increasingly used to control access to enterprise IT assets, passwords remain the most common access control in business. Threat actors therefore target passwords to obtain access to enterprise IT systems, which makes password security critical to maintaining enterprise cybersecurity.
Before we dive into securing passwords, let us first examine how cyberattackers are able to exploit weaknesses in password security to gain access credentials.
Weaknesses in Password Security
Enterprise passwords are typically compromised due to
- Use of Default Passwords – Many IT assets, especially devices, ship with a default password applied out of the box, and these defaults are publicly documented by the vendor. End users are also often granted initial access to corporate systems through a password created by the IT team. Leaving such credentials in place makes password compromise trivial for cyberattackers
- Creation of Weak Passwords – Passwords that are short, draw on few character classes, or are linked to the identity of the user (e.g., birthday combined with name of spouse) are easy to guess and therefore easy to compromise
- Password Reuse – End users may create one password that is used across multiple services. Threat actors that obtain the password by compromising one service can now use the password to gain access to other services. The Colonial Pipeline attack in the USA, which resulted in fuel shortages, was made possible by password reuse
- Password Recycling – End users may use older passwords again after an interval of time, allowing threat actors to enter the organisation through passwords that have been previously compromised
- Password Sharing – Employees who are in the habit of sharing passwords amongst themselves increase the probability of an internal threat actor misusing the shared passwords, or selling the passwords to an external threat actor
- Poor Password Storage – End users may store passwords in plain text files which may be exfiltrated by cyberattackers, or leave them written on their desks where they may be stolen by anyone with physical access to the desk
This may be considered a list of worst practices in the context of password security. Let us now understand how threat actors may obtain these passwords.
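The worst practices above (common and vendor-default passwords, short or single-class passwords, identity-linked passwords, and recycled passwords) can all be rejected mechanically at the point where a password is set. The following check is an added example written for this page, not code from K7 Security; the minimum length, the tiny common-password and default-password lists, and the sample user record are constructed assumptions, and a real deployment would check against a breached-password list of millions of entries.

```python
"""Password-policy check covering the weak-password patterns listed above.

Added example, not K7 Security's own code. Thresholds, word lists and the
sample user record are constructed assumptions for the demonstration.
"""
import hashlib
import re
from datetime import date

# Constructed: stand-ins for a real common-password list and a vendor-default list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "admin"}
DEFAULT_PASSWORDS = {"admin", "changeme", "default", "Welcome1"}

MIN_LENGTH = 12
MIN_CLASSES = 3        # of lower, upper, digit, symbol
HISTORY_SIZE = 10      # previous password hashes retained to block recycling

# Constructed sample user used by the demo below.
SAMPLE_USER = {
    "name": "Priya Sharma",
    "spouse": "Rahul",
    "username": "psharma",
    "dob": date(1990, 3, 15),
}


def history_hash(password):
    """Hash kept only for the recycling check; store live passwords with argon2/bcrypt."""
    return hashlib.sha256(password.encode()).hexdigest()


def identity_tokens(user):
    """Strings derived from the user's identity that must not appear in the password."""
    tokens = set()
    for field in (user.get("name"), user.get("spouse"), user.get("username")):
        if field:
            tokens.update(p for p in re.split(r"\W+", field.lower()) if len(p) >= 3)
    dob = user.get("dob")
    if dob:
        tokens.update(dob.strftime(f) for f in ("%d%m", "%m%d", "%Y", "%d%m%Y", "%Y%m%d"))
    return tokens


def check_password(candidate, user, history):
    """Return a list of policy violations; an empty list means the password is acceptable.

    user:    dict with optional name / spouse / username / dob
    history: list of history_hash() digests of the user's previous passwords
    """
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if lowered in COMMON_PASSWORDS or candidate in DEFAULT_PASSWORDS:
        problems.append("common or vendor-default password")
    hits = sorted(t for t in identity_tokens(user) if t in lowered)
    if hits:
        problems.append("contains identity-linked token(s): " + ", ".join(hits))
    if history_hash(candidate) in history[-HISTORY_SIZE:]:
        problems.append(f"recycles one of the last {HISTORY_SIZE} passwords")
    return problems


if __name__ == "__main__":
    for pw in ("password", "Rahul1503!!!!", "T3a-kettle.Whistles!"):
        print(pw, "->", check_password(pw, SAMPLE_USER, []) or "accepted")
```

The identity check deliberately matches substrings of the lowercased password, so a "clever" variant such as the spouse's name followed by a birthday is caught as well as the bare name; the history check compares hashes so that old passwords never need to be stored in clear.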
How Cyberattackers Acquire Passwords
Cyberattackers may acquire passwords directly or indirectly. These are some of the methods used for direct password acquisition:
- Keyloggers – These are a type of malware that capture passwords by recording the keystrokes of the user. Sophisticated keyloggers can capture screenshots and even make videos to help the attacker defeat on-screen keyboards and understand how and where the credentials should be used
- Brute Force/Dictionary Attack – The attacker repeatedly tries character combinations (brute force) or words from a list of common passwords (dictionary) until the password is found. Against a live login that does not limit failed attempts this is done online; against stolen password hashes it is done offline at far higher speed. A threat actor launched a ransomware attack on the Colorado Department of Transportation in the USA by discovering the password to a server after 40,000 attempts
- Social Engineering – These are attacks that are targeted at users rather than a network or a device, and involve gaining the user’s trust in a way that will lead them to reveal their password. A simple form of this attack is a phone call from the attacker who pretends to represent the IT team and requests the password to fix an issue with the computer, but more complex versions of this attack exist: hackers stole ~10 million scientific papers from 320 universities in 22 countries by sending emails to academicians that had a link to a fake university login page from which passwords were harvested
Indirect acquisition involves buying compromised passwords from other threat actors on the dark web. Prices vary based on the extent of access they provide, averaging $3,100 but going as high as $120,000 for domain administrator credentials.
Improving Enterprise Password Security
Enterprise passwords can be secured by following password best practices and taking steps to prevent cyberattackers from acquiring passwords used in your organisation.
- Create a Password Policy – The password policy should be part of your organisation’s cybersecurity policy, and should stipulate password standards to be followed across your organisation. This ensures that IT teams and end users understand what level of password security they should aim for e.g., laying down requirements for password complexity eliminates confusion about what constitutes a ‘strong’ password
- Follow Password Hygiene – Employees should be encouraged to follow password hygiene and not recycle, reuse, or share passwords. Management should also be apprised of the importance of following password hygiene and should not create processes that require password sharing
- In addition to password hygiene, end users with elevated access (such as administrators) should have additional logins without elevated privileges which should be used for all activities that do not require elevated privileges. This mitigates risk as the account with elevated privileges will be less frequently used, reducing opportunities for compromise; if the password to the more frequently used additional account is compromised, the threat actor's activities will be constrained by the limited privileges associated with that account
- Perform a Cybersecurity Audit – Ascertaining password status by auditing the IT infrastructure will reveal which assets use default passwords or do not have adequate security policies in place. The audit should include all networking devices (such as routers) and all networked devices (such as IoT devices). Passwords should be changed or updated based on the audit
- Regulate Access – Before any stakeholder is assigned a password to access any IT resource, the necessity for such access should be confirmed. Access should be granted by following the principle of least privilege i.e., the password should unlock the least privileges required by the user to perform their responsibilities, mitigating the impact of password compromise
- Protect Devices – Computing devices should have endpoint protection, such as K7 Endpoint Security, installed to identify and block password stealing malware such as keyloggers, and to prevent social engineering attacks like phishing
- It is important to remember that all devices that connect to the enterprise network should be protected, and all devices should be allowed to receive cybersecurity updates as soon as they are released by the vendor
- In addition to endpoint security, other device-level security policies should also be in place e.g., the attack mentioned above, where the threat actor used 40,000 attempts to guess the password, could have been prevented by limiting the number of failed login attempts
- Deploy Password Managers – Enterprise password managers provide a secure vault for employees to store passwords and generate new, strong passwords. This eliminates the need for individuals to remember a large number of credentials and therefore reduces the temptation to create easy passwords or otherwise violate password hygiene. The chosen password manager should be a zero-knowledge solution i.e., only the end user has access to their credentials and the password management solution vendor (or anyone else) cannot access the stored credentials
- Implement Multi-factor Authentication – Utilising more than one factor to grant access ensures that even if one factor (the password) is compromised, security is maintained because the threat actor will not possess the other factor(s). Factors delivered as one-time codes (SMS, authenticator apps) can still be relayed in real time by a phishing page, so phishing-resistant factors such as hardware security keys should be preferred for administrators and remote-access gateways
- Disable Unused Accounts – Attackers may find it easier to compromise unused accounts because activity in such accounts tends to go unnoticed. Unused accounts should be disabled and employee exit policies should include identification and disablement of all accounts used by departing employees
- Provide Employee Training – Threat actors may attempt to use social engineering to gain the confidence of employees in their personal lives, e.g., through their use of social media. Employees should be trained to spot such attacks, avoid oversharing on social media, and encouraged to not accept connection requests from individuals they do not personally know
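The failed-attempt limit recommended above, applied to the 40,000-guess scenario, looks like this in practice. This is an added example written for this page, not K7 Security's own code; the lockout threshold and duration, the in-memory account store, the PBKDF2 iteration count, and the simulated guessing run are all constructed assumptions. It goes slightly beyond the text in also showing constant-time comparison and an injectable clock so the lockout window can be tested without waiting.

```python
"""Account lockout after consecutive failed logins.

Added example, not K7 Security's own code. Thresholds, the account store and
the simulated attack are constructed assumptions for the demonstration.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_FAILURES = 5            # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the account stays locked
PBKDF2_ROUNDS = 100_000     # kept low so the demo is fast; production needs far more, or argon2id


class LoginService:
    def __init__(self):
        self.users = {}                    # username -> (salt, derived key)
        self.failures = defaultdict(int)   # username -> consecutive failures
        self.locked_until = {}             # username -> unix time the lock expires
        self.audit = []                    # (time, username, event) records

    @staticmethod
    def digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self.digest(salt, password))

    def login(self, username, password, now=None):
        """Return 'ok', 'denied' or 'locked'. `now` is injectable so tests can move the clock."""
        now = time.time() if now is None else now
        until = self.locked_until.get(username)
        if until is not None and now < until:
            self.audit.append((now, username, "locked"))
            return "locked"                      # no hashing at all while locked
        record = self.users.get(username)
        # Hash against a dummy record for unknown users so response time does not reveal valid usernames.
        salt, stored = record if record else (b"\0" * 16, b"\0" * 32)
        candidate = self.digest(salt, password)
        if record is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop(username, None)
            self.locked_until.pop(username, None)
            self.audit.append((now, username, "ok"))
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures.pop(username, None)    # next window starts with a clean count
            self.audit.append((now, username, "lockout"))
        else:
            self.audit.append((now, username, "denied"))
        return "denied"


def simulate_brute_force(attempts=40_000, guesses_per_second=10):
    """Replay a constructed guessing run against one account and summarise what got through."""
    svc = LoginService()
    svc.register("svc-backup", "T3a-kettle.Whistles!")   # constructed account and password
    start = 1_700_000_000.0
    checked = rejected = 0
    for i in range(attempts):
        now = start + i / guesses_per_second
        if svc.login("svc-backup", f"guess{i}", now) == "locked":
            rejected += 1
        else:
            checked += 1
    lockouts = sum(1 for _, _, event in svc.audit if event == "lockout")
    return {
        "attempts": attempts,
        "guesses_actually_checked": checked,
        "rejected_by_lockout": rejected,
        "lockouts": lockouts,
    }


if __name__ == "__main__":
    print(simulate_brute_force())
```

With a 15-minute lock after 5 failures, a 40,000-guess run at ten guesses per second spans just over an hour, so only 25 guesses are ever checked against the stored hash and 39,975 are refused outright. Two caveats a practitioner should keep in mind: per-account lockout lets an attacker deliberately lock out a victim, so pair it with per-source throttling and alerting on the `lockout` audit events rather than relying on it alone; and the lock must be enforced at every authentication path (web, VPN, API), not just the interactive login page.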
K7 Security creates international award winning cybersecurity solutions that protect enterprises from password stealing malware, phishing emails, malicious websites, and many other cyberthreats. Please Contact Us to learn more about how we can help you secure your organisation against cyberattacks.