Mitigating Password Attacks

Passwords are also used in less visible ways; for example, a biometric device may generate a password based on a fingerprint scan, which is then used for authentication. Because they often protect valuable data, passwords are a common theft target for hackers and thieves. While no method of password threat mitigation is 100 percent effective, it’s essential to understand the threats and specific ways to address them so you can protect your company and its assets.

Types of Password Attacks

There are four types of threats hackers can use to access user passwords:

1. Password capturing

Password capturing is an attacker acquiring a password from storage, transmission, or user knowledge and behavior. For authentication, OS and application passwords are stored on hosts. If the stored passwords are not appropriately secured, attackers with physical access to a host may be able to gain access to the passwords. Passwords should not be stored without additional security controls to protect them. Security controls may include the following:

• Encrypting files containing passwords: This may be done by the operating system, an application, or a specialized utility such as password management software specifically designed to protect the confidentiality of passwords.
• Using OS access control features to restrict access to files that contain passwords: For example, a host could be configured to permit only administrators and specific processes running with administrator-level privileges to access a password file, thus preventing users and user-level processes from accessing passwords.
• Storing one-way cryptographic hashes for passwords instead of storing the passwords themselves: Using such hashes allows the authentication system to verify during authentication attempts that the correct password has been entered without storing the actual password. An attacker that gains access to hashes cannot determine the corresponding passwords directly from the hashes and must use cracking techniques to attempt to recover the passwords.

Organizations should carefully consider how well passwords and password hashes stored by applications are protected. For example, Web browsers, email clients, and other applications can store passwords on behalf of users, but it is often not apparent how well-secured these passwords are. Also, in most cases, these applications automatically fill in passwords as needed without verifying the user’s identity, which permits an attacker who can access such a computer to use the passwords immediately. Organizations should decide which applications if any, should be permitted to store passwords and password hashes based on considering the risks of doing so versus the convenience provided to users. Organizations should have requirements in their password policies regarding which types of applications may store passwords and hashes, as well as how those stored passwords and hashes should be protected.

In addition to storing passwords on the host, users and administrators may keep them on paper so they do not have to remember them. Such documents should be physically secured, such as stored in a locked file cabinet, safe, or office, to prevent the passwords from being acquired by a malicious party with physical access to the workspace. Also, papers containing passwords should be appropriately discarded, such as shredding them instead of throwing them in a trash can or recycling bin. Attackers can also monitor password entry through technical means. For example, a keystroke logger, also known as a keylogger, is a form of malware that monitors the keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker. An attacker can use a keystroke logger to acquire the usernames and passwords typed into the infected computer.

Many Trojan horses and some other forms of malware can also monitor user activity to gather usernames, passwords, and additional sensitive information for attackers. These sorts of threats can be mitigated by securing users’ hosts effectively, including applying patches regularly, using antimalware software (e.g., antivirus software, antispyware software), and having the user run with user-level privileges, not administrator-level privileges, for daily tasks. Another possible mitigation technique is to avoid typing passwords, such as retrieving them from secure storage or using onscreen simulated keyboards to enter them. Users should also be cautioned against downloading and executing files from unknown sources. Users should be warned not to enter passwords into publicly accessible computers, such as kiosk computers at conferences and hotels, because of the high risk of compromised passwords.

Users may also reveal their passwords to attackers because of social engineering. For example, an attacker could pretend to be a help desk agent, call a user and ask the user to provide a password to assist the agent in troubleshooting a problem. Social engineering can take many forms, some of which involve technical methods, such as phishing emails that direct users to a malicious website that mimics a legitimate site. The goal behind many phishing attacks is to collect usernames, passwords, and other sensitive information from users.

Mitigation of social engineering threats primarily involves user awareness of such threats and how they should be handled. However, some technical controls are also available (for example, many Web browsers offer anti-phishing capabilities). Social engineering may also target help desk agents, system administrators, and other IT staff with access to privileged accounts. Organizations should ensure that they know how to recognize such attacks and respond when an attack is suspected.

2. Password Guessing and Cracking

Attackers attempt to determine weak passwords and recover passwords from password hashes through two types of techniques—guessing and cracking. Guessing involves repeatedly attempting to authenticate using default passwords, dictionary words, and other possible passwords. Cracking is the process of an attacker recovering cryptographic password hashes and using various analytical methods to identify a character string that will produce one of these hashes, thereby being the equivalent of the password to the targeted system. Guessing can be attempted by any attacker that can access the authentication interface, whereas cracking can only be attempted by an attacker who has already gained access to password hashes.

There are several forms of guessing:

• In a brute force attack, the attacker attempts to guess the password using all possible combinations of characters from a given character set and for passwords up to a given length. This method will likely take ample time if many combinations are tested.
• In a dictionary attack, the attacker attempts to guess the password using a list of possible passwords. The list may contain numbers, letters, and symbols but is not an exhaustive list of all possible passwords or combinations that could create a password.
• In a hybrid attack, the attacker uses a dictionary containing possible passwords and then uses variations through brute force methods of the original ones in the dictionary to create new potential passwords. Since the attacker is adding characters—and in some cases replacing characters based on a rule set—in a controlled manner, the attack is more exhaustive than a dictionary attack but takes less time than a brute force attack.
• Another guessing attack is searching the victim’s information for possible password content, such as family member names or birthdates.

Guessing attacks can be mitigated relatively easily by combining two methods. First, ensure that passwords are sufficiently complex so attackers cannot readily guess them. It is essential to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers. Organizations should also ensure that other trivial passwords cannot be set, such as the username or person’s name, “password,” the organization’s name, or simple keyboard patterns (e.g., “qwerty,” “1234!@#$”), dates (e.g., “03011970”), dictionary words and names of people and places. Most password mechanisms can prevent the use of such passwords.

The second method recommended for mitigating guessing attacks is configuring OS and application password authentication mechanisms to limit the frequency of authentication attempts. Examples of how this can be accomplished include the following:

• Lock out a user account after several consecutive failed authentication attempts (often performed within a particular period, such as the past hour). For example, after a user has failed to provide the correct password ten times in a row, ignore all additional authentication attempts to access the user account for 15 minutes. Locking out an account after only a few failed attempts significantly impacts legitimate users and tends to cause them to choose simpler passwords or store their passwords insecurely, thus weakening security.
• Have a fixed or exponentially increasing delay after each failed authentication attempt. After the first failure, for example, there could be a five-second delay; after the second failure, a 10-second delay; after the third failure, a 20-second delay; and so on.

Cracking involves attempting to discover a character string that will produce the same encrypted hash as the target password. The discovered string may be the actual password or another password that produces the same hash. If the hash algorithm is weak, cracking may be much easier. Hash functions should be one-way; otherwise, attackers that can access hashes may be able to identify passwords from them and successfully authenticate. Another example of a hash algorithm weakness is that some algorithms do not use salting. Salting is the inclusion of a random value in the password hashing process that significantly decreases the likelihood of identical passwords returning the same hash. If two users choose the same password, salting can make it highly unlikely that their hashes are the same. All forms of cracking can be mitigated by making passwords strong, using one-way password hash algorithms, and protecting the confidentiality of password hashes. Changing passwords periodically also reduces the risk posed by cracking.

3. Password Replacing

An attacker can successfully authenticate into an account by replacing the account’s existing password with another password that the attacker knows. The attacker does not necessarily need to know the original password to accomplish this—for example, the attacker could intercept a user’s legitimate attempt to reset a password.

Generally, when a user forgets a password, there are two options: regain access to the old password (password recovery) or set a new password (a password reset). Password resets are also performed to set an initial password when a new account is created. There are many ways in which password recovery and resets can be conducted, ranging from an in-person visit with an IT staff member to a fully automated self-service utility.

Suppose the identity of the user requesting a password recovery or reset is not correctly verified. In that case, an attacker could easily pose as a user and gain access to that user’s password, so all recovery and reset mechanisms should verify the user’s identity first. Examples of verification methods include primary knowledge-based verification (e.g., employee ID number, badge number, date of birth); predetermined challenge response questions set during account creation (e.g., the color of the first car, favorite pet’s name); calling a user back on an office phone; and requiring a face-to-face visit from the user to provide photo identification.

Each verification method has advantages and disadvantages that should be evaluated before use. Privacy concerns should be carefully evaluated; for example, information such as Social Security numbers and a mother’s maiden name should not be used for identity verification. User verification should not include data or question answers that an attacker can quickly obtain or guess, such as an employee ID number available from a company directory.

For each password recovery or reset mechanism, the thoroughness of the user verification can be tailored to the account’s relative security needs. For example, organizations might want to require a rigorous, out-of-band verification method for the highest-security passwords and use less rigorous methods for other cases. When selecting verification methods, organizations should consider the relative risk of each method as opposed to its cost and convenience. Organizations should also identify and address any requirements to perform password recovery and resets for people not physically located in the organization’s main facilities, including users who telecommute or are traveling.

4. Using Compromised Passwords

If an attacker has compromised a password through guessing, cracking, or capture, the attacker will be able to use that password until the user changes it. To reduce the potential impact of such unauthorized password use, many organizations have implemented password expiration mechanisms that force users to select a new password after a certain number of days. Although this is beneficial for reducing the impact of some password compromises, it is ineffective for others; for example, when the attacker can compromise the new password through the same method as the old password (such as a keylogger running on the user’s computer) or when the attacker has a way of maintaining access to the target without the password, such as setting up a backdoor on the target. Password expiration is also often a source of frustration to users, who are usually required to create and remember new passwords every month for multiple accounts.

Organizations should decide whether to use password expiration mechanisms and what expiration period to set based on balancing security needs and usability. For example, if the organization provides secure storage for user passwords so that users do not have to remember passwords, then password expiration will be less frustrating to users.

Suppose there are significant threats involving unauthorized access to password hashes. In that case, it may be necessary to set the expiration period to be less than the time required to crack the passwords from the hashes. Another consideration is the frequency of authentication—if an application is accessed only a few times a year by employees and password expiration is enforced, then the passwords will be expired every time the users attempt to authenticate. Other factors for organizations to consider in selecting password expiration requirements include the strength of password storage and transmission algorithms and the system security requirements. Organizations should consider having different policies for password expiration for other systems, OS’s, and applications, to reflect their varying security needs and usability requirements.

If Passwords Are Compromised

Suppose an organization believes that a password management system or other sources of passwords has been compromised. In that case, the organization should act swiftly to mitigate the weaknesses that allowed the compromise, restore the compromised system to a secure state, and require all users to change their passwords immediately. Implementing the enterprise password change will require careful planning and coordination. Procedures should be in place to notify all affected users. This notification should only inform the users of the situation and notify them that their passwords have been reset or need to be changed immediately. Users should be instructed to change their password as they usually would and contact the help desk if they need assistance. If users are allowed to change their passwords, a procedure should be in place to force the change and verify that changes have been made. If passwords are reset to assigned passwords, then there should be procedures in place to communicate the assigned passwords to the users in a secure manner. Suppose the procedures cause a significantly increased workload on help desk staff. In that case, resources should be available to augment help desk staff to ensure they can effectively handle the password reset.

Passwords are used in many ways to protect data, systems, and networks. They are used to authenticate users of operating systems (OS) and applications such as email, labor recording, and remote access. Passwords are also used to protect files and other stored information, such as password-protecting a single compressed file, a cryptographic key, or an encrypted hard drive.

Passwords are also used in less visible ways; for example, a biometric device may generate a password based on a fingerprint scan, which is then used for authentication. Because they often protect valuable data, passwords are a common theft target for hackers and thieves. While no method of password threat mitigation is 100 percent effective, it’s essential to understand the threats and specific ways to address them so you can protect your company and its assets.

Types of Password Attacks

There are four types of threats hackers can use to access user passwords:

1. Password capturing

Password capturing is an attacker acquiring a password from storage, transmission, or user knowledge and behavior. For authentication, OS and application passwords are stored on hosts. If the stored passwords are not appropriately secured, attackers with physical access to a host may be able to gain access to the passwords. Passwords should not be stored without additional security controls to protect them. Security controls may include the following:

• Encrypting files containing passwords: This may be done by the operating system, an application, or a specialized utility such as password management software specifically designed to protect the confidentiality of passwords.
• Using OS access control features to restrict access to files that contain passwords: For example, a host could be configured to permit only administrators and specific processes running with administrator-level privileges to access a password file, thus preventing users and user-level processes from accessing passwords.
• Storing one-way cryptographic hashes for passwords instead of storing the passwords themselves: Using such hashes allows the authentication system to verify during authentication attempts that the correct password has been entered without storing the actual password. An attacker that gains access to hashes cannot determine the corresponding passwords directly from the hashes and must use cracking techniques to attempt to recover the passwords.

Organizations should carefully consider how well passwords and password hashes stored by applications are protected. For example, Web browsers, email clients, and other applications can store passwords on behalf of users, but it is often not apparent how well-secured these passwords are. Also, in most cases, these applications automatically fill in passwords as needed without verifying the user’s identity, which permits an attacker who can access such a computer to use the passwords immediately. Organizations should decide which applications if any, should be permitted to store passwords and password hashes based on considering the risks of doing so versus the convenience provided to users. Organizations should have requirements in their password policies regarding which types of applications may store passwords and hashes, as well as how those stored passwords and hashes should be protected.

In addition to storing passwords on the host, users and administrators may keep them on paper so they do not have to remember them. Such documents should be physically secured, such as stored in a locked file cabinet, safe, or office, to prevent the passwords from being acquired by a malicious party with physical access to the workspace. Also, papers containing passwords should be appropriately discarded, such as shredding them instead of throwing them in a trash can or recycling bin. Attackers can also monitor password entry through technical means. For example, a keystroke logger, also known as a keylogger, is a form of malware that monitors the keyboard for action events, such as a key being pressed, and provides the observed keystrokes to an attacker. An attacker can use a keystroke logger to acquire the usernames and passwords typed into the infected computer.

Many Trojan horses and some other forms of malware can also monitor user activity to gather usernames, passwords, and additional sensitive information for attackers. These sorts of threats can be mitigated by securing users’ hosts effectively, including applying patches regularly, using antimalware software (e.g., antivirus software, antispyware software), and having the user run with user-level privileges, not administrator-level privileges, for daily tasks. Another possible mitigation technique is to avoid typing passwords, such as retrieving them from secure storage or using onscreen simulated keyboards to enter them. Users should also be cautioned against downloading and executing files from unknown sources. Users should be warned not to enter passwords into publicly accessible computers, such as kiosk computers at conferences and hotels, because of the high risk of compromised passwords.

Users may also reveal their passwords to attackers because of social engineering. For example, an attacker could pretend to be a help desk agent, call a user and ask the user to provide a password to assist the agent in troubleshooting a problem. Social engineering can take many forms, some of which involve technical methods, such as phishing emails that direct users to a malicious website that mimics a legitimate site. The goal behind many phishing attacks is to collect usernames, passwords, and other sensitive information from users.

Mitigation of social engineering threats primarily involves user awareness of such threats and how they should be handled. However, some technical controls are also available (for example, many Web browsers offer anti-phishing capabilities). Social engineering may also target help desk agents, system administrators, and other IT staff with access to privileged accounts. Organizations should ensure that they know how to recognize such attacks and respond when an attack is suspected.

2. Password Guessing and Cracking

Attackers attempt to determine weak passwords and recover passwords from password hashes through two types of techniques—guessing and cracking. Guessing involves repeatedly attempting to authenticate using default passwords, dictionary words, and other possible passwords. Cracking is the process of an attacker recovering cryptographic password hashes and using various analytical methods to identify a character string that will produce one of these hashes, thereby being the equivalent of the password to the targeted system. Guessing can be attempted by any attacker that can access the authentication interface, whereas cracking can only be attempted by an attacker who has already gained access to password hashes.

There are several forms of guessing:

• In a brute force attack, the attacker attempts to guess the password using all possible combinations of characters from a given character set and for passwords up to a given length. This method will likely take ample time if many combinations are tested.
• In a dictionary attack, the attacker attempts to guess the password using a list of possible passwords. The list may contain numbers, letters, and symbols but is not an exhaustive list of all possible passwords or combinations that could create a password.
• In a hybrid attack, the attacker uses a dictionary containing possible passwords and then uses variations through brute force methods of the original ones in the dictionary to create new potential passwords. Since the attacker is adding characters—and in some cases replacing characters based on a rule set—in a controlled manner, the attack is more exhaustive than a dictionary attack but takes less time than a brute force attack.
• Another guessing attack is searching the victim’s information for possible password content, such as family member names or birthdates.

Guessing attacks can be mitigated relatively easily by combining two methods. First, ensure that passwords are sufficiently complex so attackers cannot readily guess them. It is essential to change all default OS and application passwords; lists of default accounts and passwords are widely available to attackers. Organizations should also ensure that other trivial passwords cannot be set, such as the username or person’s name, “password,” the organization’s name, or simple keyboard patterns (e.g., “qwerty,” “1234!@#$”), dates (e.g., “03011970”), dictionary words and names of people and places. Most password mechanisms can prevent the use of such passwords.

The second method recommended for mitigating guessing attacks is configuring OS and application password authentication mechanisms to limit the frequency of authentication attempts. Examples of how this can be accomplished include the following:

• Lock out a user account after several consecutive failed authentication attempts (often performed within a particular period, such as the past hour). For example, after a user has failed to provide the correct password ten times in a row, ignore all additional authentication attempts to access the user account for 15 minutes. Locking out an account after only a few failed attempts significantly impacts legitimate users and tends to cause them to choose simpler passwords or store their passwords insecurely, thus weakening security.
• Have a fixed or exponentially increasing delay after each failed authentication attempt. After the first failure, for example, there could be a five-second delay; after the second failure, a 10-second delay; after the third failure, a 20-second delay; and so on.

Cracking involves attempting to discover a character string that will produce the same encrypted hash as the target password. The discovered string may be the actual password or another password that produces the same hash. If the hash algorithm is weak, cracking may be much easier. Hash functions should be one-way; otherwise, attackers that can access hashes may be able to identify passwords from them and successfully authenticate. Another example of a hash algorithm weakness is that some algorithms do not use salting. Salting is the inclusion of a random value in the password hashing process that significantly decreases the likelihood of identical passwords returning the same hash. If two users choose the same password, salting can make it highly unlikely that their hashes are the same. All forms of cracking can be mitigated by making passwords strong, using one-way password hash algorithms, and protecting the confidentiality of password hashes. Changing passwords periodically also reduces the risk posed by cracking.

3. Password Replacing

An attacker can successfully authenticate into an account by replacing the account’s existing password with another password that the attacker knows. The attacker does not necessarily need to know the original password to accomplish this—for example, the attacker could intercept a user’s legitimate attempt to reset a password.

Generally, when a user forgets a password, there are two options: regain access to the old password (password recovery) or set a new password (a password reset). Password resets are also performed to set an initial password when a new account is created. There are many ways in which password recovery and resets can be conducted, ranging from an in-person visit with an IT staff member to a fully automated self-service utility.

Suppose the identity of the user requesting a password recovery or reset is not correctly verified. In that case, an attacker could easily pose as a user and gain access to that user’s password, so all recovery and reset mechanisms should verify the user’s identity first. Examples of verification methods include primary knowledge-based verification (e.g., employee ID number, badge number, date of birth); predetermined challenge response questions set during account creation (e.g., the color of the first car, favorite pet’s name); calling a user back on an office phone; and requiring a face-to-face visit from the user to provide photo identification.

Each verification method has advantages and disadvantages that should be evaluated before use. Privacy concerns should be carefully evaluated; for example, information such as Social Security numbers and a mother’s maiden name should not be used for identity verification. User verification should not include data or question answers that an attacker can quickly obtain or guess, such as an employee ID number available from a company directory.

For each password recovery or reset mechanism, the thoroughness of the user verification can be tailored to the account’s relative security needs. For example, organizations might want to require a rigorous, out-of-band verification method for the highest-security passwords and use less rigorous methods for other cases. When selecting verification methods, organizations should consider the relative risk of each method as opposed to its cost and convenience. Organizations should also identify and address any requirements to perform password recovery and resets for people not physically located in the organization’s main facilities, including users who telecommute or are traveling.

4. Using Compromised Passwords

If an attacker has compromised a password through guessing, cracking, or capture, the attacker will be able to use that password until the user changes it. To reduce the potential impact of such unauthorized password use, many organizations have implemented password expiration mechanisms that force users to select a new password after a certain number of days. Although this is beneficial for reducing the impact of some password compromises, it is ineffective for others; for example, when the attacker can compromise the new password through the same method as the old password (such as a keylogger running on the user’s computer) or when the attacker has a way of maintaining access to the target without the password, such as setting up a backdoor on the target. Password expiration is also often a source of frustration to users, who are usually required to create and remember new passwords every month for multiple accounts.

Organizations should decide whether to use password expiration mechanisms and what expiration period to set based on balancing security needs and usability. For example, if the organization provides secure storage for user passwords so that users do not have to remember passwords, then password expiration will be less frustrating to users.

Suppose there are significant threats involving unauthorized access to password hashes. In that case, it may be necessary to set the expiration period to be less than the time required to crack the passwords from the hashes. Another consideration is the frequency of authentication—if an application is accessed only a few times a year by employees and password expiration is enforced, then the passwords will be expired every time the users attempt to authenticate. Other factors for organizations to consider in selecting password expiration requirements include the strength of password storage and transmission algorithms and the system security requirements. Organizations should consider having different policies for password expiration for other systems, OS’s, and applications, to reflect their varying security needs and usability requirements.

If Passwords Are Compromised

Suppose an organization believes that a password management system or other sources of passwords has been compromised. In that case, the organization should act swiftly to mitigate the weaknesses that allowed the compromise, restore the compromised system to a secure state, and require all users to change their passwords immediately. Implementing the enterprise password change will require careful planning and coordination. Procedures should be in place to notify all affected users. This notification should only inform the users of the situation and notify them that their passwords have been reset or need to be changed immediately. Users should be instructed to change their password as they usually would and contact the help desk if they need assistance. If users are allowed to change their passwords, a procedure should be in place to force the change and verify that changes have been made. If passwords are reset to assigned passwords, then there should be procedures in place to communicate the assigned passwords to the users in a secure manner. Suppose the procedures cause a significantly increased workload on help desk staff. In that case, resources should be available to augment help desk staff to ensure they can effectively handle the password reset.