How I Compromised Your Complex Password from The Internet

How I Compromised Your Complex Password from The Internet

One of an attacker’s first goals is to gain a foothold in a target environment. The role or permissions of an end user does not matter if it can be leveraged to gain access. Many password guides encourage longer, more complex passwords, making it more difficult to brute force the password’s plaintext value from its encrypted format in the event of a breach. While this is true, often a foothold is gained through simply guessing an end user’s password on an external resource such as Microsoft Office 365 or an on-premises Microsoft Exchange server.

Many of the passwords compromised from guessing were long, containing 10 or more characters, and contained numbers, and special characters. These passwords met the complexity requirements for most environments, but still contained dictionary words, phrases and followed patterns that are commonly found in password breach data.

A lot of end users (and even some veteran security professionals) consider password management a massive pain. The creation of a unique password with today’s complexity requirements can be tough. As a result, many end users choose to go with passwords that can be easily guessed by incorporating Months, Seasons, Years, words related to a company’s name or industry, common login phrases like ‘welcome’, ‘password’, and keyboard walk schemes i.e., ‘123’ or ‘!23’. In some cases, easily guessed passwords are the default password generated for new hires or for password reset requests because they are more easily communicated to users.

While helpdesks usually request these users to change their password once logged in, users are not always required to do so due to a misconfiguration in Active Directory. If the default password used by an organization can be discovered, usually dozens of user accounts will be compromised, each being utilized in some way to gain a foothold into a target’s environment.

What can be done

Many users in non-technical roles do not understand the importance of good password management. Educating these users on the impact of what an attacker can do with their password is critical.

Additionally, educating users on some of the more common phrases when creating a password is important. Some common examples are:

• Address (home and office)
• Date of birth
• Phone number
• Personal, child or spouse birthday
• Month
• Year
• Keyboard Patterns such as 123 or !23
• Anything posted on social media as an interest
• Company Name
• Company Industry
• Admin
• Password
• Welcome
• Sports Teams or Terms
• Swear words (this is a lot more common than you’d think)

In addition to a strong password policy following NIST guidelines, administrators should consider creating blocklists for the most common words and phrases to prevent end users from creating weak passwords. Tools such as Azure AD Password Protection can allow admins to create a list of banned passwords that will apply to on premises AD. Lists can be gathered from breach data such as the Have I Been Pwned Database.

The bottom line is that good password management is critical to the security of your data. However, it can be a pain for end users to create and remember complex passwords. Administrators should consider creating blocklists for the most common words and phrases and educating their users on some of the more common phrases when creating a password. What do your password policies look like? Why not let Lares audit your password configurations to see if we can identify some optimizations. Contact us today!

Resources

• Deploy on-premises Azure AD Password Protection | Microsoft Docs
• Configure custom Azure Active Directory password protection lists | Microsoft Docs
• CWE – CWE-521: Weak Password Requirements (4.6) (mitre.org)
• NIST Special Publication 800-63B