Changing passwords weakens security

Mark Cutting Analysis, Risk, Security, Strategy, Technology 16 Comments

The recent high profile breaches impacting organisations large and small are a testament to the fact that no matter how you secure credentials, they will always be subject to exploit. Can a password alone ever be enough ? in my view, it’s never enough. The enforced minimum should be at least with a secondary factor. Regardless of how “secure” you consider your password to be, it really isn’t in most cases – it just “complies” with the requirement being enforced.

Here’s classic example. We take the common password of “Welcome123” and put it into a password strength checker

According to the above, it’s “strong”. Actually, it isn’t. It’s only considered this way because it meets the complexity requirements, with 1 uppercase letter, at least 8 characters, and numbers. What’s also interesting is that a tool sponsored by Dashlane considers the same password as acceptable, taking supposedly 8 months to break

How accurate is this ? Not accurate at all. The password of “Welcome123” is in fact one of the passwords contained in any penetration tester’s toolkit – and, by definition, also used by cyber criminals. As most of this password combination is in fact made up of a dictionary word, plus sequential numbers, it would take less than a second to break this rather than the 8 months reported above. Need further evidence of this ? Have a look at haveibeenpwned, which will provide you with a mechanism to test just how many times “Welcome123” has appeared in data breaches

Why are credentials so weak ?

My immediate response to this is that for as long as humans have habits, and create scenarios that enable them to easily remember their credentials, then this weakness will always exist. If you look at a sample taken from the LinkedIn breach, those passwords that occupy the top slots are arguably the least secure, but the easiest to remember from the human perspective. Passwords such as “password” and “123456” may be easy for users to remember, but on the flip side, weak credentials like this can be broken by a simple dictionary attack in less than a second.

Here’s a selection of passwords still in use today – hopefully, yours isn’t on there

We as humans are relatively simplistic when it comes to credentials and associated security methods. Most users who do not work in the security industry have little understanding, desire to understand, or patience, and will naturally choose the route that makes their life easier. After all, technology is supposed to increase productivity, and make tasks easier to perform, right ? Right. And it’s this exact vulnerability that a cyber criminal will exploit to it’s full potential.

Striking a balance between the security of credentials and ease of recall has always had it’s challenges. A classic example is that networks, websites and applications nowadays typically have password policies in place that only permit the use of a so-called strong password. Given the consolidation and overall assortment of letters, numbers, non-alphanumeric characters, uppercase and lowercase, the password itself is probably “secure” to an acceptable extent, although the method of storing the credentials isn’t. A shining example of this is the culture of writing down sensitive information such as credentials. I’ve worked in some organisations where users have actually attached their password to their monitor. Anyone looking for easy access into a computer network is onto an immediate winner here, and unauthorised access or a full blown breach could occur within an alarmingly short period of time.

Leaked credentials and attacks from within

You could argue that you would need access to the computer itself first, but in several historical breach scenarios, the attack originated from within. In this case, it may not be an active employee, but someone who has access to the area where that particular machine is located. Any potential criminal has the credentials – well, the password itself, but what about the username ? This is where a variety of techniques can be used in terms of username discovery – in fact, most of them being non-technical – and worryingly simple to execute. Think about what is usually on a desk in an office. The most obvious place to look for the username would be on the PC itself. If the user had recently logged out, or locked their workstation, then on a windows network, that would give you the username unless a group policy was in place. Failing that, most modern desk phones display the name of the user. On Cisco devices, under Extension Mobility, is the ID of the user. It doesn’t take long to find this. Finally there’s the humble business card. A potential criminal can look at the email address format, remove the domain suffix, and potentially predict the username. Most companies tend to leverage the username in email addresses mainly thanks to SMTP template address policies – certainly true in on premise Exchange environments or Office 365 tenants.

The credentials are now paired. The password has been retrieved in clear text, and by using a simple discovery technique, the username has also been acquired. Sometimes, a criminal can get extremely lucky and be able to acquire credentials with minimal effort. Users have a habit of writing down things they cannot recall easily, and in some cases, the required information is relatively easily divulged without too much effort on the part of the criminal. Sounds absurd and far fetched, doesn’t it ? Get into your office early, or work late one evening, and take a walk around the desks. You’ll be unpleasantly surprised at what you will find. Amongst the plethora of personal effects such as used gym towels and footwear, I guarantee that you will find information that could be of significant use to a criminal – not necessarily readily available in the form of credentials, but sufficient information to create a mechanism for extraction via an alternative source. But who would be able to use such information ?

Think about this for a moment. You generally come into a clean office in the mornings, so cleaners have access to your office space. I’m not accusing anyone of anything unscrupulous or illegal here, but you do need to be realistic. This is the 21st century, and as a result, it is a security measure you need to factor in and adopt into your overall cyber security policy and strategy. Far too much focus is placed on securing the perimeter network, and not enough on the threat that lies within. A criminal could get a job as a cleaner at a company, and spend time collecting intelligence in terms of what could be a vulnerability waiting to be exploited. Another example of “instant intelligence” is the network topology map. Some of us are not blessed with huge screens, and need to make do with one ancient 19″ or perhaps two. As topology maps can be quite complex, it’s advantageous to be able to print these in A3 format to make it easier to digest. You may also need to print copies of this same document for meetings. The problem here is what you do with that copy once you have finished with it ?

How do we address the issue ? Is there sufficient awareness ?

Yes, there is. Disposing of it in the usual fashion isn’t the answer, as it can easily be recovered. The information contained in most topology maps is often extensive, and is like a goldmine to a criminal looking for intelligence about your network layout. Anything like this is classified information, and should be shredded at the earliest opportunity. Perhaps one of the worst offences I’ve ever personally experienced is a member of the IT team opening a password file, then walking away from their desk without locking their workstation. To prove a point about how easily credentials can be inadvertently leaked, I took a photo with a smartphone, then showed the offender what I’d managed to capture a few days later. Slightly embarrassed didn’t go anywhere near covering it.

I’ve been an advocate of securing credentials for some time, and recently read about the author of “NIST Special Publication 800-63” (Bill Burr). Now retired, he has openly admitted the advice he originally provided as in fact, incorrect

“Much of what I did I now regret.” said Mr Burr, who advised people to change their password every 90 days and use obscure characters.

“It just drives people bananas and they don’t pick good passwords no matter what you do.”

The overall security of credentials and passwords

However, bearing in mind that this supposed “advice” has long been the accepted norm in terms of password securuty, let’s look at the accepted standards from a well-known auditing firm

It would seem that the Sarbanes Oxley 404 act dictates that regular changes of credentials are mandatory, and part of the overarching controls. Any organisation that is regulated by the SEC (for example) would be covered and within scope by this statement, and so the argument for not regularly changing your password becomes “invalid” by the act definition and narrative. My overall point here is that the clearly obvious bad password advice in the case of the financial services industry is negated by a severely outdated set of controls that require you to enforce a password change cycle and be in compliance with it. In addition, there are a vast number of sites and services that force password changes on a regular basis, and really do not care about what is known to be extensive research on password generation.

The argument for password security to be weakened by having to change it on a frequent basis is an interesting one that definitely deserves intense discussion and real-world examples, but if your password really is strong (as I mentioned previously, there are variations of this which are really not secure at all, yet are considered strong because they meet a complexity requirement), then a simple mutation of it could render it vulnerable. I took a simple lowercase phrase

“mypasswordissimpleandnotsecureatall”

The actual testing tool can be found here.  So, does a potential criminal have 26 nonillion years to spare ? Any cyber criminal who possesses only basic skills won’t need a fraction of that time as this password is in fact made up of simple dictionary words, is all lowercase, and could in fact be broken in seconds.

My opinion ? Call it how you like – the password is here to stay for the near future at least. The overall strength of the password or credentials stored using MD5, bCrypt, SHA1 and so on are irrelevant when an attacker can use established and proven techniques such as social engineering to obtain your password. Furthermore, the addition of 2FA or a SALT dramatically increases password security – as does the amount of unsuccessful attempts permitted before the associated account is locked. This is a topic that interests me a great deal. I’d love to hear your feedback and comments.

About the Author
Mark Cutting

Mark Cutting

Facebook Twitter Google+

Mark Cutting is the founder of Phenomlab.com and Inocul8r.net. He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

16
Leave a Reply

avatar
6 Comment threads
10 Thread replies
0 Followers
 
Most reacted comment
Hottest comment thread
3 Comment authors
Mark HoneycuttMark CuttingMark HoneycuttAlden Chevez Recent comment authors
  Subscribe  
newest oldest most voted
Notify of
Alden Chevez
Member

I think that passwords are here to stay. At least for a while. Just like any security measure it has weaknesses, which we all need to address. Yes people could steal credentials in non-technical ways, that’s why enforcing strong policies is very important and that’s when end user awareness is key. For example, recently, to enforce locking computer screens when you move, an internal domain was created (for example unlocked.mycompany.com) and when someone left their place without locking the screen anyone could open the browser, go to that domain and it would show a website with the short message “you have left your computer unlocked. Security is importante etc etc, confidentiality etc,” something short so people would read once they are back on their chair, and they would understand the message. That would go to a log and by the end of the month the person with the most log entrances would buy dinner / drinks/ donuts for the rest of the department. instead of using passwords, let’s use passphrases.. throw in a couple of numbers, special charachters etc (tH1s.is.my.p4ssw0rd!_:D). This complies with password policies, and also is easy to remember for users, it’s hard to crack by brute force or rainbow tables or dictionaty attacks. The above tools you shared are based on brute force, but I don’t think any hacker uses brute force because of the time it takes. They use dictionary attacks, and rainbow tables, but these usually have single words with numbers, maybe leet, I dont… Read more »

Mark Honeycutt
Member

I say we eliminate passwords altogether and instead have chips put beneath the skin on our hands that will give us access to anything and everything we own or use.  Anyone else would be locked out, photographed, and flogged accordingly.   And, from there, there’s all kinds of possibilities to consider.

Alden Chevez
Member

like people getting their hands cut off

Mark Honeycutt
Member

Well, I don’t think we would see many severed hands in the U.S. because of this unless someone has some very serious information stored on it like evidence against the mob or state secrets.  Most implantable chips I’ve read about do not have GPS technologies, and they’re securely encrypted in a way that’s much more secure than their laptops.  Auto log-ins with this technology allow for complex pass phrases to be stored and encrypted without a person having to memorize a ton of stuff.   I mean, we trust our banks to secure our data on our bank cards in a chip, so this is only one more step in that direction.  Plus, there’s a lot of upside as well.  The information stored on the chip is up to the user and would be no different than using Google Wallet or Samsung Pay.  It’s just always with you.  In addition, think of all the possibilities with having an embedded chip.  I could see it as a pioneering way of some pretty cybernetic type things.  The integration of tech with the human body is inevitable anyway.  We might as well embrace it first and come up with something new and exciting.  I think the next wave of techillionaires are going to make that money on this front using micro computing and AI as gateways to new things.

Mark Honeycutt
Member

I’m all for hacking my body — in an improvement way.  I am hacked already in almost every joint in my body whether it’s with the 45-pounds of titanium alloy in my shoulders and hips, or the stem cells that saved my knees, ankles, elbows, and wrists.  If I could put a micro-computer with sensors that could give me real-time information pertinent to my health — think of the possibilities!!!!  “Your body is 12.2% deficient in Calcium — drink .75 cup soy milk now.”  Or, “You will have severe gas pains in 132 minutes if you do not consume 20 grams of fiber and 12 ounces of water in the next 10 minutes.”  And that’s not even talking about improvement of functionality through robotics, prostheses, etc.  It could be the eventual end of pain too.  

But, onto your point, which is hacking humans in a malicious manner.  Yes, I get it.  There’s a manga about that — an assassin could be anyone you hack and force to do the assassination.  This would definitely have to be a first in our industry — meaning that security would have to be built into design and programming from the very beginning.  But it can happen, and it will.  All roads lead to this.  Biohacking is already a big thing.  

Mark Honeycutt
Member

I have a card that I carry that states how many implants I have which I show when going through a metal detector.  Some detectors go nuts; others let me pass through.  I get “wanded” every time, though, and even though it is beeping as it goes over my body, the officers don’t do anything else.  Good article you linked to.  I actually think we’re going to go in a very different direction than what many alarmists and Hollywood types are projecting.  Rather than a Terminator-like future where humanity risks being taken over by robots, I think we’re going to drop the autonomous pioneering and use that AI to make life much more transparent than it is.  I don’t really want to go into detail because it would be very long-winded, but if you want to know what I’m thinking, watch “Anon.”  It’s a British film just released this year.  Here in the U.S., it just came out on Netflix as a Netflix Original movie.  This is the closest version of what I think our future holds.  Why?  Technology that survives only survives because consumers drive that market.  This type of tech is possible in the near future, and it would be something that people would go for in droves if available.  Whereas, I still don’t see billions of robots walking the streets in the next 100 years.  I also don’t think too many are going to dive into self-driving cars either in the near future.  But I do see the… Read more »

Mark Honeycutt
Member

I highly recommend it.  It’s one of the better IT films.  Again, look past the hardware and the baby, and see the research into smart contacts.  You’ll see where I’m going.