Implementing proper password policies is one of the best things an organization can do to defend itself from attack. Compromised credentials give attackers easy and immediate access without performing a single exploit. Hackers can leverage passwords for initial access and for lateral movement through an organization's network. Weak password configurations on an external service provide a dangerous entry point, and weak passwords internally allow an attacker to move through a network with ease post-breach.
From an external point of view, weak passwords can be extremely dangerous. A common problem is an employee having a weak password for a sensitive panel, such as a VPN login page. This is often the first step for many different types of threat actors looking to cause disruption or exfiltrate data. A common attack strategy is taking a few weak passwords and trying them against a large number of identified user accounts. Commonly guessed passwords are a season plus the year, such as ‘Fall2023!’, or simple strings, such as ‘Welcome1’.
If an attacker is lucky enough to find success with one of these weak passwords, they will have unrestricted access to whatever lies behind the panel they compromised. People should always be thought of as the weakest link when it comes to security. Exploitation of a vulnerable service is far less common than abuse of the human tendency to choose a simple, easy-to-remember password.
When looking for easy wins, a common source can be previous data breaches. Let us say a hacker is able to gather a list of valid usernames for their target organization. They can then try to comb through historical data dumps and see if those valid usernames turn up anywhere. Finding old logins used on other sites can often provide some wins for the hackers, as people tend to reuse passwords for the sake of convenience.
Password reuse can be dangerous in other ways as well. If an attacker is able to find a login for one service, even a minor one, they might be able to use those same passwords elsewhere. This can also be a problem if one service or login panel is less protected than another. For example, Windows Active Directory login attempts typically have a strict limit before accounts are locked out. If an attacker finds valid passwords on a web page with no rate limiting, this may let them perform a more targeted attack without locking out accounts and raising alarms there.
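The lockout gap described above is what detection has to cover: a lockout policy counts failures per account, while a spray spreads one or two guesses across many accounts so that no single account ever reaches the threshold. The Python below is an added example, not code from the original post; it runs over a constructed authentication log (the IPs, account names and timestamps are made up) and flags a source that fails against many distinct accounts inside a time window, which is the shape a lockout counter alone does not see. The window and account-count thresholds are assumed values, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (made up for this example, not real traffic).
# Each line: ISO timestamp, source IP, account, result.
SAMPLE_LOG = """\
2023-10-02T08:00:01 203.0.113.10 alice FAIL
2023-10-02T08:00:03 203.0.113.10 bob FAIL
2023-10-02T08:00:05 203.0.113.10 carol FAIL
2023-10-02T08:00:07 203.0.113.10 dave FAIL
2023-10-02T08:00:09 203.0.113.10 erin FAIL
2023-10-02T08:00:11 203.0.113.10 frank SUCCESS
2023-10-02T08:05:00 198.51.100.7 alice FAIL
2023-10-02T08:05:20 198.51.100.7 alice FAIL
2023-10-02T08:05:40 198.51.100.7 alice FAIL
2023-10-02T08:06:00 198.51.100.7 alice FAIL
2023-10-02T08:06:20 198.51.100.7 alice FAIL
2023-10-02T09:30:00 192.0.2.44 grace FAIL
2023-10-02T09:30:30 192.0.2.44 grace SUCCESS
"""


def parse_log(text):
    """Turn the whitespace-separated log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def failures_per_account(events):
    """What a per-account lockout counter sees: failed attempts keyed by account."""
    counts = defaultdict(int)
    for _, _, user, result in events:
        if result == "FAIL":
            counts[user] += 1
    return dict(counts)


def accounts_at_lockout(events, threshold=5):
    """Accounts that would trip an assumed lockout threshold of `threshold` failures."""
    return {u for u, n in failures_per_account(events).items() if n >= threshold}


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failed logins touched at least `min_accounts`
    distinct accounts within any `window` (sliding window per source).
    Returns {ip: sorted list of accounts targeted}."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    alerts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break
    return alerts


def successes_from_flagged_sources(events, alerts):
    """Accounts where a flagged spraying source later logged in successfully:
    these are the credentials to treat as compromised."""
    hits = defaultdict(set)
    for _, ip, user, result in events:
        if ip in alerts and result == "SUCCESS":
            hits[ip].add(user)
    return {ip: sorted(users) for ip, users in hits.items()}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Accounts at lockout threshold:", accounts_at_lockout(evs))
    flagged = detect_spray(evs)
    print("Spraying sources:", flagged)
    print("Successful logins from those sources:", successes_from_flagged_sources(evs, flagged))
```

In the constructed log the brute-force source hammering one account is the only thing the lockout counter catches, while the spraying source never fails twice against the same account and is caught only by counting distinct accounts per source. Running the same logic against the web panel with no rate limiting is what closes the gap the post describes.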
Best Practices and Mitigations
One of the best ways to defend against password attacks is simply to make sure that employees are using strong passwords: long, hard-to-guess passwords with a mix of numbers, letters, and symbols. Enforcing this alone will often not be enough, however. Even if a password meets those requirements, attackers will often be able to exploit it if it is a commonly used password. A common choice is a quote from a song, book, or movie, which, while very long, would not be considered strong.
Another common mistake is organizations allowing passwords to remain in use for too long. Proper password rotation is essential for maximum security and goes a long way toward preventing attackers from reusing historical passwords from old data breaches. There is a fine line, as forcing password changes too often will lead users to choose incremental or patterned passwords (such as the ‘Fall2023!’ example from before).
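The two preceding paragraphs describe checks that a plain complexity rule does not perform: screening against a list of commonly used passwords (including long quotes), rejecting season-plus-year patterns, and refusing a rotation that only bumps a digit on the previous password. The Python below is an added example, not code from the original post; it applies those checks together. The minimum length, the similarity cutoff and the tiny common-password set are assumed stand-ins (a real deployment would load a large breach-derived list from disk).

```python
import difflib
import re

MIN_LENGTH = 12  # assumed policy value, not a figure from the article

# Constructed stand-in for a common/breached-password list. Entries are stored
# lowercase and without trailing digits/symbols so that 'Welcome1!' is caught.
COMMON_PASSWORDS = {
    "password", "welcome", "letmein", "qwerty",
    "tobeornottobe", "maytheforcebewithyou",  # long quotes are still common
}

SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)(19|20)?\d{2}$", re.IGNORECASE)
SIMILARITY_CUTOFF = 0.8  # assumed: ratio above this counts as "barely changed"


def alnum_core(pw):
    """Lowercase and strip leading/trailing symbols only (digits kept),
    so 'Fall2023!' becomes 'fall2023' for the season-plus-year check."""
    return re.sub(r"^[^A-Za-z0-9]+|[^A-Za-z0-9]+$", "", pw).lower()


def word_core(pw):
    """Lowercase and strip leading/trailing digits and symbols, so
    'Welcome1!' and 'Welcome2' both reduce to the base word 'welcome'."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw).lower()


def check_password(pw, previous=None):
    """Return a list of policy violations; an empty list means the password is accepted.
    `previous` is the user's current password, supplied at rotation time."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_letter = re.search(r"[A-Za-z]", pw)
    has_digit = re.search(r"\d", pw)
    has_symbol = re.search(r"[^A-Za-z0-9]", pw)
    if not (has_letter and has_digit and has_symbol):
        problems.append("must mix letters, digits and symbols")
    # Length and character classes pass 'ToBeOrNotToBe2023!'; the list check does not.
    if pw.lower() in COMMON_PASSWORDS or word_core(pw) in COMMON_PASSWORDS:
        problems.append("matches a common or breached password")
    if SEASON_YEAR.match(alnum_core(pw)):
        problems.append("season-plus-year pattern")
    if previous is not None:
        if word_core(pw) == word_core(previous):
            problems.append("only digits/symbols changed from the previous password")
        elif difflib.SequenceMatcher(None, pw.lower(), previous.lower()).ratio() >= SIMILARITY_CUTOFF:
            problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    for candidate, prev in [
        ("Welcome1", None),
        ("Fall2023!", None),
        ("ToBeOrNotToBe2023!", None),
        ("Welcome2!", "Welcome1!"),
        ("Quartz-Lantern-75-Otter", "Quartz-Lantern-74-Otter"),
        ("Quartz-Lantern-74-Otter", "Welcome1!"),
    ]:
        print(f"{candidate!r} (previous {prev!r}): {check_password(candidate, prev) or 'accepted'}")
```

The point of the base-word and similarity checks is the trade-off the paragraph names: frequent forced rotation invites ‘Welcome1’ to become ‘Welcome2’, and a rotation rule that accepts that change has gained nothing.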
Even strong passwords should ideally be used in only one place. Educating users on the risks of password reuse prevents a lot of attacks from occurring. It is also important to make sure that employees are not using their work accounts for personal use. This reduces the risk of them reusing credentials elsewhere and has the added benefit of protecting their login information in the event that the other service's database is compromised.
Analyze Your Organization’s Strength With Blue Goat
Our team is able to help you identify any weaknesses in your organization’s network. We can perform different types of tests to meet your individual needs and assist in bolstering your security posture. Contact us to schedule a meeting and begin the process of securing your network.