Updated 14 June 2021.
Copyright: European Union Public License, version 1.2 (EUPL-1.2).
Contents of this Article
- Password Creation Basics
- Password Attack Techniques
- How to prevent the worst
- Common “Do Not’s” in Password Protection
- Password risk assessment
- Product reviews
1 – Introduction
This article goes into detail about the policies governing password creation and management. Our end goal is to instruct clients and employees on how to strengthen current and future passwords so that they can thwart threat actors. A password is defined as “a secret combination of letters, numbers, and/or characters that only the user should have knowledge of”. Managing passwords is therefore an important step in preventing them from being compromised: as the owner of a password, you want to be the only authority that has access to it. As discussed throughout this article, there are many applications that can help you manage passwords. In today’s network-connected world, attackers have developed sophisticated methods to defeat security measures. To stop them, we must look at password security from their perspective and develop countermeasures against password attacks.
2 – Password Creation Basics
Successful password creation relies on the policies that govern the criteria for passwords. When organizations decide the framework for group passwords, many factors go into the decision-making process. Password policies such as a minimum password age and a maximum password age determine how long a password exists within a domain, which in turn forces users on that network to change their passwords regularly. The ultimate goal of strong password policies is to prevent threat actors from acquiring the credentials needed to do harm to an organization. Along with password policies, organizations should consider using password management applications that store all passwords in a protected vault; password managers are considered one of the best tools in an onion-based (layered) security model. Below are some of the first steps you should take when deciding the framework for your password policies.
Determine the Minimum / Maximum Password Length
The recommended minimum length for a password is 12 characters, and the recommended maximum is 28 characters. The most crucial part of password security is not complexity but length: a longer password is more secure than a shorter one because it requires more attempts from a threat actor to break it.
Add Password Complexity
Requiring users to include at least one uppercase letter, one lowercase letter, a digit (0-9) and a non-alphabetic character (!, $, #, %) is essential to making a password unbreakable.
Adding Encryption to Passwords
Many password management applications can encrypt passwords. Hashing algorithms transform a password from plaintext into a random-looking sequence of numbers and letters, the hash. Before hashing is completed, a value called a salt is added at the beginning and end of the password, so the stored hash depends on the salt as well as on the password.
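The three policy steps above (length bounds, character classes, salted hashing) can be put together in a small checker and storage routine. The following is an added example written for this article, not code from any product mentioned here; it assumes `string.punctuation` as the set of “non-alphabetic” characters and uses PBKDF2-HMAC-SHA256 from the Python standard library as the salted, iterated hash (the iteration count is an assumed default, not a value from the article).

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Policy values from the article: 12-28 characters, one character from each
# of the four classes. The concrete "non-alphabetic" set is an assumption.
MIN_LENGTH = 12
MAX_LENGTH = 28
SPECIALS = set(string.punctuation)


def check_policy(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no non-alphabetic character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salt and hash a password with PBKDF2-HMAC-SHA256.

    The returned string carries the scheme, iteration count, salt and digest,
    so verification needs nothing else. A fresh random salt is drawn for every
    password unless one is supplied (supplying one is only useful in tests).
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ["Correct-Horse-42", "Ab1!", "OnlyLettersHere!"]:
        print(pw, "->", check_policy(pw) or "OK")
    record = hash_password("Correct-Horse-42")
    print(record)
    print("verify correct:", verify_password("Correct-Horse-42", record))
    print("verify wrong:  ", verify_password("Correct-Horse-43", record))
```

Because the salt is stored beside the digest, two users who choose the same password still end up with different records, and the comparison uses `hmac.compare_digest` so that verification time does not leak how many leading bytes matched.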
3 – Password Attack Techniques
Many believe that passwords are compromised simply by guessing, meaning that an attacker sits at a computer and guesses at random until the right password turns up. This is far from what threat actors actually do when they compromise a password. Today’s threat actors use sophisticated methods to crack a password or passphrase. An attacker may discover a password through social engineering (phishing, shoulder surfing and dumpster diving), but these attacks have limitations, such as the need for physical access to a victim’s computer or to observe the user entering their password. Most password attacks today occur offline: the attacker steals a file containing password digests and loads it onto their own computer to crack them. A digest is the output of a cryptographic hash function, a string of digits produced by a one-way hashing formula. Below I discuss the techniques that threat actors use to recover a password from its digest.
Brute Force Attack
A brute force attack is usually automated and tries every possible combination of letters, numbers and characters, creating a digest from each one. Attackers crack passwords by matching a captured digest against the digests they create. Among all password cracking methods, brute force is the slowest but also the most thorough. A brute force attack is considered an offline attack, where capturing the passwords and cracking them are done separately. Very commonly, brute force is used to break Microsoft Windows LM hashes, which are considered a weak cryptographic algorithm. This type of password hashing is considered weak because it uses a cryptographic one-way function instead of encrypting the password with a key in which the password is the key. Microsoft does this for fast login to devices, but it makes the hashes easier for threat actors to crack. This is why users are strongly advised to encrypt their Windows machines.
Mask attacks are a more fine-tuned form of brute force attack, in which placeholders stand in for the characters at particular positions in a password. The purpose of a mask attack is to reduce the number of combinations that must be generated to crack a password, which speeds up the cracking. The parameters used within a mask attack are password length, character set, language and pattern.
Unlike a mask attack, which is essentially an educated guess, a rule attack uses statistical analysis of stolen passwords. The analysis is then used to create a mask meant to break the largest number of passwords. To build a rule attack, attackers take a small sample of stolen plaintext passwords and analyse it statistically to determine the character length and character set of the mask. Once created, that mask yields the best percentage of cracked passwords.
Dictionary Attack / Rainbow Tables
A dictionary attack starts with the attacker generating digests of commonly known dictionary words, which are collected and compared against a stolen password digest. Unlike a dictionary, a rainbow table is a large nested data set of password digests that is compared against stolen password digests to crack a password. Rainbow tables are compressed representations of clear-text passwords constructed in chains; each password in a chain is hashed and represents a clear-text password. Cracking a password with a rainbow table is a two-step process. First, the stolen digest is run through the same process that was used to create the rainbow table, which produces the first password in the chain. Second, the process is repeated, beginning with that first password, until the digest of the stolen password is found. Generating a rainbow table takes a large amount of time, but once created it has a significant advantage over other password cracking methods: for example, the same rainbow table can be used repeatedly to attack other passwords. Rainbow tables are much faster than dictionary attacks and take up much less memory on an attacker’s computer.
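The property all three precomputation methods rely on is that the same plaintext always produces the same digest, so a table built once can be reused against any stolen digest. The example below, added for this article rather than taken from it, shows that property on a constructed five-word list and then shows why a per-user salt (as described in the password creation section) breaks it: the salted digest of the same word is never in the table, and changing the salt changes the digest, so a table would have to be rebuilt for every user. The word list, the salt values and the iteration count are all constructed for the demonstration.

```python
import hashlib
import os

# Constructed stand-in for "commonly known dictionary words".
WORDLIST = ["password", "letmein", "sunshine", "dragon", "qwerty123"]


def unsalted_digest(password: str) -> str:
    """Plain SHA-256 of the password: identical input, identical output."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_precomputed_table(words):
    """Digest every word once; this reusable table is what the article describes."""
    return {unsalted_digest(w): w for w in words}


def lookup(table, digest_hex: str):
    """Return the plaintext if a stolen unsalted digest is in the table, else None."""
    return table.get(digest_hex)


def salted_digest(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated digest (PBKDF2-HMAC-SHA256) of the same password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def demo():
    """Return (hit on the unsalted digest, hit on the salted digest) for one word."""
    table = build_precomputed_table(WORDLIST)
    # Constructed "stolen" digests of the same weak password, one per scheme.
    stolen_unsalted = unsalted_digest("sunshine")
    stolen_salted = salted_digest("sunshine", os.urandom(16))
    return lookup(table, stolen_unsalted), lookup(table, stolen_salted)


if __name__ == "__main__":
    unsalted_hit, salted_hit = demo()
    print("unsalted digest found in table:", unsalted_hit)
    print("salted digest found in table:  ", salted_hit)
    print("same word, two salts, same digest?",
          salted_digest("sunshine", b"\x00" * 16, 1000) == salted_digest("sunshine", b"\x01" * 16, 1000))
```

The salt is not a secret; its job is only to make precomputation per-user rather than global. The iteration count is what makes each per-user recomputation expensive, which is why the two are always used together.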
4 – How to prevent the worst
Seeing what an attacker sees when targeting a password gives you a greater chance of preventing an exploit. Attackers who go after passwords generally seek out short, low-complexity passwords. As mentioned before, password length is the key to a strong password, so determining the length gives you a footprint of how long an attack will take. There is an easy method to determine the average number of attempts a threat actor needs to break a password: number of keyboard keys ^ password length = total number of possible passwords, and the average number of attempts is one half of that total.
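The formula above can be carried through for several policies at once to see how length compares with complexity. This is an added worked example, not part of the original article; it assumes the 95 printable ASCII characters as the “keyboard keys” set, 26 for a lowercase-only password, and a constructed guess rate (one billion digests per second) that stands in for whatever hardware an attacker has. Only the article’s formula is used: keyspace = keys ^ length, expected attempts = keyspace / 2.

```python
# Assumed alphabet sizes; the article's "number of keyboard keys" is taken
# here to be the 95 printable ASCII characters.
PRINTABLE_ASCII = 95
LOWERCASE_ONLY = 26
ASSUMED_GUESSES_PER_SECOND = 1_000_000_000  # constructed rate for illustration


def keyspace(alphabet_size: int, length: int) -> int:
    """Total number of possible passwords: keys ^ length (the article's formula)."""
    return alphabet_size ** length


def expected_attempts(alphabet_size: int, length: int) -> int:
    """Average attempts to hit the password: half the keyspace."""
    return keyspace(alphabet_size, length) // 2


def expected_seconds(alphabet_size: int, length: int,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Average time to reach the password at a given guessing rate."""
    return expected_attempts(alphabet_size, length) / guesses_per_second


def length_beats_complexity(long_simple_len: int = 12, short_complex_len: int = 8) -> bool:
    """True when a lowercase-only password of long_simple_len characters has a
    larger keyspace than a full-keyboard password of short_complex_len characters."""
    return keyspace(LOWERCASE_ONLY, long_simple_len) > keyspace(PRINTABLE_ASCII, short_complex_len)


if __name__ == "__main__":
    policies = [
        ("8 chars, full keyboard", PRINTABLE_ASCII, 8),
        ("12 chars, lowercase only", LOWERCASE_ONLY, 12),
        ("12 chars, full keyboard", PRINTABLE_ASCII, 12),
        ("28 chars, full keyboard", PRINTABLE_ASCII, 28),
    ]
    for name, keys, length in policies:
        years = expected_seconds(keys, length) / (365 * 24 * 3600)
        print(f"{name:26s} attempts={expected_attempts(keys, length):.2e} years={years:.2e}")
    print("12 lowercase beats 8 full-keyboard:", length_beats_complexity())
```

The jump from 12 to 28 characters dwarfs any change in character set, which is the point the article makes about length: each extra character multiplies the keyspace by the alphabet size, while adding a character class only grows the base.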
A big reason why a password is considered weak is that users do not want to remember long, complex passwords, so they set simple, easy-to-remember ones. Unfortunately, a good portion of these easy-to-remember passwords are already sitting in a threat actor’s rainbow table waiting to be unleashed. The answer to this problem relies on user education. Within your corporate network you must thoroughly explain the dangers that affect the company and its employees and users. Software and algorithms can only do so much to protect you from cyber-attacks; if users are not prepared to use these tools properly, the preventive measures you put in place are not useful. This is why Ubinodes’ experience in security consulting is of value to any organization. The core value at Ubinodes is security first, then productivity: to be productive, your network must have little downtime due to security headaches.
5 – Common “Do Not’s” in Password Protection
It is advised that you never use a username or ID as your password. If you are an administrator or have administrative privileges, do not share your credentials with assistants or other employees. Ubinodes treats all passwords as sensitive and confidential information that must be managed properly.
- Don’t expose a password to anyone over a cell phone or landline.
- Don’t expose a password in an email.
- Don’t expose a password to a manager or senior employee.
- Don’t expose a password through verbal conversations.
- Don’t provide hints to the format of a password.
- Don’t expose a password within forms or questionnaires.
- Don’t expose a password to family members.
- Don’t expose a password to anyone while on vacation.
- Don’t access passwords through the remember passwords feature of any application.
- Don’t write passwords down and store them in the office.
- Don’t store passwords on unencrypted devices.
6 – Password Risk Assessment
When employing risk mitigation measures against the potential risk of exposure, companies first want to ensure that the measures do not degrade the services they provide. This is why risk analysis must be done shortly after the discovery of a potential threat. When assessing the potential risk of mass password exposure, the knowledge that a problem exists should be kept confidential until everything is known about the problem. To get the most out of your risk assessment, measure the impact on each individual component of digital authentication. Doing so helps you avoid three kinds of error. The first is identity proofing errors: you want to make sure that impostors are not claiming the identity of your employees. The second is authentication errors: an impostor gaining access to credentials that belong to your employees. The third is federation errors: keeping identity assertions from being compromised.
Once a company has considered identity proofing errors, authentication errors and federation errors, it can make educated decisions on the technology or strategies it will use to combat the risk. Added technology helps in mitigating the risk, but what matters more is the severity level assigned to identity proofing, authentication and federation. This helps the company make sound decisions in the future and maintain its quality of service if an exposure does occur.
NIST Severity Levels
According to NIST SP 800-63A, there are three identity assurance levels for identity proofing, shown below; they reflect the options a company should follow when operating at that level.
IAL1: At this level there is no requirement to associate the person with the real-life identity.
IAL2: The evidence collected supports the real-world existence of the claimed identity, which in turn verifies that this person is associated with that real-world identity.
IAL3: To effectively “identity proof” the person, a physical presence is needed. At this point in time an authorized representative must verify the attributes of the individual.
NIST SP 800-63B defines the three authentication assurance levels that a company may use.
AAL1: This level supplies some assurance that the person claiming the account is authenticated to the subscriber’s account. AAL1 requires single-factor or multi-factor authentication; once one of these conditions is met, the subscriber gains access to the account.
AAL2: This level gives employers a high level of confidence that the person trying to access this account is the correct owner. Confidence is obtained through secure authentication protocols and cryptographic techniques.
AAL3: The confidence level at AAL3 is considered very high with proof being provided by a cryptographic key. A hardware-based authenticator can be used to verify this login.
Lastly, NIST SP 800-63C supplies companies with federation requirements that help identify the physical architectures that manage and secure passwords.
FAL1: Allows the owner to enable the relying party to claim ownership over devices/infrastructure. This assertion is signed by a federal authority with the use of cryptography.
FAL2: This level requires that the relying party encrypts the infrastructure by using approved cryptography and be the only party who can decrypt the infrastructure.
FAL3: Ownership of infrastructure requires that the owner present proof of the cryptographic key in addition to the assertion artifact itself. A federal representative signs off by using cryptography.
7 – Product reviews
When choosing a password manager, we suggest setting a passphrase for it. For those unfamiliar with the term, a passphrase differs from a password in that it is much longer: passwords are generally around 12 characters in length, while passphrases are between 32 and 64 characters. The extra length of a passphrase provides added security, since, as explained earlier, the longer a password or passphrase is, the more attempts on average a threat actor needs to break it. We suggest a passphrase only for your password manager, so that everyday use of a password is not cumbersome. Save your passphrase in a safe place where only you can access it, and if you save it in a browser, make sure that browser uses encryption. A good example of a browser that uses encryption is the Comodo browser. Use only a browser like this to save your passphrase, so that if you are targeted by a cross-site scripting attack you do not hand your passphrase to your attacker.
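One practical way to get a passphrase in the 32-64 character range the paragraph recommends is to join randomly chosen words from a word list, using a cryptographically secure source of randomness. The following is an added example for this article, not code from any password manager reviewed here. Its 16-word list is constructed for the demonstration only; a real deployment would use a published list of several thousand words, since the entropy of a passphrase depends on the list size, as the `entropy_bits` function shows.

```python
import math
import secrets
from typing import List

# Constructed word list for the demonstration. Real passphrases should draw
# from a large published list (e.g. thousands of words), not a list this small.
WORDLIST = [
    "anchor", "blanket", "cactus", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "jasmine", "kettle", "lantern", "meadow", "nectar",
    "orchard", "pebble",
]

# Passphrase length range from the article.
MIN_LENGTH = 32
MAX_LENGTH = 64


def generate_passphrase(words: List[str], min_len: int = MIN_LENGTH,
                        max_len: int = MAX_LENGTH, separator: str = "-") -> str:
    """Join secret-random words until the passphrase is at least min_len characters.

    Retries if the result overshoots max_len (only possible with very long words).
    secrets.choice is used instead of random.choice: the latter is not suitable
    for generating secrets.
    """
    for _ in range(1000):
        chosen = []
        while len(separator.join(chosen)) < min_len:
            chosen.append(secrets.choice(words))
        phrase = separator.join(chosen)
        if len(phrase) <= max_len:
            return phrase
    raise ValueError("could not fit a passphrase into the requested length range")


def entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of a passphrase of word_count words drawn uniformly from list_size words."""
    return word_count * math.log2(list_size)


def word_count(passphrase: str, separator: str = "-") -> int:
    """Number of words in a generated passphrase."""
    return len(passphrase.split(separator))


if __name__ == "__main__":
    phrase = generate_passphrase(WORDLIST)
    n = word_count(phrase)
    print(phrase, f"({len(phrase)} chars, {n} words)")
    print(f"entropy with this {len(WORDLIST)}-word list: {entropy_bits(n, len(WORDLIST)):.1f} bits")
    print(f"same word count from a 7776-word list:   {entropy_bits(n, 7776):.1f} bits")
```

The length bound alone does not make the passphrase strong: five words from a 16-word list give only 20 bits of entropy, whereas five words from a 7776-word list give about 65 bits. The list size, not the character count, is what the attacker’s expected number of attempts depends on.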
Bitwarden stores your network users’ passwords in an encrypted vault where they can be easily and safely managed. The software is available on both mobile and PC and supports the Linux, MacOS, Windows and Android operating systems. It is open source and free for a single user, while for larger organizations the price rises slightly to $5 a month per user. Passwords are encrypted using AES-256, and the product supports the SHA-256 hashing algorithm.
Unlike the last product, Dashlane is a subscription-based password manager. Dashlane supports the normal everyday operating systems such as MacOS, Windows, iOS and Android. The software acts as a password manager as well as a digital wallet. Its value is rooted in the encryption algorithm it uses, which is SHA-256. With 12 supported languages, two-factor authentication and a built-in VPN, this product can support the needs of an organization of any size.
Encryptr specializes in securing clients’ personal data over the internet with end-to-end encryption. The company ensures that passwords stored within its software are vaulted and can only be touched by authorized sources. Just like the previous two products, Encryptr uses SHA-256 to hash and encrypt passwords. It is one of the few password management applications that is free and open source. Currently the application is available only as a desktop application and supports the Linux, MacOS and Windows operating systems.
Keeper is a great tool for storing website passwords and financial information. Keeper is offered as Software as a Service (SaaS), meaning that Keeper is a cloud computing vendor that delivers all of its services from its servers in the cloud. Currently, the product is available on desktop and mobile and supports the Linux, MacOS, Windows and Android operating systems. Pricing is based on the needs of the customer and covers student, family, personal, business and enterprise plans.
8 – Sources
Ciampa, Mark (2017). Security+ Guide to Network Security Fundamentals. Cengage, 20 Channel Center Street, Boston, MA 02210. (Source 1)