Who Can Remember $877yaijfn&3yf?
It’s time to discuss everyone’s favorite topic: passwords. Not only do we need to discuss passwords, we should also cover password policies while we are at it. As a service provider we are often asked questions like “What makes a good password policy?” Considering that a password policy can make or break both your account and your organization, it is imperative to address this from the standpoint of true security. As we progress through this article, we will lay out what an attacker will attempt and how implementing a strong password policy will slow down their attempts to penetrate the network or stop them altogether.
First and foremost, password length. Conventional password rules recommend that we use an 8-character (or shorter) password. If you are operating under these recommendations, you are already at risk. Tools that are widely available for download on the internet, such as Hashcat, can break an 8-character password in less than 60 seconds. The use of short, easily guessable passwords also enables a common attack where an attacker attempts to guess passwords against your Outlook Web Access using known patterns. For example, as we enter the days of summer, many users gear their passwords towards the season. Attackers are wise to this and have been observed using passwords like:
With that attack permanently cemented in our brains, what is a good password length? Typically, it is recommended that password policies require at least 14 characters, as such a password can take thousands of years to crack, but who can remember $877yaijfn&3yf? Simply put: nobody.
We recommend the use of passphrases for your logons. Pick a topic, like movie quotes, and use your favorite movie lines. For example, a good password is: !No Luke I Am Your Father! That’s a 26-character password that is secure and easy to remember. Users can use everything from comic book heroes and motorcycle facts to pop culture quotes. The subject of the passphrase does not really matter; what matters is that passphrases make long password combinations easier to remember and easier to type. Not to mention, if you draw on your favorite movies, changing passwords becomes easier too, because you simply move on to the next quote.
Now that we have addressed password length, the next question is always about how frequently passwords should change. Recent changes in NIST’s stance on this topic have definitely muddied the waters. NIST has shifted to recommending that users should not have to regularly change their password if they are using passphrases; however, if an attacker has gained access to your system, it is fairly easy to get those aged credentials to work. This is why we encourage our customers to continue to regularly change their passwords on a 60 – 90-day interval.
For users, and especially network administrators, managing the ever-increasing list of credentials is a daunting task. For most users, a list managed in a notebook and stored “securely” in the desk drawer is their way of tackling this nuisance. Sadly, this is a better option than the cubicle wall covered in Post-It notes or the unprotected Excel workbook. We recommend the use of a secure password vault to store your sensitive credentials and associated challenge question answers. If your organization already has a password vault that you could use, start using it immediately because the spreadsheet called Passwords.xlsx is an easy target for an attacker to confiscate and even easier to bust through any password protection a user may have implemented on it.
A good option for a password vault is an application called KeePass. It encrypts all of your passwords in a single file that can be backed up to a network share for recovery in the event of a hard drive failure in addition to being able to sync the file to Google Drive for access on a mobile phone when away from the office. There are many other products in the password vault space, KeePass is just one that our office implements because of its ease of use and price point (hint: it’s free).
The use of a password vault can help keep users from reusing passwords. Most password vaults have a way to suggest passwords and can even alter their requirements for the suggested passwords based on user requirements. Continual education on the risks associated with password reuse can also help stamp out the “one password for everything” mentality that is all too common.
To ensure that your employees are adopting the use of password vaults, like KeePass, one thing that we have done in the past is employ the cleaning service to help search for lingering Post-It notes by offering them $5 for every password they find. One time we used this approach, the cleaning staff found 240 passwords and cost around $1,200.
Attention: Network Admins
For years we have been told that you must have two accounts: one for everyday use, and one for domain admin use. Those days are officially gone. With attack tools, like Mimikatz, an attacker has the ability to steal administrative credentials from a compromised machine’s memory that were last used up to 8 hours ago.
In order to limit the attack landscape, administrators should be shifting towards a tiered administrative account structure that creates secure perimeters around groups of workstations and servers. The first phase is creating an administrative account explicitly for workstations, one that has no rights to even log onto servers. From there you will want to group servers by functional role (domain controllers, mail servers, file servers, SQL servers, etc.); feel free to be as detailed as necessary when creating these groups. As you create these functional groups, you will then create a separate set of administrative credentials for each of them. Finally, you will restrict your domain administrator to only be able to log on to your domain controllers. Going forward, each administrator will have a regular set of credentials and then a series of administrative credentials that are only to be used for their specifically targeted machines.
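One way to stand up the structure described above, as an added PowerShell example that is not code from the original article: it creates one admin group per functional role and writes a secedit user-rights template for each role that denies logon to every other role’s admins (and to Domain Admins everywhere except the domain controllers). It assumes RSAT’s ActiveDirectory module, a placeholder domain corp.example, an existing OU named "Admin Groups", and role and group names of my own choosing.

```powershell
# Added example (not from the original article): builds the per-role admin groups
# described above and writes a secedit template per server role that denies
# logon to every other role's admins (and to Domain Admins everywhere except the
# domain controllers). Assumes RSAT's ActiveDirectory module, a placeholder
# domain "corp.example", an existing "Admin Groups" OU and a domain admin session.
Import-Module ActiveDirectory

$GroupOU = "OU=Admin Groups,DC=corp,DC=example"   # placeholder OU path
# Functional roles from the article; each gets its own admin group and credentials.
$Roles = @("Workstations", "DomainControllers", "MailServers", "FileServers", "SqlServers")

# 1. One global security group per role (skipped if it already exists).
foreach ($Role in $Roles) {
    $Name = "Admins-$Role"
    if (-not (Get-ADGroup -Filter "Name -eq '$Name'" -SearchBase $GroupOU)) {
        New-ADGroup -Name $Name -GroupScope Global -GroupCategory Security `
                    -Path $GroupOU -Description "Admin rights limited to $Role"
    }
}

# 2. Security template for one role: "*<SID>" entries under the three deny
#    rights make a workstation admin's credentials useless on a mail server,
#    and vice versa, even if an attacker lifts them from memory.
function New-TierDenyTemplate {
    param([string]$Role, [string[]]$AllRoles)
    $Denied = @($AllRoles | Where-Object { $_ -ne $Role } | ForEach-Object { "Admins-$_" })
    if ($Role -ne "DomainControllers") { $Denied += "Domain Admins" }
    $SidList = ($Denied | ForEach-Object { "*" + (Get-ADGroup $_).SID.Value }) -join ","
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = $SidList
SeDenyRemoteInteractiveLogonRight = $SidList
SeDenyNetworkLogonRight = $SidList
"@
}

# 3. One .inf per role. Import it on a pilot server of that role first with
#    secedit /configure /db tier.sdb /cfg <file> /areas USER_RIGHTS, or paste the
#    same rights into that role's GPO; denying network logon can break remote
#    management from accounts that are not in the role's own admin group.
foreach ($Role in $Roles) {
    New-TierDenyTemplate -Role $Role -AllRoles $Roles |
        Set-Content -Path ".\Deny-OtherTiers-$Role.inf" -Encoding Unicode
}
```

Populate each Admins-&lt;Role&gt; group with that role’s dedicated admin accounts only; the regular, everyday account of each administrator stays out of all of them.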
Once fully implemented, you will have effectively removed an attacker’s ability to escalate to admin-level privileges.
Passwords are the key to keeping both your users and the network safe from unauthorized access. By following these simple, easy-to-use recommendations, you can greatly reduce your risk of compromise with minimal effort from the users and the network administrators.