Unveiling the Tactics: How Hackers Exploit Compromised Passwords, and How to Protect Against Them
There are dozens, if not hundreds, of possible causes behind leaked passwords. Sometimes they’re the result of a simple mistake. Other times they’re the result of an intricate scheme. We’ll look at a few of the most common causes below.
Weak passwords and password reuse across multiple accounts
One of the most common causes of compromised passwords is the use of weak passwords that are easy to guess. Simple passwords such as “A123456$”, “Password1” or “Password$1” are effortless for attackers to crack, even though Active Directory may consider them strong passwords.
Additionally, reusing passwords across multiple accounts significantly elevates the risk. If one account is breached, all accounts using the same password are potentially compromised.
But I am within an enterprise; should I worry? Yes: the mistakes listed above are prevalent in enterprises. Let us first understand how hackers obtain credentials.
Understanding the mechanisms and techniques behind password compromises is essential for effective protection. The sophistication and variety of these breaches highlight the need for robust security measures and informed user practices. By learning about the risks, individuals and organizations alike can better anticipate and mitigate them.
Are users using passwords that are already compromised?
Over 2 billion such passwords, along with their password hashes, have been breached. Hackers have access to these passwords in clear text, so breaking into an account that uses one of them is very simple. The complete database is available here: https://downloads.pwnedpasswords.com/passwords/pwned-passwords-ntlm-ordered-by-hash-v8.7z
Because the database is ordered by hash, an attacker who holds a password hash can look it up directly and recover the password, circumventing the need to try every possible password combination.
Password cracking
Password cracking is a method used by cybercriminals to gain unauthorized access to accounts by essentially “guessing” passwords.
Brute force attacks
Brute force attacks involve systematically checking all possible password combinations until the correct one is found. This method is simple but can be effective against weak passwords. The time it takes to crack a password by brute force depends on its length and complexity.
Dictionary attacks
Dictionary attacks use a list of common words and phrases to guess passwords. Unlike brute force attacks that try every combination, dictionary attacks rely on the likelihood that someone is using common words or simple variations of them as their password.
Let us look at what counts as a strong password
According to the Microsoft Active Directory “strong” password policy, any user password meeting the requirements below is considered strong.
Password must contain three of the following:
- Numeric digits
- Upper case letters
- Lower case letters
- Special characters
Additionally:
- The new password can’t be the same as any of the last 10-15 passwords
- Minimum password length is 8 characters
Simply enforcing the Microsoft Active Directory password policy above does not guarantee that users are choosing strong passwords. A user can easily set a password like “Password1”; it passes the Active Directory policy because it meets every requirement listed above, yet it is very weak. Many such passwords sail through the Active Directory password policy, and users who choose them become prime targets. As an IT admin, it is impossible for you to know who is using which passwords.
This is what you get out of the box from Microsoft.
Why is this critical now?
Because, as noted above, over 2 billion breached passwords and their password hashes are freely downloadable (https://downloads.pwnedpasswords.com/passwords/pwned-passwords-ntlm-ordered-by-hash-v8.7z), and the default Active Directory policy does nothing to stop a user from choosing one of them.
Solution:
CionSystems password protection service (https://cionsystems.com/register/ )
Stop users from using breached passwords. We find that 90% of enterprise users are still using these passwords. Don’t become another hack statistic. Strengthen and enforce “real” strong password policies: the default Active Directory password complexity requirements are not sufficient. With CionSystems’ ADGuardian – Password Protector, take control of what a good password means to your enterprise.
- Easily adopt the NIST password recommendations in part, or in full
- Block over 2 billion compromised passwords from being used
- Audit Active Directory for compromised passwords, automatically require password change from users for compromised passwords immediately
- Stop duplicate passwords; quickly find out who is using the same password
- Enforce stronger password policies for privileged and service accounts
- Require password changes for service accounts that may not have been changed for a long time
- Block passwords based on certain words
- Define complexity policies based on length
- Regular expression-based policies
- Points-based complexity, and more
Easily adopt any of the following policies, or combinations of them, for the organization:
- Passwords must match a specified expression
- Passwords must meet specified number of complexity points
- Enable length-based complexity rules
- Minimum password length
- Reject passwords that contain the user account name
- Reject passwords that contain the user display name
- Reject passwords found in the compromised password store
- Reject normalized passwords found in the compromised password store
- Reject normalized passwords found in the banned word store
- Passwords must not match a specified expression
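As an added example (not CionSystems’ code or ADGuardian’s implementation), here is a Python checker that applies the default Active Directory complexity rule described above and then the compromised-store, normalized-password, banned-word and account-name checks from the policy list. The hash store, banned words and account name are constructed sample data; SHA-1 stands in for the NTLM (MD4) hashes of the real list, and the lookup is a binary search to mirror an ordered-by-hash file.

```python
import bisect
import hashlib
import re

# Constructed sample store (not the real 2-billion list). The file linked above holds
# NTLM hashes sorted by hash; SHA-1 stands in here because MD4 is not in every hashlib.
def pw_hash(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

COMPROMISED_STORE = sorted(pw_hash(p) for p in ("Password1", "password", "A123456$", "welcome1"))
BANNED_WORDS = {"password", "welcome", "cionsystems"}  # assumed organisation word list

def in_store(h: str) -> bool:
    """Binary search, as one would do against an ordered-by-hash file."""
    i = bisect.bisect_left(COMPROMISED_STORE, h)
    return i < len(COMPROMISED_STORE) and COMPROMISED_STORE[i] == h

def meets_ad_complexity(pw: str) -> bool:
    """Default AD rule from the text: at least 8 chars and three of the four classes."""
    classes = (
        any(c.isdigit() for c in pw),
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return len(pw) >= 8 and sum(classes) >= 3

LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})

def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols and undo common substitutions,
    so 'P@ssw0rd1!' and 'Password$1' both collapse to 'password'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower()).translate(LEET)

def evaluate(pw: str, account_name: str = "") -> list[str]:
    """Return the reasons a password would be rejected; an empty list means accepted."""
    reasons = []
    if not meets_ad_complexity(pw):
        reasons.append("fails AD complexity")
    if account_name and account_name.lower() in pw.lower():
        reasons.append("contains account name")
    if in_store(pw_hash(pw)):
        reasons.append("found in compromised store")
    base = normalize(pw)
    if base != pw and in_store(pw_hash(base)):
        reasons.append("normalized form found in compromised store")
    if base in BANNED_WORDS:
        reasons.append("normalized form is a banned word")
    return reasons
```

Running `evaluate("Password$1")` shows the gap the text describes: the password satisfies the AD rule but is rejected because its normalized form is in the compromised store and the banned-word list.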
What is at Stake for Enterprises
Unauthorized access to Enterprise Assets
The most immediate consequence of a compromised password is unauthorized access. With this access, hackers can misuse personal accounts, corporate systems, or sensitive databases for malicious activities.
Data theft
Compromised passwords often lead to general data theft, including personal information, confidential business data, and proprietary intellectual property. This can have severe privacy implications for individuals and competitive disadvantages for businesses.
Financial loss
Financial loss is a significant risk associated with compromised passwords. Losses can range from unauthorized purchases and transactions to more extensive financial fraud, impacting organizations.