If you work in marketing you are probably walking around telling everyone that we all live in a ZERO trust era, that PASSWORDS are DEAD! Ransomware is DEAD and AI is the FUTURE and we should be doing that NOW!
Meanwhile, back on CYBER PLANET EARTH, most organisations do NOT have or need AI, they use passwords, and well, the passwords they use are shockingly bad! How do I know this? I do password audits and security testing, but I also look at breach data! (and other people publish password audit reports etc.)
Now obviously there are things people can do to help in this space: we can deploy additional controls like MFA, monitoring, breach monitoring, password hash audits, prevention systems and better password policies, and we can try training people (but seriously, training people not to have weak passwords is sort of like saying to a kid, don’t touch the fire, it’s hot; they still do it!).
So what kind of weak passwords do I see on a regular basis? Well, they look a bit like this (this is not exhaustive!):
Commonly bad/weak/insecure password themes:
- the town/city name of the office locations
- the industry vertical
- building names of the org
- days of the week
- months
- seasons
- names
- football/sports teams
- “Password” and variants of it
- common dictionary words
Now to make them comply with the “typical” password policies (must contain UPPER, LOWERCASE, NUMBERS and SPECIAL CHARS) people then do things like this:
Add !, #, !!, and the YEAR (either XX or XXXX), commonly on the end, and then:
- suffix numbers 1-X
- Prefix numbers
- Do some character substitution.
- Make the first letter Capital1!
And there we have it: with this knowledge we will normally crack a large range of passwords without spending too much electricity.
And we haven’t even touched on using OSINT, dumping data, scraping public websites and reviews, and adding in target- and person-specific targeting! So much can be done to ARM yourself as an attacker to get at those JUICY passwords!
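As an added example (not code from the original post), here is a small Python policy check that applies the list above the other way round: it peels off the year, number and special-character padding and undoes the usual character substitutions before comparing the remainder against a deny-list of weak base words. The deny-list and substitution map here are constructed for illustration; an organisation would load its own office towns, building names and team names plus a breach-derived wordlist.

```python
import re
from typing import Optional

# Constructed deny-list standing in for an organisation's own list: office towns,
# building names, industry terms, calendar words, local sports teams and the
# classic "password". A real deployment would load this from a file.
WEAK_BASES = (
    "password", "welcome", "qwerty",
    "london", "manchester", "finance", "headquarters",
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
    "january", "february", "march", "april", "may", "june", "july", "august",
    "september", "october", "november", "december",
    "spring", "summer", "autumn", "winter",
    "arsenal", "liverpool", "chelsea",
)

# Undo the common character substitutions (0->o, @->a, $->s, ...).
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})

# Trailing padding: a run of digits (covers 1-9999 and 2-/4-digit years) or a run
# of the usual specials. Leading padding: a short run of digits.
TRAILING = re.compile(r"(\d{1,4}|[!#@$*?.]+)$")
LEADING = re.compile(r"^\d{1,4}")


def normalise(candidate: str) -> str:
    """Strip the policy-satisfying decoration and undo substitutions so that
    'W1nter2023!!' and 'winter' compare equal."""
    s = candidate.lower()
    prev = None
    while prev != s:  # keep peeling until nothing more comes off
        prev = s
        s = TRAILING.sub("", s)
        s = LEADING.sub("", s)
    return s.translate(LEET_MAP)


def check_password(candidate: str, min_length: int = 12) -> Optional[str]:
    """Return None if the candidate is acceptable, else a short rejection reason."""
    if len(candidate) < min_length:
        return "too short"
    base = normalise(candidate)
    if len(base) < 4:
        return "mostly padding (digits and specials around almost nothing)"
    for weak in WEAK_BASES:
        # exact match, or a long weak word embedded in a longer string
        if base == weak or (len(weak) >= 6 and weak in base):
            return f"derived from weak word '{weak}'"
    return None


if __name__ == "__main__":
    for pw in ("Winter2023!!", "L1verp00l2024!", "Pa$$w0rd!!!!",
               "12345678!!!!", "correct-horse-battery-staple"):
        print(f"{pw!r:32} -> {check_password(pw) or 'ok'}")
```

The normalisation is deliberately aggressive: it is better for a policy check to ask for a different password than to let "Manchester2024!" through because the exact string is not in the list.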
Defending
If you want to defend against modern authentication attacks you will need MODERN thinking…
- Can you defend against a brute force attack (vertical)?
- Can you defend against a low and slow horizontal credential guessing/stuffing attack that uses rotating proxies and “normal” user agents?
I think we need a dedicated defence blog about these! The second one is commonly not well defended against and is also MUCH harder to defend against! Not having CRAP passwords goes a long way in the defence realm (but that’s not a silver bullet, you need a layered defence!)
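To make the two questions concrete, here is an added Python example (not from the original post) that runs simple detection logic over a constructed authentication log. A per-user failure count catches the noisy vertical brute force, and a per-IP distinct-username count catches a spray from a single source; the low and slow horizontal attack, where each rotating source IP tries one username once, only shows up when you aggregate failures across the whole tenant per time window. The log format, IP addresses, thresholds and sample traffic are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# Regex for the constructed log format used below (not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) ip=(?P<ip>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)"
)
EPOCH = datetime(1970, 1, 1)
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse(lines: Iterable[str]) -> List[dict]:
    """Turn log lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], TS_FMT)
            events.append(e)
    return events


def detect(events: List[dict], window: timedelta = timedelta(hours=1),
           vertical_threshold: int = 10, spray_users: int = 8) -> List[Tuple[str, str, int]]:
    """Return (kind, key, count) alerts for each time window."""
    fails_by_user = defaultdict(lambda: defaultdict(int))   # bucket -> user -> fails
    users_by_ip = defaultdict(lambda: defaultdict(set))     # bucket -> ip -> users
    ips_by_user = defaultdict(lambda: defaultdict(set))     # bucket -> user -> ips
    for e in events:
        if e["result"] != "FAIL":
            continue
        b = (e["ts"] - EPOCH) // window  # naive arithmetic, so no tz surprises
        fails_by_user[b][e["user"]] += 1
        users_by_ip[b][e["ip"]].add(e["user"])
        ips_by_user[b][e["user"]].add(e["ip"])

    alerts = []
    for b in sorted(fails_by_user):
        start = (EPOCH + b * window).strftime(TS_FMT)
        # Vertical: many failures against one account.
        for user, n in fails_by_user[b].items():
            if n >= vertical_threshold:
                alerts.append(("vertical", user, n))
        # Loud spray: one source hitting many accounts.
        for ip, users in users_by_ip[b].items():
            if len(users) >= spray_users:
                alerts.append(("spray_from_ip", ip, len(users)))
        # Low and slow spray: many accounts with one or two failures each,
        # spread over many sources, so neither per-user nor per-IP counts trip.
        low = [u for u, n in fails_by_user[b].items() if n <= 2]
        ips = set().union(*(ips_by_user[b][u] for u in low)) if low else set()
        if len(low) >= spray_users and len(ips) >= spray_users // 2:
            alerts.append(("distributed_spray", start, len(low)))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample log: a little benign traffic, one vertical brute force
    and one low-and-slow spray from ten rotating source addresses."""
    base = datetime(2024, 5, 1, 10, 0, 0)

    def line(t, ip, user, result):
        return f'{t.strftime(TS_FMT)} ip={ip} user={user} result={result} ua="Mozilla/5.0"'

    lines = [
        line(base + timedelta(minutes=30), "192.0.2.10", "alice", "OK"),
        line(base + timedelta(minutes=20), "192.0.2.11", "carol", "FAIL"),
        line(base + timedelta(minutes=21), "192.0.2.11", "carol", "OK"),
    ]
    for i in range(12):  # 12 failures against bob from one IP in two minutes
        lines.append(line(base + timedelta(minutes=5, seconds=10 * i), "203.0.113.5", "bob", "FAIL"))
    for i in range(10):  # one guess per user, each from a new IP, five minutes apart
        lines.append(line(base + timedelta(minutes=1 + 5 * i), f"198.51.100.{i + 1}", f"user{i:02d}", "FAIL"))
    return sorted(lines)


if __name__ == "__main__":
    for alert in detect(parse(build_sample_log())):
        print(alert)
```

Note which signal fires for the slow attack: no single IP and no single account looks abnormal, which is exactly why per-IP lockout and per-account lockout both miss it. The tenant-wide view is also the one where the "one failure per account" shape of a spray is hard for the attacker to hide.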
As always:
- Strong Authentication Controls
- MFA
- Monitoring
- Audits
- Security Testing
- Training
Defending is about having a holistic approach!
Also it’s worth checking out the NCSC UK Guidance about password policies: