01 November 2018
Passwords. They are the keys to our digital kingdoms. And these days most organisations will have security controls in place, such as 2 Factor Authentication, to complement the traditional password and help prevent credential stuffing attacks. (sidenote: did you know that 2FA deployed on your Exchange server can be effortlessly bypassed?)
But that doesn't mean we can relax the rules around passwords. They still play a huge part in protecting our data. According to the Verizon 2017 Data Breach Investigations Report, 81% of hacking-related data breaches involve leveraging stolen and/or weak passwords.
And yet time and time again I see organisations enabling "complex" password composition rules and considering the job done. But these rules don't go far enough. Passwords such as Passw0rd, London18 and Qwerty123 would meet most organisations' complexity requirements, and would be amongst the first attempted in a brute-force attack. When conducting security audits I still regularly see passwords containing the company name or office address, e.g. Acme2018 or 17StationRoad.
This is why you should be auditing your passwords. They can provide invaluable insight into understanding the security awareness levels of your staff. A large number of users with weak and predictable passwords can suggest cultural issues, inadequate training, and even identify staff with low levels of engagement — something you can begin to fix.
The cracking stage of a password audit is always going to be the largest limiting factor in terms of time. You don't need to crack all passwords - just the weak ones - and sometimes cracking on your local machine is sufficient. For larger organisations, it's easy enough to spin up an Amazon AWS GPU instance. The p2.16xlarge with 16 GPUs, for example, can work through 130702 MILLION PASSWORDS PER SECOND. Even then it can take a few days to crack upwards of 90%.
You then need to analyse the cracked passwords and determine whether they are good or bad. And who wants to manually analyse thousands of passwords, pick out interesting statistics and create various reports?
To make this process less painful, I have developed a tool called cracke-dit (“Cracked It”) – free and open-source for all – that extracts passwords directly from a Windows Domain Controller, analyses them, and outputs the data in various formats. For example, you can produce a password cloud in seconds:
A sample output of cracke-dit can be found at the bottom of this post.
Passwords are scored for strength using Dropbox's zxcvbn algorithm, where 0 is a bad password and 4 is a good one. To get an idea of how unique users' passwords are, they are also checked against Have I Been Pwned, using k-Anonymity so that only a partial hash, never the password or its full hash, is sent to the service.
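The k-Anonymity lookup is worth seeing in code, because it is what makes it safe to check cracked passwords against a third-party service. The following is an added example written for this post, not cracke-dit's own code: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint, and matches the remaining 35 characters locally against the returned list. The live request function targets the real Pwned Passwords range URL but is not called here; fake_fetch_range and FAKE_BREACH_CORPUS are a constructed offline stand-in with invented counts, used only so that the example runs without network access.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """The k-Anonymity split: only the 5-character prefix is ever sent;
    the remaining 35 characters stay on the auditor's machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """Number of times the password appears in the corpus (0 = not found).
    fetch_range is injected so the same logic runs offline or against the live API."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def live_fetch_range(prefix):
    """Real range query (not used by the offline demo below). The API asks for a
    User-Agent; Add-Padding makes responses a similar size so the number of
    returned suffixes reveals nothing about the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "password-audit-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range endpoint so the example runs offline.
# The "breach counts" are invented; only the protocol shape is real.
FAKE_BREACH_CORPUS = {"Passw0rd": 12345, "Qwerty123": 6789, "London18": 42}


def fake_fetch_range(prefix):
    """Behave like the API: return every (suffix, count) whose hash shares the
    prefix and nothing else, so the client learns nothing about other passwords."""
    lines = []
    for pw, count in FAKE_BREACH_CORPUS.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in ("Passw0rd", "correct horse battery staple"):
        prefix, _ = split_for_range_query(candidate)
        print(f"{candidate!r}: sent prefix {prefix}, "
              f"pwned count {pwned_count(candidate, fake_fetch_range)}")
```

Swapping fake_fetch_range for live_fetch_range turns this into a real check; the only thing that changes is where the five-character prefix goes, which is the whole point of the scheme.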
You can then begin to develop training programmes to improve your staff's password hygiene and general security awareness.
One of the golden rules I've learned from my programming background is to never trust user input. The same applies to passwords and you should plan for them to be compromised at some point. Here are 5 things you should be doing:
- Ensure that wherever a password is used externally, adequate security controls are in place, such as rate limiting and 2 Factor Authentication. Take into account other factors such as login time, geographical location and IP address, and deny login attempts that fall outside the user's usual pattern.
- Teach your users what a good password looks like (hint: a long passphrase). Why is it important? Show examples of good and bad passwords. Make sure this advice is embedded within your induction programme for new joiners.
- Gradually increase the minimum password length to at least 10, ideally 12, characters. Longer passwords increase entropy, which means they are (generally) more secure. Consider rolling out a password manager and adequate training to help with this.
- Audit passwords monthly (or at least quarterly) to identify training needs for users who are still struggling to create strong passwords. Reward staff who are creating better passwords.
- Stop forcing users to reset their password every X days. Yes, it reduces risk but at great cost. Research suggests this leads to users creating weaker passwords over time. Only force users to reset passwords if you believe they have been compromised.
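The first item above, rate limiting combined with a "usual pattern" check, is easy to prototype. The following is an added example written for this post, not code from any product the post mentions. It keeps a per-user sliding window of failed attempts and a profile of the countries and hours at which the user has previously logged in successfully; an attempt is denied once the window fills, and flagged for step-up (for example a forced 2FA prompt) when the country or hour is unfamiliar. The policy values (5 failures per 15 minutes, a 2-hour tolerance) and the login history in demo() are assumptions, and IP address is reduced to country to keep the example short.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginGuard:
    """Per-user rate limiting plus a 'usual pattern' check on country and hour.

    Assumed policy values (not from the post): at most 5 failed attempts in a
    15-minute window, and an hour counts as usual when it is within 2 hours of
    a time the user has logged in successfully before."""

    def __init__(self, max_failures=5, window=timedelta(minutes=15), hour_tolerance=2):
        self.max_failures = max_failures
        self.window = window
        self.hour_tolerance = hour_tolerance
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.profile = defaultdict(lambda: {"countries": set(), "hours": set()})

    def record_success(self, user, country, when):
        """A successful login teaches the profile and clears the failure counter."""
        self.profile[user]["countries"].add(country)
        self.profile[user]["hours"].add(when.hour)
        self.failures[user].clear()

    def record_failure(self, user, when):
        self.failures[user].append(when)
        self._trim(user, when)

    def _trim(self, user, now):
        """Drop failures that have aged out of the sliding window."""
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def decide(self, user, country, when):
        """'deny' when rate-limited, 'step-up' when outside the user's usual
        pattern, otherwise 'allow'. A user with no history is allowed, since
        there is nothing yet to compare against."""
        self._trim(user, when)
        if len(self.failures[user]) >= self.max_failures:
            return "deny"
        p = self.profile[user]
        if p["countries"]:
            usual_country = country in p["countries"]
            # circular distance so 23:00 and 01:00 count as two hours apart
            usual_hour = any(
                min(abs(when.hour - h), 24 - abs(when.hour - h)) <= self.hour_tolerance
                for h in p["hours"]
            )
            if not (usual_country and usual_hour):
                return "step-up"
        return "allow"


def at(hour, minute=0):
    """Constructed timestamp helper on a fixed date so the demo is deterministic."""
    return datetime(2018, 11, 1, hour, minute)


def demo():
    """Walk one constructed user through the policy and return the decisions."""
    guard = LoginGuard()
    guard.record_success("alice", "GB", at(9))   # constructed history
    guard.record_success("alice", "GB", at(14))
    decisions = [
        guard.decide("alice", "GB", at(10)),     # usual country and hour
        guard.decide("alice", "US", at(10)),     # unfamiliar country
        guard.decide("alice", "GB", at(3)),      # unfamiliar hour
    ]
    for i in range(5):                           # five failures inside the window
        guard.record_failure("alice", at(9, i))
    decisions.append(guard.decide("alice", "GB", at(9, 5)))   # rate limited
    decisions.append(guard.decide("alice", "GB", at(9, 30)))  # window has expired
    return decisions


if __name__ == "__main__":
    print(demo())
```

In a real deployment the profile would be persisted and the failure window keyed by source address as well as by user, so that one account cannot be locked out by a single noisy source; the decision structure stays the same.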
cracke-dit sample output
cracke-dit report for acme.local
Local / Domain users: 4/191
Enabled / disabled users: 186/9
Computer accounts: 2 (1.02%)
Passwords cracked: 84/197 (42.64%)
Historic passwords: 0 (0.00%)
Only alphanumeric: 69 (35.03%)
Only digits: 0 (0.00%)
With 'special char': 15 (7.61%)

Top 10 Passwords (by use, score)

Password       Length  Count  Score  Pwned  Users
Porsche2016    11      2      1      1      acme.local\alika.reamy, acme.local\charlene.pietro
Bollocks35     10      2      1      0      acme.local\eden.theobald, acme.local\tami.priscella
Amanda175      9       2      0      0      acme.local\bernelle.farman, acme.local\lanna.menken
Rasputin2016   12      1      2      0      acme.local\colline.davon
Dragoon2016    11      1      2      0      acme.local\kattie.duff
Prophet2016    11      1      2      0      acme.local\sharia.ramey
Bounce2016     10      1      2      0      acme.local\lauretta.cyn
Groove2016     10      1      2      2      acme.local\shena.fernas
Passwords2016  13      1      1      0      acme.local\cheslie.codd
Godzilla2016   12      1      1      0      acme.local\lenna.mun

Top 10 Worst Passwords (by score, length)

Password   Length  Count  Score  Pwned  Users
Admiral!   8       1      0      4      acme.local\kimberlyn.wilmott
Beavis24   8       1      0      8      acme.local\leoine.kristi
Bigmac44   8       1      0      8      acme.local\denna.bartel
Briana48   8       1      0      0      acme.local\evangelin.adeline
Casino45   8       1      0      13     acme.local\beverley.donaldson
Chipper!   8       1      0      3      acme.local\janella.popelka
College!   8       1      0      39     acme.local\minny.kinghorn
Connie23!  8       1      0      11     acme.local\glynda.geller
Daniel96   8       1      0      343    acme.local\marlie.maurilla
Ddddddd6   8       1      0      6      acme.local\lanita.marte
Password length distribution
8: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ 32 (16.24%)
9: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ 25 (12.69%)
10: ▇▇▇▇▇▇▇▇▇▇▇▇▇▇▇ 15 (7.61%)
11: ▇▇▇▇▇▇▇ 7 (3.55%)
12: ▇▇▇▇ 4 (2.03%)
13: ▇ 1 (0.51%)
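The analysis behind a report like the one above (the composition counts, the length histogram and the list of users who need training) comes down to a handful of checks over the cracked list. The following is an added example written for this post, not cracke-dit's own code. It takes a constructed mapping of users to cracked passwords (the usernames reuse the report's format, but the pairing is made up), flags the patterns the post calls out (company name or address, a single word padded with digits or a symbol, repeated characters) and produces the same kind of figures. The score is a simple stand-in heuristic rather than zxcvbn, and ORG_TOKENS is an assumed list of terms an auditor would supply for the organisation.

```python
import re
from collections import Counter

# Constructed sample: usernames follow the report's format, but the
# user-to-password pairing here is made up and is not the report's data.
SAMPLE_CRACKED = {
    "acme.local\\alika.reamy": "Porsche2016",
    "acme.local\\charlene.pietro": "Porsche2016",
    "acme.local\\eden.theobald": "Bollocks35",
    "acme.local\\kimberlyn.wilmott": "Admiral!",
    "acme.local\\marlie.maurilla": "Daniel96",
    "acme.local\\lanita.marte": "Ddddddd6",
    "acme.local\\user.one": "Acme2018",
    "acme.local\\user.two": "17StationRoad",
    "acme.local\\user.three": "correct horse battery staple",
}

# Assumed: terms the auditor supplies for this organisation (company name,
# office address fragments), compared case-insensitively.
ORG_TOKENS = ["acme", "stationroad"]

# One alphabetic word, optional trailing digits, optional single trailing symbol:
# the "Word2016", "Daniel96" and "Admiral!" shapes seen in the report.
WORD_PADDED = re.compile(r"^[A-Za-z]+\d*[^A-Za-z0-9]?$")
REPEATED = re.compile(r"(.)\1{3,}")  # the same character four or more times in a row


def classify(password, org_tokens=ORG_TOKENS):
    """Composition facts and weak-pattern flags for one password."""
    lowered = password.lower()
    return {
        "length": len(password),
        "only_alnum": password.isalnum(),
        "only_digits": password.isdigit(),
        "has_special": any(not c.isalnum() for c in password),
        "org_term": any(tok in lowered for tok in org_tokens),
        "word_padded": WORD_PADDED.match(password) is not None,
        "repeated": REPEATED.search(password) is not None,
    }


def score(password, org_tokens=ORG_TOKENS):
    """Stand-in 0-4 score (NOT zxcvbn): anything containing a company term is 0;
    otherwise penalise short length and up to two weak patterns."""
    facts = classify(password, org_tokens)
    if facts["org_term"]:
        return 0
    weak = sum(facts[k] for k in ("word_padded", "repeated", "only_digits"))
    s = 4 - (facts["length"] < 12) - (facts["length"] < 10) - min(weak, 2)
    return max(s, 0)


def summarise(cracked, org_tokens=ORG_TOKENS):
    """Aggregate per-user results into the figures a report would show."""
    facts = {user: classify(pw, org_tokens) for user, pw in cracked.items()}
    scores = {user: score(pw, org_tokens) for user, pw in cracked.items()}
    return {
        "total": len(cracked),
        "only_alnum": sum(f["only_alnum"] for f in facts.values()),
        "only_digits": sum(f["only_digits"] for f in facts.values()),
        "has_special": sum(f["has_special"] for f in facts.values()),
        "org_term": sum(f["org_term"] for f in facts.values()),
        "lengths": Counter(f["length"] for f in facts.values()),
        "scores": Counter(scores.values()),
        "top_passwords": Counter(cracked.values()).most_common(10),
        # Users whose password scored 0 or 1: the training list the post describes.
        "needs_training": sorted(u for u, s in scores.items() if s <= 1),
    }


def bar(count, total, width=40):
    """One row of the length histogram in the report's style."""
    blocks = "▇" * max(1, round(width * count / total))
    return f"{blocks} {count} ({100 * count / total:.2f}%)"


if __name__ == "__main__":
    report = summarise(SAMPLE_CRACKED)
    t = report["total"]
    print(f"Only alphanumeric: {report['only_alnum']} ({100 * report['only_alnum'] / t:.2f}%)")
    print(f"With 'special char': {report['has_special']} ({100 * report['has_special'] / t:.2f}%)")
    print(f"Contain a company term: {report['org_term']}")
    print("Password length distribution")
    for length, n in sorted(report["lengths"].items()):
        print(f"{length}: {bar(n, t)}")
    print("Needs training:", ", ".join(report["needs_training"]))
```

The org-term check is the one most audits skip and the one that catches the Acme2018 and 17StationRoad cases from earlier in the post; feeding it the company name, product names and office addresses costs nothing and immediately separates "meets the complexity policy" from "would be guessed first".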