This article is more than 1 year old

How to plan a password security project

First, you need to prove to the budget holder that you’ve got a problem

Sponsored: Weak password security is a torment that afflicts networks in so many ways. On the user side is the certainty of hopeless and reused passwords, while on the attacker’s side is a gamut of techniques for targeting them such as phishing, credential stuffing, brute forcing, and spotting backdoors to hidden applications such as RDP, SSH, and shadow IT.

Formulating a credible plan to cope with all this is a big job. Overhauling an organisation’s password security design requires investment, and that implies a properly thought-out rationale to present to budget holders. How should security pros go about creating such a thing?

The first job is to explain the threats and the risk of doing nothing. Fortunately, there’s no shortage of evidence, starting with the effect weak password management is having on other organisations. The steady increase in the number and diversity of attacks is hard to miss. According to Verizon’s industry-standard 2020 Data Breach Investigations Report (DBIR), of the 3,950 confirmed data breaches it analysed from the previous year, over 80 per cent involved stolen or brute-forced credentials.

For cautionary tales, take your pick. In early 2020, Marriott International confirmed hackers had used the logins of two franchise employees to pilfer the account data of up to 5.2 million guests, an incident that shows how even small compromises can lead to outsize problems. Then there’s the whole issue of the numerous companies caught out by the SamSam ransomware, which specialises in brute-forcing Microsoft RDP passwords using simple tools such as nlbrute. According to Sophos, that netted the gang behind it at least $6 million in ransoms to the middle of 2018. Almost all ransomware campaigns use the same password hacking technique.

Tooled up

Organisations must next take on the ugly job of finding their password failures. A security company wedded to the back-to-basics approach on this is password and authentication specialist Specops, which recommends starting with an audit using the company’s Password Auditor, a Windows Active Directory (AD) tool which can be downloaded free of charge to generate a risk score report.

“You need to prove to the budget holder that you’ve got a problem,” says Darren James, Specops’ product specialist. Without making any changes, the tool analyses the AD password policies it finds, checking a range of attributes such as password rules (minimum length, for example), lockout policy, password age, how many have expired, and how a policy compares to industry best practice. It can also document the Fine-Grained Password Policies (FGPP) feature introduced with Windows Server 2008 to allow admins to set different password policies within the same domain.

Most usefully of all, it compares the user password hashes it finds to a Specops database containing 738 million password hashes drawn from an even larger collection the company has gathered from leaked passwords on the Internet.

“It will tell you the names of all of your users with matching hashes. That tends to light a large fire. With that information you can show the person with the purse strings how big the problem is.” In many cases, these passwords are simply predictable passwords everyone chooses, hence their appearance in the database. That’s a simple upgrade from day one of any project that allows admins to quickly reach out to affected users and get them to change their easily guessed passwords to something stronger. There should be no escaping this. “You can run the report as many times as you like,” says James.

The best result he has ever seen from a customer’s first Password Auditor scan was a compromise rate of 25 per cent, while the worst was 82 per cent. “Using Password Auditor, we find that zero users eventually show up.”

That said, sizing the problem is the easy bit. The next and more complex stage is to stop users from setting bad passwords in the first place, which requires devising new policies or overhauling obsolete rules. Here you hit two problems – inventing new policies that don’t simply make life incredibly hard for users and struggling with the limitations of implementing new policies in Windows AD itself.

“What you have natively in Windows directory has never been good enough,” says James, lamenting the inadequacy of mandating passwords of only eight characters drawn from only three of four character types accessible on keyboards [upper case, lower case, digits, special characters]. “Password1! is a perfectly secure password according to those complexity rules. You can tell people what the password policy is but using standard AD tools there is zero way of enforcing it.”

Obviously, setting longer passwords is better - 15 characters or more ramps up complexity by an order of magnitude and induces Windows AD to use more secure hashing - ideally with high entropy that uses as many character types as possible. But asking users to remember a password built from such involved rules is likely to be self-defeating. Instead, Specops recommends moving from passwords to passphrases made up of at least three random words. According to James, these will be easier for users to remember and far less likely to be written down.

“You also need to get across to people that they shouldn’t reuse those passphrases. If they start setting the same passphrase on their Facebook account, it only takes one of those other sites to get compromised and it’s out there in the open. Users will also take as many shortcuts as they can. Maytheforcebewithyou is on our database of leaked passwords.”

Despite the UK’s NCSC advising against enforcing regular expiry, James recommends organisations still set a basic expiry on both passwords and passphrases to counter a slide into re-use. How long this period should be will depend on the privileges attached to that user balanced with the disruption likely to be caused by regular password changes. A trick James recommends here is to reward users for setting longer or more complex passphrases with expiries of up to a year.

Stuff and spray

One pitfall is users simply resetting the same passphrase with only minor changes. This is where organisations need sophisticated tools that allow them to impose more complex rules. The Specops approach in its Password Policy product is to use regular expressions (regex) to create an infinite variety of rules. For example, a basic regex might demand that a password or phrase uses certain character sets, that the passphrases have spaces or dots between words, that words shouldn’t be repeated, and shouldn’t be predictable (so no one.two.three.four.five or mycompany.password1).

“Companies need to come up with a definition of what a secure passphrase should be as long as they can exceed the 15-character minimum,” argues James.
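
The rules discussed above (the native three-of-four complexity rule as the article describes it, and regex-style passphrase rules with a 15-character minimum) can be compared side by side. This is an added example, not Specops' product code; the deny list, the 0.8 similarity threshold and the function names are assumptions for illustration, and the previous passphrase is assumed to be available because the user supplies it when changing it.

```python
import re
from difflib import SequenceMatcher

MIN_LENGTH = 15   # the 15-character minimum quoted in the article
MIN_WORDS = 3     # "at least three random words"
# Constructed deny list; a real policy would hold organisation-specific terms.
PREDICTABLE = {"password", "mycompany", "one", "two", "three", "four", "five"}
SEPARATORS = re.compile(r"[ .]+")   # words are split on spaces or dots
LETTERS = re.compile(r"[a-z]+")
SIMILARITY_LIMIT = 0.8              # assumed threshold for "minor changes"


def native_ad_complexity(pw):
    """Rule as the article describes it: 8+ chars, three of four character types."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3


def passphrase_violations(candidate, previous=""):
    """Return the names of the rules the candidate breaks (empty list = accepted)."""
    problems = []
    words = [w.lower() for w in SEPARATORS.split(candidate.strip()) if w]
    if len(candidate) < MIN_LENGTH:
        problems.append("too_short")
    if len(words) < MIN_WORDS:
        problems.append("too_few_words")
    if len(set(words)) != len(words):
        problems.append("repeated_word")
    # Drop digits and symbols so that "password1" still matches "password".
    stems = {"".join(LETTERS.findall(w)) for w in words}
    if stems & PREDICTABLE:
        problems.append("predictable_word")
    # Catch a reset that is the old passphrase with only minor edits.
    if previous:
        ratio = SequenceMatcher(None, candidate.lower(), previous.lower()).ratio()
        if ratio > SIMILARITY_LIMIT:
            problems.append("too_similar_to_previous")
    return problems


if __name__ == "__main__":
    for pw in ["Password1!", "one.two.three.four.five", "mycompany.password1",
               "copper lantern orbit walrus"]:   # constructed samples
        print(pw, native_ad_complexity(pw), passphrase_violations(pw))
```

Word-shape rules like these do not catch a single run-together phrase such as Maytheforcebewithyou beyond its missing separators, which is why the article pairs them with a check against leaked passwords.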

The ultimate measure of any new password policy is how well it will cope with credential stuffing, spraying and brute forcing attacks. There are also blind spots to watch out for such as weak password reset procedures relying on parameters such as questions attackers can beat with a little social media research. The solution to guard against those is to implement at least dual factor authentication.

“With everyone working from home these days, they are logging in with unusual devices. These will be running in an uncontrolled environment and network. You have a lot more risk and that makes multi-factor authentication a must.”

In this kind of external environment, it’s clear that a password should never be a single factor. The destiny of even the best password policy is that a second factor will eventually be needed. Could organisations solve their problems by abandoning passwords altogether and turning to other factors?

In a rosy future, that might lead to the passwordless network, but until then organisations must continue to use passwords for lots of perfectly good reasons, including their familiarity to end users, the need to integrate legacy systems, and the sheer cost of starting from scratch with something new.

“The death of the password has been predicted for the last 20 years yet we’re still having this conversation today. The password remains the simplest and cheapest way a programmer can identify a user.”

Moving to smartphone-based biometrics or Windows Hello for Business is desirable if organisations are willing to invest in the hardware but not an excuse for ignoring the fundamental role of the password itself. In theory, organisations could move to MFA-enabled web apps, but the reality of older applications built around passwords means that the day the last password is used could still be decades in the future.

“You’d need to migrate all of this legacy data from those platforms to MFA platforms,” says James.

With remote working increasingly the norm, 2020 could be the best moment to take on password reform. The risks have grown, making users and organisations more open to change.

“At last, security projects designed to make these environments more secure are meeting a lot less resistance.”

Sponsored by Specops
