A password can refer to any string of characters or secret used to authenticate an authorized user to a resource. Passwords are typically paired with a username or other mechanism to provide proof of identity.
Credentials are involved in most breaches today. Forrester Research has estimated that compromised privileged credentials are involved in about 80% of breaches. When a compromised account has privileges, the threat actor can easily circumvent other security controls, perform lateral movement, and crack other passwords. This is why highly privileged credentials are the most important of all credentials to protect.
Often, a threat actor will first target a systems administrator since their credentials may have privileges to directly access sensitive data and systems. Such privileged credentials enable the cybercriminal to move laterally while arousing little or no suspicion. Once a threat actor has compromised credentials, everything privileged to that account is now fair game for the attacker.
Attackers seek to learn basic information about the password policy, such as minimum and maximum password length and the complexity rules. For example, must the password contain upper-case and lower-case letters, numbers, symbols, or a combination? Attackers are also interested in learning about restrictions on the passwords. These parameters could be:
In this section, we will look at common password cracking techniques. Some of these techniques overlap in tools and methodologies. Attackers often blend multiple, complementary tactics to improve their chances of success.
If the threat actor knows the password length and complexity requirements of the target account, the dictionary is customized to the target. Advanced password crackers often use a dictionary and mix in numbers and symbols to mimic a real-world password with complexity requirements.
A weakness of dictionary attacks is that they rely on real words, and derivations of them, supplied by the default dictionary or by the user of the tool. If the real password is fictitious, mixes multiple languages, or uses more than one word or phrase, it should thwart a dictionary attack.
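The defensive counterpart of the dictionary attack described above is to reject new passwords that are only cosmetic mutations of a dictionary word. The following is an added example written for this page, not the author's code; it undoes common character substitutions and strips appended digits and symbols before checking a constructed sample wordlist, so "Dr@g0n2024!" is recognized as "dragon".

```python
import re

# Constructed sample wordlist; a real check would load a large leaked-password list.
WORDLIST = {"dragon", "password", "winter", "summer", "welcome", "letmein"}

# Common character substitutions that crackers apply to dictionary words, and that
# users apply to satisfy complexity rules. The check undoes them before lookup.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})


def normalizations(candidate: str) -> set[str]:
    """Return plausible base words the candidate may have been derived from.

    Trailing/leading digits and symbols are stripped before the substitutions
    are undone, so "Dr@g0n2024!" -> "dr@g0n" -> "dragon", while "$ummer2023"
    keeps its leading "$" long enough to become "summer".
    """
    s = candidate.lower()
    trail = re.sub(r"[^a-z]+$", "", s)          # strip appended "2024!", "!!", ...
    both = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)  # also strip a prepended "1" or "#"
    return {trail.translate(LEET), both.translate(LEET)}


def is_dictionary_derived(candidate: str, wordlist=WORDLIST) -> bool:
    """True when the password is a wordlist entry with only cosmetic mutations."""
    return any(base in wordlist for base in normalizations(candidate))


if __name__ == "__main__":
    for pw in ["Dr@g0n2024!", "$ummer2023", "P@ssw0rd!", "correct horse battery", "xq7vB!pL2"]:
        print(f"{pw:24s} dictionary-derived: {is_dictionary_derived(pw)}")
```

The heuristic is deliberately simple; a production check would also split multi-word passwords and use a much larger list.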
Brute force password attacks use a programmatic method to try all possible combinations for a password. This method is effective against passwords that are short in character length and low in complexity. It can become infeasible, even for the fastest modern systems, with a password of eight characters or more.
If a password only has alphabetical characters, including capital letters or lowercase, it could take 8,031,810,176 guesses to crack. This assumes the threat actor knows the password length and complexity requirements. Other factors include numbers, case sensitivity, and special characters in the localized language.
With the proper parameters dialed in, a brute force attack will always find the password, eventually. The computing power required and the length of time it takes often render a brute force attack moot by the time it has completed. The time it takes to perform the attack is determined by the time it takes to generate all possible password permutations; the response time of the target system is then factored in.
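To make the keyspace arithmetic above concrete, here is an added example (written for this page, not the author's code) that computes how many candidates a brute force run must exhaust, with and without knowledge of the password length, and converts that to worst-case time at an assumed guess rate. The 26^7 case reproduces the 8,031,810,176 figure quoted above; the 10 billion guesses per second rate is an assumption for illustration.

```python
from datetime import timedelta

# Character-class sizes; localized alphabets and extra symbols change these.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33   # 33 printable ASCII symbols


def keyspace(charset_size: int, length: int, known_length: bool = True) -> int:
    """Number of candidates a brute force run must try in the worst case.

    With the length known, only charset_size**length strings are possible. Without
    it, every shorter length has to be exhausted too (sum of a geometric series).
    """
    if known_length:
        return charset_size ** length
    return sum(charset_size ** n for n in range(1, length + 1))


def time_to_exhaust(candidates: int, guesses_per_second: float) -> timedelta:
    """Worst-case wall-clock time; on average the right guess arrives at half of this."""
    return timedelta(seconds=candidates / guesses_per_second)


def strength_table(length: int, guesses_per_second: float) -> dict[str, timedelta]:
    """Worst-case time for one length across increasingly large character sets."""
    sets = {
        "lowercase only": LOWER,
        "mixed case": LOWER + UPPER,
        "mixed case + digits": LOWER + UPPER + DIGITS,
        "mixed case + digits + symbols": LOWER + UPPER + DIGITS + SYMBOLS,
    }
    return {name: time_to_exhaust(keyspace(size, length), guesses_per_second)
            for name, size in sets.items()}


if __name__ == "__main__":
    # 26 letters at a known length of 7 gives the 8,031,810,176 guesses quoted above.
    print(f"{keyspace(26, 7):,}")
    # Not knowing the length costs the attacker every shorter length as well.
    print(f"{keyspace(26, 7, known_length=False):,}")
    for name, t in strength_table(8, 1e10).items():   # assumed rate: 1e10 guesses/s
        print(f"{name:32s} {t}")
```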
Credential stuffing is an automated hacking technique that uses stolen credentials. These credentials comprise lists of usernames, email addresses, and passwords. The technique generally leverages automation to submit login requests against an application and to capture successful logins for future exploitation.
Credential stuffing attacks do not attempt to brute force or guess any passwords. The threat actor automates authentication based on previously discovered credentials using customized tools. This approach can entail launching millions of attempts to determine where a user potentially reused their credentials on another website or application.
Password spraying is a credential-based attack that attempts to access many accounts by using a few common passwords. Conceptually, this is the opposite of a brute force password attack, which attempts to gain access to a single account by submitting large quantities of password combinations.
The threat actor tries every user account in their list with the same password before starting over with the next password. This technique minimizes the risk of detection and of lockouts on a single account, because the attempts against any one account are spread out over time.
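Both credential stuffing and password spraying, described above, defeat per-account lockout thresholds because each account sees only one or two failures. Their shared signature is one source touching many distinct accounts in a short window, so detection has to group by source rather than by account. The following added example (written for this page, not the author's code) runs that logic over a constructed authentication log; the log format, the 10-minute window and the five-account threshold are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample authentication log (not from a real system). One source
# tries a single password against six accounts, once each: below any
# per-account lockout threshold, but obvious once grouped by source.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:09Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:17Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:26Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:35Z src=203.0.113.5 user=erin result=FAIL
2024-05-01T10:00:44Z src=203.0.113.5 user=frank result=SUCCESS
2024-05-01T10:01:02Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:01:30Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:02:15Z src=198.51.100.7 user=alice result=SUCCESS
"""

LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse(log: str):
    """Yield (timestamp, source, user, result) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)


def detect_sprays(log: str, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources whose failures span >= min_accounts distinct users in one window.

    Returns {source: (distinct_accounts_failed, [accounts that then succeeded])}.
    The successes are the accounts to reset and investigate first.
    """
    events = sorted(parse(log))   # chronological, so the window scan can stop early
    alerts = {}
    for i, (ts, src, _, _) in enumerate(events):
        failed, succeeded = set(), []
        for t2, s2, u2, r2 in events[i:]:
            if s2 != src:
                continue
            if t2 - ts > window:
                break
            failed.add(u2) if r2 == "FAIL" else succeeded.append(u2)
        # keep the widest window seen for this source
        if len(failed) >= min_accounts and len(failed) > alerts.get(src, (0, []))[0]:
            alerts[src] = (len(failed), succeeded)
    return alerts


if __name__ == "__main__":
    print(detect_sprays(SAMPLE_LOG))
```

The second source in the sample, a user retrying their own password, stays below the threshold, which is the false positive a naive failed-login count would raise.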
Names of pets, children, spouses, and friends, along with addresses, birthdays, and hobbies, are the most valuable information available to threat actors. Factor in favorite movies, TV shows, authors, bands, actors, and more, and most social media accounts become an information gold mine.
Unfortunately, there is a common risk in resetting passwords that makes password resets targets for threat actors. Resetting a password is the act of a forced password change by someone else, such as from the service desk or an application owner. This change is not initiated by an end user.
Anytime a password is reset, there is an implicit acknowledgment that the old password is at risk and needs to change. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password pose a risk until the password is changed by the end user. Of course, sometimes the end user neglects to change the password at all.
Changing passwords frequently is a security best practice for privileged accounts (as opposed to personal or consumer accounts). However, resetting passwords and transmitting them through insecure mediums is not. For the individual, a simple password reset can be the difference between a threat actor owning your account and a legitimate password request.
Password eavesdropping refers to a password exposure occurring because of being overheard. Password eavesdropping may be either inadvertent or intentional and can encompass both voice-based and digital eavesdropping.
In the early days of computing, you needed to physically connect to the machine you were accessing. The systems you were authenticating to were also running locally. Now, we regularly authenticate into systems on the other side of the world, and increasingly, that are not even our systems. Our passwords are transmitted electronically through many systems to reach their destination, and absent proper encryption and other protections, may be vulnerable to eavesdropping.
Shoulder surfing enables a threat actor to gain knowledge of credentials through observation. This includes observing passwords, PINs, and swipe patterns as they are being entered, or even a pen scribbling a password on a sticky note.
The concept is simple. A threat actor physically observes or uses an electronic device like a camera to collect passwords and use them for an attack. This is why, when using an ATM, it's recommended to shield the entry of your PIN on a keypad. This prevents a nearby threat actor from shoulder surfing your PIN.
While password lists, hash tables, and rainbow tables are available on the dark web, users sometimes sell their own credentials. Users with access to multiple individual and/or shared credentials may sell them in bulk.
When an attacker manages to gain access to a system or website, they often aspire to steal the database containing the usernames and passwords for everyone who accesses it. Stealing a database provides at least three big benefits regarding password stealing:
A pass-the-hash (PtH) attack exploits an implementation weakness in the authentication protocol: the password hash remains static for every session until the password itself changes, so the hash alone is enough to authenticate. PtH can be performed against almost any server or service that accepts LM or NTLM authentication, whether it runs Windows, Unix, Linux, or another operating system.
Malware may scrape memory for password hashes, making any active user, application, service, or process a potential target. Once a hash is obtained, the malware uses command and control or other automation for further lateral movement or data exfiltration.
While PtH attacks are more common on Windows systems, they can also exploit Unix and Linux endpoints. Modern systems can defend against PtH attacks in a variety of ways. In particular, changing the password frequently or using one-time passwords (OTPs) is a good defense, as it keeps the hash different between sessions. Password management solutions that can rotate passwords frequently or customize the security token are an effective defense against this technique.
Today, companies frequently engage white hat hackers and penetration testers to test the resilience of their networks, including through password cracking. Consequently, the availability and development of cracking software has increased. Modern computer forensics and litigation support software also includes password cracking functionality. The most sophisticated cracking software incorporates a mixture of cracking strategies to maximize productivity.
Some password cracking techniques rely on system vulnerabilities or gaining access to a privileged account to achieve lateral movement and amass other passwords. However, most cracking relies on inadequate password hygiene and absence of appropriate credential management tools.
When Game of Thrones was first airing, "dragon" rose quickly to become one of the more commonly used passwords. People frequently use the names of pets, children, spouses, and streets, as well as their birthdates.
Social media sites regularly encourage people to share the name of their favorite pet or share details from their childhood. Brilliant mechanisms to help build the lists of predictive passwords used in attacks!
The existence of embedded credentials presents several risks. Sometimes, credentials are embedded during development for easy access, then forgotten and shipped into production. Pieces of code may be shared on GitHub or another platform for collaboration, but with sensitive passwords embedded within. If an attacker gains access to an endpoint or system, they may be able to scan for plain text passwords. This grants them access to sensitive assets.
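The same scan an attacker would run for plain text passwords is one a repository owner should run first. The following added example (written for this page, not the author's code) flags string literals assigned to credential-like names in source, skipping values read from the environment, empty values, obvious placeholders and low-entropy strings, and reports a redacted value so the finding itself does not leak the secret. The sample source and the secret values in it are constructed.

```python
import math
import re
from collections import Counter

# Constructed sample snippet standing in for a file checked into a repository.
SAMPLE_SOURCE = '''\
DB_HOST = "db.internal.example"
DB_PASSWORD = "Sup3rS3cret!2024"          # left over from development
api_key = os.environ.get("API_KEY")       # fine: read from the environment
token = "<your-token-here>"               # placeholder, not a real secret
AWS_SECRET_ACCESS_KEY="x9Qv2LmN7pRt4WsY8bZc1dFg3hJk5nPq"
password = ""                             # empty, nothing to leak
'''

# A string literal assigned (Python, shell or YAML style) to a credential-like name.
ASSIGN = re.compile(
    r'^\s*(?P<name>\w*(?:pass(?:word)?|pwd|secret|token|api_?key)\w*)'
    r'\s*[:=]\s*["\'](?P<value>[^"\']+)["\']',
    re.IGNORECASE,
)
PLACEHOLDER = re.compile(r"^<.*>$|^(changeme|xxx+|todo)$", re.IGNORECASE)


def entropy(s: str) -> float:
    """Shannon entropy in bits per character; random-looking secrets score higher."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_hardcoded_secrets(source: str, min_entropy: float = 3.0):
    """Return (line_no, name, redacted_value) for literal credential assignments."""
    findings = []
    for no, line in enumerate(source.splitlines(), start=1):
        m = ASSIGN.match(line)
        if not m:
            continue
        value = m.group("value")
        if PLACEHOLDER.match(value) or entropy(value) < min_entropy:
            continue
        redacted = value[:4] + "*" * (len(value) - 4)   # never echo the full secret
        findings.append((no, m.group("name"), redacted))
    return findings


if __name__ == "__main__":
    for no, name, redacted in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {no}: {name} = {redacted}")
```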