Businesses, by their very nature, are attracted to standards. Predictable practices bring scale and efficiency to everyday work. While there are many areas of corporate work where predictability is a great benefit – financial forecasting, for example – there are some areas where it’s less desirable. Not least when it comes to password security.
Any new starter in an enterprise role knows the drill – on day one IT shows up to help fulfil their technological needs and set up the requisite password controls. These passwords invariably (more on that later) contain a mixture of letters and numbers that the new employee carefully jots down and sticks to their monitor or, if they’re in any way security conscious, puts in the drawer. The same password formula is then applied at intermittent intervals when that employee is prompted to update their password, no doubt while dashing from meeting to meeting or rushing to meet a deadline.
Most employees have some inkling of the damage that could be caused in the event of a password breach. The prevailing wisdom is that as long as your password is longer than eight characters, combines letters and numbers, and is kept hidden from plain sight, then it’s immune from compromise. This judgement grossly underestimates the password-cracking resources that attackers wield.
To put conventional password generation and security procedures to the test, we conducted a series of experiments. Using our proprietary tool Ruler, we set out to see whether we could exploit Outlook Web Access (OWA) for UK business domains using password information found on the web. While our hypothesis was that typical password protection practices may be on the weaker side, the findings surprised even our most seasoned security experts.
Thou shalt not pass
Through our initial experiment, we were able to show how we could turn an OWA password compromise into full remote access to the network. Matching publicly available data breach dump information (i.e. email and password combinations sourced online from prior breaches) against UK businesses’ remote-access mail servers, we were able to ascertain that around 0.6% of domains are vulnerable to breach. This puts around 2,800 businesses at risk of compromise just from the data used in our study.
The most worrying part is not just the scale of the problem, which could have significant knock-on effects for that business’s customers and other stakeholders, but also the relative ease with which this could be achieved. The lack of attention OWA receives among IT security teams, due to its perceived lack of value, makes it the perfect entry point for cybercriminals. Once inside, the attacker is able to gain a number of network privileges that heighten the cause for concern.
Cracking the code
Further, upon deeper analysis of the passwords in the public dumps, we found disturbing evidence that even the password formulations that would be deemed sufficient according to standard industry practice are insufficient to protect company assets. Our second experiment involved running a cracking engine on a purpose-built cracking rig for eight weeks against approximately 500,000 password hashes. This exercise showed that 85% of the passwords could be cracked, revealing a wealth of information about the passwords themselves and how little difficulty they present to attackers. The time taken to crack the passwords was also noteworthy, ranging from two days for those eight characters in length to less than two minutes for those of six characters.
Once cracked, the passwords could be analysed for composition. We found that length typically mattered less than the format. Of the cracked passwords, 1 in 10 contained a calendar month, 3% contained a day of the week, 1 in 5 contained a calendar year, and 4 in 5 ended with a digit (most commonly 1, 123 or 17). These tests proved that it’s not just ‘pass1234’ that’s prone to breach, but many passwords that adhere to the common formats encouraged by most IT departments and employee habits.
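As an added illustration (not code from the original study or from the Ruler tool), the following Python audit check flags a candidate password for the weak patterns identified above: a calendar month, a day of the week, a four-digit year, and a trailing run of digits such as 1, 123 or 17. The eight-character length threshold is an assumption taken from the cracking times quoted above, not a figure from the study.

```python
import re

# Patterns drawn from the composition findings above: months, weekdays,
# four-digit years and a trailing run of digits.
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday", "friday",
            "saturday", "sunday")
# Abbreviations only count when glued to digits (e.g. "Jan17"), so that
# "may" inside "maybe" or "mar" inside "market" is not flagged.
MONTH_ABBR_RE = re.compile(
    r"(?:jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec)(?=\d)")
YEAR_RE = re.compile(r"(?:19|20)\d{2}")
TRAILING_DIGITS_RE = re.compile(r"\d+$")
# The most common trailing digit strings reported above.
COMMON_SUFFIXES = {"1", "123", "17"}
# Assumption: eight characters fell in two days, so treat <= 8 as short.
SHORT_LENGTH = 8


def weak_patterns(password: str) -> list[str]:
    """Return the weak patterns found in a password, in a fixed order."""
    lower = password.lower()
    findings = []
    if any(m in lower for m in MONTHS) or MONTH_ABBR_RE.search(lower):
        findings.append("month")
    if any(d in lower for d in WEEKDAYS):
        findings.append("weekday")
    if YEAR_RE.search(lower):
        findings.append("year")
    trailing = TRAILING_DIGITS_RE.search(password)
    if trailing:
        findings.append("trailing-digits")
        if trailing.group(0) in COMMON_SUFFIXES:
            findings.append("common-suffix")
    if len(password) <= SHORT_LENGTH:
        findings.append("short")
    return findings


def is_acceptable(password: str) -> bool:
    """A password passes only if none of the weak patterns are present."""
    return not weak_patterns(password)


if __name__ == "__main__":
    # Constructed sample passwords, not values from the study.
    for pw in ("January2017!", "Friday123", "Summer17",
               "correct horse battery staple"):
        print(f"{pw!r}: {weak_patterns(pw) or 'no weak patterns'}")
```

The check is deliberately conservative: a passphrase such as the last sample passes because it contains none of the studied patterns, while a short or date-based password is rejected regardless of its mix of letters and digits.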
These findings have two major implications. Firstly, once an attacker gets hold of an employee’s password, even from a third-party system, they will be able to try that same password against different systems in the expectation that the employee uses a single password for everything. Worse, once an attacker has worked out the password format your organisation uses, they are armed with a repeatable template they can use for follow-up attacks.
Fortifying your defences
These experiments offer a wake-up call on the serious nature of password security. What’s often treated as routine, or even an inconvenience, by many employees and IT teams alike can be a matter of major organisational security when faced with the tools and tactics of today’s cybercriminals. This is especially true when considering perimeter or Internet-facing systems like webmail, cloud-based services, remote desktop services and VPNs.
To address this problem, we recommend avoiding standard words and numbers for passwords and encouraging employees to use passphrases instead. These are more difficult for attackers to crack due to their unpredictable nature, and easier for employees to remember and to type on mobile devices. Furthermore, passwords alone will not suffice to protect web environments, so we need to seriously consider additional layers of protection, such as mandatory two-factor authentication (2FA) on any password-protected system exposed to the Internet.