How hackers guess passwords, and how to stop them

Three phenomena often enable us to take over regular accounts, service accounts, and even administrator accounts, as a first step towards compromising the complete Windows domain:

1. Regular users, but also system administrators, often choose easily predictable passwords
2. Two-factor authentication on accounts or login portals is often missing
3. Passwords are often shared among users in unencrypted Word or Excel files

Predictable passwords

A large statistical study conducted by Rapid7 has shown that many people choose from three categories to create a password:

• A variation on the word password or welcome, such as Password123 or Welcome01!
• Season + year, for example Summer2019 or Winter2020
• A variation on the name or location of the company, for example HackDefense01! or Leiden123

Based on this research we create a list of passwords that might be in use at the company we are testing, and we will try these passwords on all accounts. This is called a password spray attack. We will either look for a login mechanism that does not block accounts after a number of incorrect login attempts, or we look at the Windows domain’s password policy. By default, this states that if a user submits an incorrect password five times in 30 minutes, they will be blocked for 30 minutes. We use one of those attempts and try one of the passwords from our list every 30 minutes, leaving legitimate users with four login attempts every 30 minutes; we don’t want to lock anybody out. Unfortunately, we almost always succeed in taking over multiple accounts with passwords such as Welcome123! or Summer2020.

One solution to this is a regular check on the list of encrypted Windows passwords in the domain for easily guessed passwords such as this. Services to do this are available, including from us.

Lack of two-factor authentication

The next phenomenon that often makes it easy for us to break in digitally is the lack of two-factor authentication. Authentication factors can be:

• something you have (Google authenticator on your phone or a security token) 
• something you know (a password or pin code) 
• something you are (proven with a fingerprint or iris scan) 
• somewhere you are (a location)

Traditional password authentication only matches one of those factors.

Two-factor authentication requires two of the above to authenticate. At HackDefense we like to use YubiKeys which we use in combination with a password. Login? Sure, what’s your password and can you put the YubiKey in a USB port? 

You can make it very difficult for an attacker by setting up two-factor everywhere. If a password is leaked somewhere, this is not immediately a problem because more than a password is required to login.

Passwords that are not stored securely

The third phenomenon, passwords in (shared) Excel sheets or Word documents, is something we see in basically every test. Sometimes we find these types of files on network drives, other times in somebody’s Documents folder or even on users’ desktops. What is quite poignant for us to see is that these types of files often contain more than just passwords for work, but also for the lottery, or internet banking, for example.

We also regularly encounter passwords within Active Directory user objects, a place that an attacker or malicious user with a little technical ingenuity can easily access. See our earlier blog on this topic.

Increasingly, organisations offer password managers to users, but not many users use them. A shame in our view, because it is THE solution for secure password management.

Password managers

Not only can a password manager help you come up with long and complex passwords, it can store the generated passwords in a secure way in a digital vault. Today I only know a few of my passwords from the top of my head; the password to log in to my workplace and the password with which I open my password manager, the rest is in the manager itself. When I need to create a new account somewhere, I ask the password manager to come up with a 64-character long password that consists of lowercase letters, uppercase letters, numbers, and special punctuation marks. The password is not even shown to me by the software; I can copy the password to the clipboard and then paste it in the fields where the password is created and verified.

Password managers come in many shapes and sizes. At HackDefense we use KeePassX that only stores passwords locally. As a security company we are of course just a bit more paranoid than most. More popular password managers such as LastPass and 1password save passwords to the cloud, can also be used as a browser plug-in and work on more platforms than just the computer, so you can use the same passwords from a phone or tablet as well.

Our recommendation

What do we recommend specifically? Our recommendation is almost in line with NIST standard 800 – 63:

• Require passwords of at least 15 characters long. This is long, but it prevents users from choosing passwords that are too easy to guess.
• If this is not feasible, conduct regular tests to find accounts with passwords that are too easily guessed.
• Require the use of a password manager to securely manage and generate passwords for other systems and applications.
• Allow users to set long passwords, for example 64 characters. 
• Support the full palette of ASCII characters (Latin letters, numbers, punctuation marks.
• Regularly search network drives for passwords. A simple search in Windows Explorer for the word ​“passwords” is often enough to find documents users have created that contain sensitive passwords, unintentionally available to all users. 

In the end, this means users have to remember only two relatively long passwords: one for their Windows account, and one for their password manager. We recommend informing users that they can also use passphrases to achieve this: many people don’t know that In 2019, we went on holiday to Greece! is a valid password. But it’s very strong, and not that difficult to remember.