Why You Shouldn’t Know Your Own Passwords

Peter Cockshott
| 10/23/2019
Why You Shouldn’t Know Your Own Passwords

When it comes to securing their own accounts, most users just can’t be trusted. Since most users must enter their various passwords multiple times a day, they often create convenient passwords rather than secure ones. IT administrators are people, too, and therefore fall victim to the same patterns of insecure behavior. The solution to this problem is to curb that behavior and stop users from setting insecure passwords – but how?

The price for privilege

Privileged accounts exist in nearly every type of information system, including operating systems, databases, application management consoles, and mainframes. And along with every privileged account come corporate security requirements, which include creating a unique, complex password. A comprehensive security program can include seemingly solid security controls, such as rules for a minimum password length of eight characters, mandatory periodic rotations, and prompts to change shared passwords when users with knowledge no longer need access. While these requirements can decrease an organization’s susceptibility to compromise due to poor password practices, they can also make administrators’ jobs difficult and, in turn, lead to even riskier password practices.

Risky practices

Examples of such risky practices include repeated password usage across accounts, weak passphrases, keyboard walks, use of repeated and common dictionary words, and a high likelihood that users will write down their passwords. For example, the Ponemon Institute’s 2019 State of Password and Authentication Security Behaviors Report indicates that 51% of respondents reuse their passwords across business and personal accounts.

Because of users’ poor password practices, organizations face a difficult situation when they try to address the problem. Should they increase the likelihood that someone will practice risky password management, or should they decrease the amount of time it would take for an attacker to decipher password hashes?

Password problems

Despite frequent security awareness training, rigorous password requirements, and implementation of tools to prevent commonly used or weak passwords, poor password practices can (and do) persist. On any given penetration assessment or security assessment that contains some form of password guessing or password hash analysis, risky password practices are almost guaranteed to be considered a risk to the organization.

This problem isn’t just anecdotal. Research in Verizon’s 2017 Data Breach Investigations Report reveals that “81% of hacking-related breaches leveraged either stolen and/or weak passwords.” Why is that percentage so high? One reason is that when authenticating to various information systems, a weak hashing protocol might be used in the authentication process.

Weak hashing algorithms allow for individuals eavesdropping on the network to capture hashed credentials and perform brute-force attacks or consult dictionaries of commonly-used passphrases for hash comparison offline to gain access to passwords. When employees use simple word combinations or reasonably guessable passphrases, a 12-character password such as Summer2019!! – which technically meets all the traditional password requirements of a minimum of eight characters, a capital letter, a lowercase letter, a numeric character, and a special character – can be easily cracked by bad actors.

Cracking passwords

When malicious groups guess passwords, they don’t always begin iterating from “aaaaaaaaaaaa” through every possible combination. Instead, they start with dictionaries filled with passwords exposed from prior breaches and additional combinations tailored for the target, such as the target’s employer name, birthdate, favorite sports teams, and city, state, or country of residence. They also use lookup tables that already have the precomputed hashes and passwords to minimize the amount of time and resources needed to guess the correct password.

Unlike trying to password crack against an entire Microsoft Active Directory™ set of users, once a privileged account with desirable privileges has been identified, attackers need to try to crack only one password hash. After the privileged account is compromised in that information system, system administrators can do little to mitigate damage because these accounts can be used to access restricted information, disable security controls (if the organization lacks robust change management controls), and create and modify accounts. The question is clear: What can organizations do to reduce the likelihood of password compromise on privileged accounts?

Privileged account management solutions

Enter privileged account management (PAM) solutions. PAMs are password-vaulting tools designed to help monitor and provision access to the sensitive accounts on an organization’s network. Administrators are required to know one sufficiently complex password that can provide access to the privileged accounts needed for an individual’s day-to-day business functions.

PAMs offer account management capabilities such as Active Directory group-based access, unique logins for each user to access specific passwords, multifactor authentication for all access, audit and logging capabilities for monitoring access to the solution, password blacklisting options that prohibit users from configuring passwords that are reasonably guessable or exist in dictionaries of compromised passwords, and a centralized platform that reduces the number of difficult passwords administrators need to remember.

The benefit of using PAM solutions is that they prevent employees from knowing their own passwords by providing a unique, machine-generated password each time account access is needed. In addition, PAMs provide a clear audit trail that shows which administrators or privileged users checked out those credentials – allowing for personnel to more easily trace potentially malicious actions to identify specific insider threats.

Lastly, when administrators aren’t required to know their own passwords and these passwords are randomly generated each time they are checked out, the passwords can be configured to be lengthy (32 or more characters) and can help avoid common mistakes that users are prone to make. In the end, administrators need to know and remember only one sufficiently complex master password and use at least two forms of multifactor authentication.

Centralized management

When administrators are required to remember only one password and each password can be centrally enforced to make sure consistent password complexity requirements are followed, they are better equipped to control those passwords. To make sure these keys to the kingdom are protected, administrators should make the passwords conform to the following requirements:

  • Passwords should be 32 or more characters in length.
  • Passwords should be rotated once (every 365 days) or twice a year (180 days).
  • Generation of privileged account passwords should be machine assisted to make sure they avoid inherent human weaknesses, such as patterns, easily guessable phrases, and iterations of prior passwords.
  • Weak, commonly used, or reasonably guessable passwords should appear on a blacklist to reduce the susceptibility to brute-force attacks.

Additional controls should be implemented in conjunction with these stricter requirements as well. Multifactor authentication – “something you know,” “something you are,” and “something you have” – helps support stronger password creation. In addition, implementing a robust process for the approval of access to privileged account passwords (such as separation of approval duties, documented approval forms, and reviews of said approvals on a regular basis) can boost the effectiveness of a PAM solution.

No silver bullet

Despite the additional security a privileged account management solution can provide to an organization, it’s not the silver bullet that will secure an environment. A holistic, defense-in-depth strategy is required to facilitate security best practices including, but not limited to, implementing periodic risk assessments, restricting local administrator capabilities, managing vendor and third-party risks, dealing with pushback from users, and reducing the effectiveness of phishing attacks through security awareness training.

Local accounts and privilege are often neglected in discussions of privileged account management and risk. Organizations should disable local administrator privileges for users, and for break-glass local administrator accounts, they should consider implementing the Microsoft Local Administrator Password Solution™ (LAPS). LAPS is an effective password management solution for accounts with the caveat that it can manage only one local account across Windows devices, typically the RID 500 (built-in administrator) account. As such, a PAM is advised in conjunction with LAPS as organizations often have multiple local accounts on a subset (if not all) of Windows devices.

Of the risks to privileged account management, vendor and other third parties’ access to accounts stands out as a top risk, especially in recent years. Vendor access to accounts can be a loophole to circumvent an organization’s password controls, so vendors must conform their passwords to the same standards of the organization they serve to make sure that they are not increasing the organization’s residual risk. If vendors don’t comply, then a risk acceptance process for the account(s) should be executed and documented, and mitigating controls or monitoring put in place, including (but not limited to):

  • Limiting which nodes the account is allowed to log on to
  • Limiting the types of logons (such as interactive, service, or batch) the account can perform
  • Monitoring the account for logons outside of typical time frames, such as batch jobs or scheduled tasks
  • Monitoring the rate of use over a period of time to identify discrepancies

Dealing with pushback

Pushback from apprehensive administrators and other privileged users is common when implementing stringent security controls. Unfortunately, this apprehension often turns to frustration with the administrators who seem to be making life harder for ostensibly only marginal increases in security.

However, this way of thinking is dangerous and jeopardizes an organization’s information security principles. Security and accessibility are always a challenging balancing act, but if the broader user base and nontechnical administration staff want to employ weaker-than-configurable security controls, a strong business justification with quantifiable metrics should be presented to document the risk.

A matter of time

Security professionals around the globe acknowledge that it is not if but when any given organization will experience an incident. When malicious parties breach an organization and attempt to gain access to administrative account credentials, the complexity of the administrative passwords will be the only thing that can buy that organization time. Employing strict password policies can help reduce the likelihood that an organization’s most common threat vector is exploited – and that is well worth the initial discomfort.

So, how much time does your organization have before bad actors crack your admin passwords?

 

Microsoft, Microsoft Active Directory, and Microsoft Local Administrator Password Solution are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries.