Why are organisations at risk of password leaks and password dictionary attacks?
(Last updated on December 6, 2018)
Password attacks have become common and a mainstay of attackers trying to breach an organisation’s sensitive data. Brute force attacks, especially those that rely on a password dictionary, continue to be successful for two simple reasons:
- Many organisations do not use multi-factor authentication, making the password the “key to the kingdom”
- People reuse their passwords, because they have too many to remember and manage securely
With a single breach opening the door to other systems, commonly via a dictionary attack, organisations need to stop users from reusing vulnerable passwords. It is time to move away from policies that push users toward reusing or trivially modifying their passwords, and instead provide tools that help users choose better passwords.
Dictionary attacks are successful because they take advantage of the weakest link: human behaviour. A password dictionary attack is a method of breaking into a system by trying every entry from a list of commonly used passwords as the password. The dictionary is composed of common names and words, popular keyboard patterns and character substitutions (P@ssw0rd2018!), and lists of leaked passwords that are available online.
As long as users continue to use common and predictable passwords, dictionary attacks will continue to work. However, attackers are not the only ones who can take advantage of password predictability. The best protection against a dictionary attack is using a password dictionary or blacklist during the password creation process. This means checking a new password against the blacklist, and preventing users from selecting passwords that are susceptible to attack.
In this blog, we will investigate password blacklisting guidelines from compliance organisations. We will also examine the benefits of blacklisting leaked passwords and how user feedback can make all the difference in choosing an acceptable password.
Are existing password compliance requirements enough?
Compliance standard organisations call for different password security requirements, including conflicting advice around password expiration, length, and complexity. These contradictions make it hard to follow compliance regulations fully, especially if your organisation must follow more than one compliance standard.
What makes a strong password? It depends on who you ask.
The National Cyber Security Centre (NCSC) regularly updates their Password Guidance, which includes recommendations around password best practice. Some of the recent updates include: don’t require users to change their passwords unless you have reason to believe they have been compromised, use a password blacklist to block the most common password choices, and have IT find ways to reduce the password burden on end users.
Cyber Essentials scheme
The Cyber Essentials scheme is a part of the UK’s National Cyber Security Programme and mandatory for central government contracts. They define a strong password as follows: a minimum length (eight characters), differs from the username, contains a mixture of numeric and alpha characters, has not been reused, is not a dictionary word, and has not been used for another account.
The National Institute of Standards and Technology (NIST) recently updated their Digital Identity Guidelines (SP 800-63B) to reflect password best practices in the face of increasing password attacks. The guidelines include: use a blacklist to block weak passwords and passwords that appear on leaked lists, require passwords of at least 8 characters, and remove other composition requirements and regular password expiration as long as there is no evidence that a password has been compromised.
However, whether it’s longer or shorter passwords, expiration or no expiration, and character complexity or not, compliance standards have conflicting recommendations. Checking passwords against a blacklist is the common requirement for organisations wanting to comply and it shifts the password burden from the users to the authentication system.
Futureproof your password policy with a password blacklist: Best Practices
Should passwords be long and changed often, or short and never changed? Should you require characters from four character types (numeric, upper case, lower case, special) and disallow incremental passwords? It is time to re-evaluate existing password policies. To prepare for your breakup with conventional practices, we have drawn out the best practices to satisfy any compliance standard.
Ban common passwords
Since people continue to reuse their common and predictable passwords, attackers will continue to use dictionary attacks as a means of reaching sensitive data. Attackers can easily download lists from previous data breaches and use foreign-language password dictionaries and phonetic patterns. A tool such as Specops Password Policy makes it possible to block weak passwords from being used in the organisation.
When blocking passwords, users need to understand why their password was rejected. Real-time feedback explaining why a password is disallowed prevents added confusion when a user’s new password fails the check.
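As an added example (not code from this post or from Specops Password Policy), here is a Python version of the creation-time check described above: a length floor, a username check, a leaked-password list held as SHA-1 hashes, keyboard patterns, and common words matched after undoing the character substitutions and trailing year/punctuation that P@ssw0rd2018! illustrates. It returns the reason to show the user in real time. The blacklist entries, the leaked hashes and the function names are constructed for the example; a real deployment would load a large common-word file and the full leaked lists.

```python
import hashlib
import re

MIN_LENGTH = 8  # the floor that NCSC, NIST SP 800-63B and Cyber Essentials settle on

# Constructed sample blacklist for this example only.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "admin", "monkey",
                "football", "dragon"}
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn", "1q2w3e", "123456", "qazwsx")

# Leaked lists are commonly distributed as SHA-1 hashes; keeping them hashed means
# the plaintexts never sit on the authentication server. These three are constructed.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Tr0ub4dor&3", "iloveyou1", "Company2017!")
}

# Common substitutions, undone before the dictionary lookup so that "P@ssw0rd" and
# "password" are treated as the same word. "1" is ambiguous (i or l), so both are tried.
_BASE = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e",
         "7": "t", "+": "t", "!": "i", "|": "l"}
LEET_TABLES = [str.maketrans({**_BASE, "1": "i"}),
               str.maketrans({**_BASE, "1": "l"})]


def normalise(password):
    """Lower-case, drop a trailing run of digits/punctuation (years, '123', '!'),
    then undo the substitutions. Returns every candidate dictionary word."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return {core} | {core.translate(t) for t in LEET_TABLES}


def check_password(password, username=""):
    """Return (accepted, reason). The reason is the real-time feedback shown to the
    user when the password is rejected."""
    if len(password) < MIN_LENGTH:
        return False, f"must be at least {MIN_LENGTH} characters"
    low = password.lower()
    if username and username.lower() in low:
        return False, "must not contain your username"
    # Leaked-list check is on the exact password: reuse of a breached credential.
    if hashlib.sha1(password.encode()).hexdigest().upper() in LEAKED_SHA1:
        return False, "appears in a list of leaked passwords"
    for pattern in KEYBOARD_PATTERNS:
        if pattern in low:
            return False, f"contains the keyboard pattern '{pattern}'"
    hits = normalise(password) & COMMON_WORDS
    if hits:
        return False, f"is a common word ('{sorted(hits)[0]}') with predictable substitutions"
    return True, "accepted"


if __name__ == "__main__":
    for pw, user in (("P@ssw0rd2018!", ""), ("Tr0ub4dor&3", ""),
                     ("jsmith2018!", "jsmith"), ("1q2w3e4r5t", ""),
                     ("correct horse battery staple", "")):
        print(f"{pw!r}: {check_password(pw, user)}")
```

The order of checks matters for the feedback: the cheapest and most specific reasons come first, and the substitution-aware dictionary match comes last because it is the only one that needs the candidate set. The leaked-list comparison is deliberately on the exact string, since that list records what attackers already hold, whereas the common-word check normalises because the dictionary used by an attacker will include those variations anyway.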
Turn on MFA
Use multi-factor authentication everywhere possible, especially for privileged users or when accessing critical, high-value systems such as self-service password reset or cloud services. The Payment Card Industry Data Security Standard (PCI DSS) now requires organisations processing credit card information to use MFA for anyone with administrative access and for anyone accessing cardholder data remotely.
Expiration based on role
Removing password expiration entirely is not advised without a stronger authentication method in place, such as multi-factor authentication. A better approach is to base password expiration on the user’s role in the organisation. The more access a role has to sensitive information, for example IT administrators, the more likely you will want to keep password expiration as a way of limiting how long a compromised credential remains usable if the compromise goes unnoticed.
Ensure security for your organisation
The rise in password dictionary attacks is directly related to the availability of leaked password lists and the fact that people reuse their passwords. Reviewing your password policy and ensuring it serves you today and in the future doesn’t have to be a daunting task. Sometimes the regulatory bodies send conflicting messages, but today it is clear that password blacklisting is an effective way to shift the burden from users to authenticators and prevent dictionary attacks. Password policies shouldn’t be “set and forget”. Your password policy needs to be re-evaluated continuously to respond to user behavioural patterns and the emergence of new threats.