by Andy Pearch, Head of Information Assurance Services, CORVID
You’ve got the ISO 27001 certification, you’ve completed Cyber Essentials and you’ve pledged to your clients that you are committed to protecting their data. You might even have won business as a result of your new-found status. The top firms are doing it, so why shouldn’t you?
But are you aware that passwords are dead in the water? And not just because the Government’s own security experts have said so. The story appears more and more often in specialist articles and reports, but what we really mean when we say the password is dead is that the life of the password has changed.
With the recent release of version 7 of the L0phtCrack password-cracking tool (LC7), some will be running to their machines and changing their passwords faster than you can shout ‘ransomware’. Others will be dipping back into the pond for another weak password.
The humble password alone, made up of a word, a phrase or a few special characters, could once block access to a whole host of highly sensitive client data. Some may even have shared (and still share!) the same password between protected areas and between employees. Did you just glance at the Post-it note on your desk?
However, with more and more technology available to get past it, the age of the password as we know it is over.
You’ll be aware that current guidance advises against forcing users to change their passwords on a schedule, but account lockout and protective monitoring are still needed in case a password is weak or has leaked. A protective monitoring programme, for example, should be able to detect compromise by credential-stealing malware, which lockout will never see because the attacker logs in with the right password first time. A single password should be strengthened by length and by using random words or phrases rather than a predictable word with a digit on the end. (See the password policy reminders at the end of this page.)
The rule still applies: change a password if a user suspects the password or its hash has been compromised, or if system administrators detect compromise through protective monitoring. Always be ready to accept that malware can be very stealthy, stealing passwords without raising the user’s suspicion and often evading anti-virus with ease.
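Account lockout and protective monitoring catch different things, and the difference is worth seeing on real-looking data. The following is an added example written for this article, not CORVID’s code or any monitoring product’s: it runs three checks over a constructed authentication log (the log format, the sample events and the thresholds are all assumptions). The first check finds what lockout would trigger on (one account hammered with failures); the second finds a single source trying a few guesses against many accounts, which stays under every per-account lockout threshold and so only monitoring can catch it; the third picks out the successful login that followed a burst of failures, which is the event that should trigger a password reset.

```python
"""
Toy protective-monitoring checks over authentication logs.

Added example for this article, not CORVID's code or any monitoring product's.
The log format, the sample events and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Set, Tuple

Event = Tuple[datetime, str, str, str]   # (timestamp, account, source ip, "FAIL" | "SUCCESS")

# Constructed sample log, one event per line: "<ISO timestamp> <account> <source ip> <result>".
SAMPLE_LOG = """
2016-09-01T08:00:01 alice 10.0.0.5 FAIL
2016-09-01T08:00:03 alice 10.0.0.5 FAIL
2016-09-01T08:00:04 alice 10.0.0.5 FAIL
2016-09-01T08:00:05 alice 10.0.0.5 FAIL
2016-09-01T08:00:06 alice 10.0.0.5 FAIL
2016-09-01T08:00:08 alice 10.0.0.5 SUCCESS
2016-09-01T09:00:00 bob 203.0.113.7 FAIL
2016-09-01T09:00:01 carol 203.0.113.7 FAIL
2016-09-01T09:00:02 dave 203.0.113.7 FAIL
2016-09-01T09:00:03 erin 203.0.113.7 FAIL
2016-09-01T09:00:04 frank 203.0.113.7 FAIL
2016-09-01T09:00:05 grace 203.0.113.7 SUCCESS
2016-09-01T10:00:00 heidi 10.0.0.9 FAIL
2016-09-01T10:05:00 heidi 10.0.0.9 SUCCESS
"""

WINDOW = timedelta(minutes=10)   # assumed correlation window for all three checks


def parse(log: str) -> List[Event]:
    """Turn the text log into time-sorted events."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, account, src, result = line.split()
        events.append((datetime.fromisoformat(ts), account, src, result))
    return sorted(events)


def lockout_candidates(events: List[Event], threshold: int = 5, window: timedelta = WINDOW) -> Set[str]:
    """Accounts with >= threshold failures inside any `window`: what account lockout triggers on."""
    fails = defaultdict(list)
    for ts, account, _src, result in events:
        if result == "FAIL":
            fails[account].append(ts)
    flagged = set()
    for account, times in fails.items():      # times are already sorted
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(account)
                break
    return flagged


def spray_sources(events: List[Event], min_accounts: int = 5, window: timedelta = WINDOW) -> Set[str]:
    """Sources that fail against >= min_accounts distinct accounts inside `window` (password spraying).
    One or two failures per account never trips lockout, so this needs monitoring, not lockout."""
    fails = defaultdict(list)
    for ts, account, src, result in events:
        if result == "FAIL":
            fails[src].append((ts, account))
    flagged = set()
    for src, attempts in fails.items():
        for i, (t0, _) in enumerate(attempts):
            accounts = {a for t, a in attempts[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                flagged.add(src)
                break
    return flagged


def suspicious_successes(events: List[Event], min_failures: int = 3,
                         window: timedelta = WINDOW) -> List[Tuple[str, str]]:
    """Successful logins preceded, from the same source within `window`, by >= min_failures failures:
    the guess that finally worked, and the account that now needs a reset."""
    out = []
    for ts, account, src, result in events:
        if result != "SUCCESS":
            continue
        prior = sum(1 for t, _a, s, r in events if s == src and r == "FAIL" and ts - window <= t < ts)
        if prior >= min_failures:
            out.append((account, src))
    return out


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("lockout candidates:", sorted(lockout_candidates(events)))
    print("password-spraying sources:", sorted(spray_sources(events)))
    print("successes after failure bursts:", suspicious_successes(events))
```

On the constructed log this flags alice for lockout, 203.0.113.7 as a spraying source that lockout alone would never notice, and the alice and grace logins as successes worth a reset; heidi’s single failure before a success stays below every threshold. Thresholds and the window are tuning knobs, not recommendations.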
What next for passwords?
Aside from adding some strengthening techniques to bolster your existing passwords, what else is changing in the password’s life?
Two-factor authentication has been around for a while and strengthens the process to an extent, although it can be clunky and awkward and gets in the way of the user experience, particularly on client-facing login areas. Who wants to carry a separate hardware token just to type in an additional code? It is one more thing to lose in a bag or pocket, but it is a halfway house to extra security.
Other technologies, such as retinal recognition, are nowhere near commonplace and remain impractical to implement at the moment.
Passwords can’t give protection from…
Attacks that occur after you have authenticated, for example malware that runs when you open a malicious email attachment: it inherits your logged-in session, so the password is never challenged.
However strong the password, if the incentive is strong enough an attacker who obtains the hash will put a tool to work on it. If you hold sensitive information such as client mergers and acquisitions or high-profile cases, or you deal with large sums of money, you are a particularly attractive target. And in a world of password reuse (it seemed like a good idea to use the same credentials across sites so you could remember them, didn’t it?), a breach at any one site exposes every other account that shares the password, however strong it was. If the attacker cannot crack the password they will try other means: a fake email from a senior partner instructing a colleague to make a payment, for example, or the adversary may already be working inside the company. But that’s a different story.
So your passwords will probably be hacked – what next?
Do you suspect that some passwords on your systems could be weak? Then use the same tools the attackers use and test your own systems. You and your adversaries have access to the same technology, and you can turn that to your advantage: run the cracker against your own password hashes before someone else does, and reset anything it finds.
What are the tools commonly used by hackers to crack passwords?
Be aware that to get at the password hashes in the first place these tools need administrative access to the machine, or a technical vulnerability that yields it; cracking is an offline step that follows a foothold, not the way in. Run your own audit from an account with the necessary rights, and treat the extracted hash file as being as sensitive as the passwords themselves.
LC7, which its makers claim is the most powerful version yet, is said to let an attacker crack passwords in as little as two hours on a modern gaming machine. It failed to break any of CORVID’s (best-practice) passwords during a test on a Dell laptop, so it is worth trying it for yourself.
John the Ripper
This tool is probably the best-known free option out there. It is highly effective and regularly makes the lists of top ten password-cracking tools. It is a little complicated for basic users, but experienced users will have no problem.
Another widely used cracker describes itself as the world’s fastest and most advanced CPU password recovery and cracking tool.
Birthday party, cheesecake, jelly beans – password policy reminders
How do you devise complex passwords that normal users can also remember?
Random sentences and phrases are easier to remember than the eight (or more) random characters so often enforced. Take, say, a sandwich filling, a colour and a two-digit number, muddle them up and there is your phrase. The words must be genuinely random, though: if they are your favourite filling, the colour of your car and the age you left home, an attacker who knows a little about you is choosing from a few dozen fillings, a dozen colours and a handful of ages, and a cracker that combines such lists will exhaust them in seconds. Pick three or four unrelated words at random instead.
Easy-to-remember substitutions such as ‘3’ for ‘e’ are no obstacle: cracking tools apply exactly these substitutions as rules to every dictionary word, so ‘ch33s3 y3110w 18’ is barely stronger than ‘cheese yellow 18’. If your password looks like that, think again.
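To show both why auditing your own hashes with a cracker works and why the ‘3 for e’ trick buys nothing, here is an added example written for this article; it is not CORVID’s code and not code from L0phtCrack, John the Ripper or any other tool named above. It implements a toy rule-based cracker in the style those tools use: a constructed eight-word dictionary, a leet substitution table applied as a rule to every word, capitalisation variants, three separators and an optional two-digit suffix. SHA-256 stands in for whatever hash the target system really stores (a real audit hashes exactly as the target does), and the guess rates are order-of-magnitude assumptions. It recovers ‘ch33s3 y3110w 18’ in a few tens of thousands of guesses, fails on a four-word phrase because its rules only combine two words, and then does the arithmetic for four words chosen at random from a 7776-word list.

```python
"""
Toy rule-based cracker and keyspace calculator for the password reminders above.

Added example for this article; it is not CORVID's code and not code from
L0phtCrack, John the Ripper or any other tool mentioned. The wordlist, the
choice of SHA-256 as a stand-in hash, the mangling rules and the guess rates
are all constructed assumptions chosen for illustration.
"""
import hashlib
import itertools
from typing import Iterator, Optional, Sequence

# Constructed mini dictionary; real crackers ship lists with millions of entries.
WORDLIST: Sequence[str] = ("cheese", "yellow", "ham", "blue", "summer", "dragon", "tuna", "silver")

# The 'easy-to-remember' substitutions, written as a rule applied to every word.
# Real rule sets try many alternative tables; one is enough to make the point.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "l": "1", "o": "0"})
SEPARATORS = (" ", "", "-")
SUFFIXES = ("",) + tuple(str(n) for n in range(100))   # nothing, or two digits (an age, a year, ...)

# Assumed guess rates, order of magnitude only: a fast unsalted hash (NTLM-class) on one
# modern GPU versus a deliberately slow KDF (bcrypt/argon2 at a sensible cost).
FAST_UNSALTED_GPU = 1e11
SLOW_KDF = 1e4


def sha256_hex(password: str) -> str:
    """Stand-in hash. A real audit hashes exactly as the target system does (NTLM, bcrypt, ...)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word: str) -> tuple:
    """Variants a rule set derives from one dictionary word, duplicates removed, order kept."""
    variants = (word, word.capitalize(), word.upper(),
                word.translate(LEET), word.capitalize().translate(LEET))
    return tuple(dict.fromkeys(variants))


def candidates(words: Sequence[str] = WORDLIST, max_words: int = 2) -> Iterator[str]:
    """Enumerate 1..max_words mangled words, optionally followed by a digit suffix, joined by a separator."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            for variants in itertools.product(*(mangle(w) for w in combo)):
                for suffix in SUFFIXES:
                    tokens = list(variants) + ([suffix] if suffix else [])
                    # a single token has nothing to separate, so try it once
                    for sep in (SEPARATORS if len(tokens) > 1 else ("",)):
                        yield sep.join(tokens)


def crack(target_hash: str, max_words: int = 2, budget: int = 2_000_000) -> tuple:
    """Guess until the hash matches or the budget is spent. Returns (password or None, guesses made)."""
    tried = 0
    for tried, guess in enumerate(candidates(WORDLIST, max_words), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, tried
        if tried >= budget:
            break
    return None, tried


def rule_keyspace(n_words: int, max_words: int, n_variants: int = 5,
                  n_seps: int = len(SEPARATORS), n_suffixes: int = len(SUFFIXES)) -> int:
    """Upper bound on guesses the rule set above needs for up to max_words mangled words."""
    return sum((n_words * n_variants) ** k * n_seps * n_suffixes for k in range(1, max_words + 1))


def passphrase_keyspace(dictionary_size: int, n_words: int) -> int:
    """Guesses to exhaust n_words drawn uniformly at random from a dictionary the attacker knows."""
    return dictionary_size ** n_words


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    for pw in ("ch33s3 y3110w 18", "tuna silver dragon summer"):
        found, guesses = crack(sha256_hex(pw))
        print(f"{pw!r}: {'cracked' if found else 'not found'} after {guesses:,} guesses")
    print(f"two mangled words from {len(WORDLIST)} words: at most {rule_keyspace(len(WORDLIST), 2):,} guesses")
    ks = passphrase_keyspace(7776, 4)   # four words from a 7776-word (Diceware-sized) list
    for label, rate in (("fast unsalted hash, one GPU", FAST_UNSALTED_GPU), ("slow KDF", SLOW_KDF)):
        hours = seconds_to_exhaust(ks, rate) / 3600
        print(f"four random words of 7776 ({ks:.2e} guesses), {label}: {hours:,.1f} hours to exhaust")
```

Two things to take from the numbers. Leet substitutions, capital letters and a trailing age or year are rules, not randomness: the whole two-word space here is under half a million guesses. Four genuinely random words from a 7776-word list give about 3.7 × 10^15 guesses, which at the assumed GPU rate for an unsalted fast hash is still only some ten hours, but at the assumed rate for a slow KDF is over ten thousand years; how the system stores the hash matters as much as the password itself.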
Consider two-factor authentication for particularly sensitive accounts, or wherever a login facility is exposed to the internet. It adds an extra layer of protection and an extra level of confidence for your clients.
Password strength should be commensurate with the value of what the password protects. If you have a big client deal under wraps, a long, genuinely random password could help keep it that way.
The life of the password has changed for good, but is the future really a 150-digit hexadecimal code? No one is going to remember that.
Consequently, we need to stay ahead of the game, implement best practice and give the attackers a run for their money. The challenge doesn’t stop here, but I feel fine.