A recent cyber-attack on the Canadian government was successful because of a well-known attack technique, credential stuffing. If you’re not familiar, credential stuffing is just taking credentials from one breach and using it to compromise a new organization. It is successful because 62% of people reuse personal passwords on work systems.
News of this attack broke on Monday, August 17, 2020, and it highlights how real the cyberattack risk is for every organization. The question victims often ask themselves post-attack, “Was this preventable”?
“The credentials used in the attack came from previous, non-government of Canada data breaches. They were effective because Canadians reused old passwords on government of Canada systems.”Scott Jones, the head of Canada’s Centre for Cyber Security
When you look at guidelines from the National Cyber Security Centre (NCSC) or the National Institute of Standards and Technology (NIST), one of the key recommendations from both is to prevent the use of passwords that are collected in public breach databases.
A secure password today can quickly become part of a breach database. It’s critical that you evaluate all passwords at creation and when your breach database is updated. (You may find that a password when first checked is NOT on a breached list, but over time it may show up. Hence why it’s critical to continually check).
A password alone is not sufficient security.
Again, a password alone is not sufficient security.
Techniques used to compromise passwords are widely documented. Don’t be fooled by the math. If an attacker is going to perform a brute force attack it will be an intelligent attack vs random guessing of 8- or 9-character password combinations. Having access to over half a billion passwords obtained from compromises provides researchers, and attackers, insight into common user behavior.
Most believe if a user leverages upper case, lower case, numbers, and symbols they will create a complex hard-to-guess 9-character password, right? What we’ve learned is a complex user password looks more like this ‘Agreement1!’ than like this ‘m2RK&3sNrG&fcI’. The problem is predictable human patterns.
With this knowledge, a brute force attack has a much smaller character search space. Simply stated, it makes it easier to guess passwords!
I’ve worked with several Stealthbits customers to understand common bad patterns they have detected among their user credentials. We’ve collectively learned there are three (3) key and consistent patterns across multiple vertical markets and geographic locations.
If you work at Oracle, should you be able to have a password containing Oracle, MySQL, Java, or ORCL (the stock symbol)? If you said no, I agree! If you said yes, consider this:
|Name||# Prevented||Time Range|
|Customer 1 (90K Users)||30,048||236 days|
|Customer 2 (110K users)||18,539||180 days|
|Customer 3 (22K users)||1,688||60 days|
It’s rather normal that users gravitate to using common terms. It makes perfect sense considering they often use those terms daily. Of the over 50,000 prevented passwords across 222,000 users above, ALL at least contained one (1) common phrase identified by IT.
What does this mean?
Attackers also know users pick passwords containing company and common industry phrases. This helps them narrow the pool of possible password combinations, making it more likely they guess the password. But the flip side is true as well. Preventing the use of these common terms improves security by making user passwords much more difficult to guess.
The least creative way to create a password is just clicking on ordered keys on the keyboard. “QWERTY” is an annual winner for the “Top 5 Most Common Passwords”
|Name||# Prevented||Time Range|
|Customer 1 (90K Users)||21,896||236 days|
|Customer 2 (110K users)||34,557||180 days|
|Customer 6 (85K users)||23,241||120 days|
Nearly 80,000 instances in roughly half a year, across 285,000 users. This was eye-opening for IT, as well as management, that users are less focused on security and willing to sacrifice it to get back to work quickly. As in most organizations, the password complexity policies are a burden easily bypassed without some check-mechanism in place.
There is no way to prevent a user from choosing a personal password at work. Asking users not to re-use personal passwords can be in-policy, but technically it’s just not enforceable. But something that is enforceable is preventing previously breached passwords from use in your environment.
The Canadian Government breach at the start of this blog could have been prevented if they actively prevented breached passwords or, at the very least, checked existing passwords against a breached database.
|Name||# Prevented||Time Range|
|Customer 7 (55K Users)||18,577||240 days|
|Customer 2 (110K users)||29,854||180 days|
|Customer 3 (22K users)||7,002||60 days|
Not every password in a breach database would pass most corporate password policies. As an attacker, you focus on passwords that would typically ‘pass’ organizational policy. The sheer volume of passwords that were tried by users and show up in breached password databases in our above examples is scary. Over 55,000 breached password attempts found across 187,000 users in roughly 6 months. While organizational passwords are typically more valuable to an attacker than personal account passwords, organizations often require users to change passwords somewhat frequently, so that compromised password has an expiration date.
There are several measures that can be implemented to address the challenges with password security. Multi-factor authentication is a great example. Other awesome examples are what you just read about in preventing known breached passwords, industry jargon, or keyboard character sequences.
ADVICE: Do a password analysis for your organization and get answers to these basic questions:
Once the issues are surfaced, develop a plan to fix them. For example, automate user notification for password changes if detected on a breach database. Next, we instruct users not to share or reuse passwords, so let’s fix service accounts or implement group managed service accounts. Finally, if a password age is measured in years, is this acceptable to the business? Password analysis is a fantastic exercise and a proactive way to prevent being the next cyber-attack victim.
Learn about Password Spraying and a multitude of other cyber-attacks. Learn how the attack works with a video tutorial and most importantly how to identify, mitigate, prevent, and recover if needed. (https://attack.stealthbits.com/)
Proper data security begins with a strong foundation. Find out what you’re standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure. (https://www.stealthbits.com/credential-data-security-assessment)
Password policy enforcement for Windows Active Directory providing password protection on-premises and in hybrid environments. (https://www.stealthbits.com/stealthintercept-enterprise-password-enforcer)
Rod Simmons is VP of Product Strategy at STEALTHbits Technologies responsible for the vision and strategy of their Active Directory Management and Security solutions. Rod has been in the technology space for over 20 years.
Prior to joining STEALTHbits, he served as Director of Product Management at BeyondTrust responsible for the Privileged Access Management products. He has also held positions leading Solution Architects and Product Managers at Quest Software and Netpro Computing Inc.
Proper data security begins with a strong foundation. Find out what you're standing on with a free deep-dive into the security of your Structured and Unstructured Data, Active Directory, and Windows infrastructure.Read more
Start a Free Stealthbits Trial!
No risk. No obligation.