Passwords, The Need to Do Better

With today’s announcement of the FriendFinder Network hack, and the report that over 412 million of its passwords have been cracked, there is and will be a lot of discussion about the need to better protect passwords at rest. That is true, but one point that tends to get lost in the discussion is that by the time anyone is cracking hashes, the bad guy has already won: they hold the password hashes (or, where hashing was skipped, the passwords themselves) and can crack them at their leisure.  Time is on their side; if the attacker has gotten this far, you have already failed.

Why do we bring this up? Foremost because, amid all the articles, people forget that in most companies the password prompt is the beginning and the end of the company’s information security.  With that in mind, here are some simple things you can do to dramatically improve your corporate password policy and reduce the chance of someone simply walking up and guessing a valid password, which in most cases is what you are actually trying to prevent.

#1 – Stop using passwords, use passphrases – Users who try to build the strongest possible password out of upper case, lower case, digits and special characters, while limiting themselves to 8 or 9 characters, will typically forget it and write it down, defeating the whole exercise in the first place.  Passphrases dramatically reduce your exposure, yet most organizations simply do not teach them.  If your average user goes from an 8-9 character password (Password1) to a passphrase (InolongerusePassword1), the result is harder to crack if the hash is stolen, but more importantly it is far less likely that someone will simply guess it.

#2 – Learn to blacklist the Top 5 Worst Passwords – As pen testers we still try these five first, and find that as much as 40% of your users are using one of them.  All five satisfy the usual complexity rule (8 or more characters, three of four character classes), which is exactly why users pick them, so complexity settings alone will not stop them; blacklist them case-insensitively and regenerate the season/year entries as the calendar moves:
#a – Password1
#b – Welcome1
#c – Companyname1 – XYZCorp1
#d – Current Season/Year/! – Winter2016!
#e – Previous Season/Year/! – Summer2016!

#3 – Audit your passwords – We cannot stress this enough: audit your passwords!  Better that you find your users have chosen terrible passwords than that the bad guy finds them first.
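The blacklist from #2 and the audit from #3 in one place, as an added Python example that is not part of the original post. It generates the five patterns (every season for this year and last, with and without the trailing "!", since the post's own current/previous pair skips a season), rejects them when a password is set, and then runs the same candidate set against a dump of stored hashes. The 15-character passphrase floor, the unsalted SHA-256 stand-in for the real password store, and the sample accounts are assumptions for illustration; a real Windows audit would compare NT hashes (MD4 of the UTF-16LE password) pulled from a domain controller instead.

```python
"""Blacklist the top-five worst passwords and audit a hash dump for them.

Added example, not code from the original post. Assumptions are marked.
"""
import datetime
import hashlib

SEASONS = ("Winter", "Spring", "Summer", "Fall")


def weak_candidates(company, year=None):
    """Return the set of passwords the post says to blacklist.

    Season/year values are generated for every season of `year` and the
    year before, so the 'current' and 'previous' season are covered no
    matter where the season boundary is drawn (assumption: the post lists
    only two). Every base word is tried with and without a trailing '!'.
    """
    if year is None:
        year = datetime.date.today().year
    base = {"Password1", "Welcome1", f"{company}1"}
    base |= {f"{season}{y}" for y in (year, year - 1) for season in SEASONS}
    return {variant for word in base for variant in (word, word + "!")}


def is_blacklisted(password, company, year=None):
    """True if `password` matches a blacklisted value, ignoring case."""
    lowered = {w.lower() for w in weak_candidates(company, year)}
    return password.lower() in lowered


def check_policy(password, company, year=None, min_length=15):
    """Return the list of violations; an empty list means the password is accepted.

    min_length=15 is an assumed passphrase floor, not a number from the post.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters; use a passphrase")
    if is_blacklisted(password, company, year):
        problems.append("matches a blacklisted password")
    return problems


def store_hash(password):
    """Stand-in for the real password store (assumption: unsalted SHA-256, so a
    candidate can be checked by a single lookup; NT hashes would be MD4 of
    the UTF-16LE password instead)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def audit_dump(dump, company, year=None):
    """Hash every blacklisted candidate once and report {user: weak password}
    for each account in the {user: hash} dump whose hash matches."""
    lookup = {store_hash(c): c for c in weak_candidates(company, year)}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


if __name__ == "__main__":
    # Constructed sample dump: five accounts, four of them on the blacklist.
    sample = {
        "alice": store_hash("Password1"),
        "bob": store_hash("Winter2016!"),
        "carol": store_hash("InolongerusePassword1"),
        "dave": store_hash("Summer2016!"),
        "erin": store_hash("XYZCorp1"),
    }
    for user, weak in sorted(audit_dump(sample, "XYZCorp", 2016).items()):
        print(f"{user}: weak password {weak!r}")
    for pw in ("Password1", "InolongerusePassword1"):
        print(f"{pw!r}: {check_policy(pw, 'XYZCorp', 2016) or 'accepted'}")
```

Run the audit from a controlled host with the hash dump, and hook check_policy into whatever sets passwords so the same list is enforced at the front door; the candidate set is deliberately tiny, so extend it with your own incident history and the company's product names before relying on it.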

