Tag: Password

  • Password Length: More than Just a Question of Compliance

    Password length is a topic we’re asked about a lot, and that makes sense because it can be quite confusing. There are several different compliance models that organizations use – from PCI to NIST to OWASP and more. Each has its own standards for password strength and password length.

    When it comes to penetration testing, the password recommendations that pentesters make are often more rigorous than compliance standards, and this leads to a great deal of stress, especially for organizations that have already spent time and effort implementing password rules that meet the compliance standards they’ve chosen.

    Why So Many Different Standards?

    First, speaking from experience, penetration testers see firsthand how weak and reused passwords are often a key part of achieving access over an entire domain (i.e. having administrative powers to view, add, edit, and delete users, files, and sensitive data, including passwords, for an organization’s Active Directory environment). While this is the type of success that pentesters strive to achieve, the true goal of a penetration test is to show organizations weaknesses so that they can close exploitation paths before malicious attackers find them.

    For this reason, Raxis penetration tests recommend passwords of at least 12-16 characters for users and at least 20 characters for service accounts. Of course, we recommend more than length (see below for some tips), but Raxis password cracking servers have cracked weak passwords in minutes or even seconds on internal network penetration tests and red team tests several times this year already. We don’t want our customers to experience that outside of a pentest.


    On the other hand, compliance frameworks are just that – frameworks. While their aim is to guide organizations to be secure, they do not endeavor to force organizations out of compliance with a stringent set of rules that may not be necessary for all systems and applications. For example, a banking website should require stronger credentials and login rules than a store website that simply allows customers to keep track of the plants they’ve bought without storing financial or personal information.

    If you read the small print, compliance frameworks nearly always recommend passwords longer than they require. It’s unlikely, though, that many people read the recommendations when working on a long compliance checklist when they have several more items to complete.

    Times are Changing

    Of course, time goes on, and even compliance frameworks usually recommend at least ten-character passwords now. The PCI (Payment Card Industry) standards that are required for organizations that process credit cards now require 12 character passwords unless the system cannot accept more than eight characters. PCI DSS v4.0 requirement 8.3.6 does have some exceptions including still allowing PCI DSS v3.2.1’s seven-character minimum length that is grandfathered in until the end of March 2025.

    This is a good example of PCI giving companies time to change. It’s been well known for years that someone who has taken the time and expertise to build a powerful password-cracking system can crack a seven-character password hash in minutes. This leaves any organization that still allows seven-character passwords with a strong threat of accounts becoming compromised if the hash is leaked.

    OWASP (the Open Web Application Security Project), which provides authoritative guidance for web and mobile application security practices, accepts 10 characters as the recommended minimum in their Authentication Cheat Sheet. OWASP states that they base this on the NIST SP 800-132 standard, which was published in 2010 and is currently in the process of being revised by NIST. Keep in mind that OWASP also recommends that the maximum password length not be set too low, and they recommend 128 characters as the max.

    The Center for Internet Security, on the other hand, has added MFA to their password length requirements. In their CIS Password Policy Guide published in 2021, CIS requires 14 character passwords for password-only accounts and eight character passwords for accounts that require MFA.

    Other Factors

    This brings up a good point. There is more to a strong password than just length.  


    MFA (multi-factor authentication) allows a second layer of protection such as a smartphone app or a hardware token. Someone discovered or cracked your password? Well, they have one more step before they have access. Keep in mind that some apps allow bypassing MFA for a time on trusted machines (which leaves you vulnerable if a malicious insider is at work or if someone found a way into your offices).

    Also keep in mind that busy people sometimes accept alerts on their phones without reading them carefully. For this reason, Raxis has a service – MFA Phishy – that sends MFA requests to employees and alerts them (and reports to management) if they accept the false MFA requests.

    MFA is a great security tool, but it still relies on the user to be vigilant.

    Raxis’ Recommendations

    In the end, there are a myriad of ways that hackers can gain access to accounts. Raxis recommends setting the highest security possible for each layer of controls in order to encourage attackers to move on to an easier target.

    We recommend the following rules for passwords along with requiring MFA for all accounts that access sensitive data or services:

    1. Require a 12-character minimum password length.
    2. Include uppercase and lowercase letters as well as numbers and at least one special character. Extra points for the number and special character being anywhere but the beginning or end of the password!
    3. Do not include common mnemonic phrases such as 1234567890, abcdefghijkl, your company name, or other easily guessable words. Don’t be on NordPass’s list!
    4. Do not reuse passwords across accounts, which could allow a hacker who gains access to one password to gain access to multiple accounts.
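
    The four rules above can be checked mechanically at password-change time. The following checker is an added example and not Raxis tooling; the blocklist inside it is a small constructed sample standing in for a real most-common-passwords list such as the NordPass list mentioned above, the company name is a placeholder, and the `previously_used` set is assumed to come from wherever the organization keeps its password history.

```python
"""Password-policy checker for the four rules above (added example, not Raxis code)."""
from __future__ import annotations

import string

MIN_LENGTH = 12                  # rule 1
SPECIALS = set(string.punctuation)

# Constructed sample blocklist; a real deployment would load a full list
# such as the published most-common-passwords lists the post refers to.
COMMON_PATTERNS = {"1234567890", "abcdefghijkl", "password", "qwerty"}


def check_password(pw: str, company_name: str = "ExampleCorp",
                   previously_used: set[str] | None = None) -> list[str]:
    """Return the list of rule violations; an empty list means the password passes.

    company_name is a placeholder value, and previously_used is assumed to be
    supplied by the caller from the organization's password-history store.
    """
    problems: list[str] = []

    # Rule 1: minimum length.
    if len(pw) < MIN_LENGTH:
        problems.append(f"rule 1: shorter than {MIN_LENGTH} characters")

    # Rule 2: character classes.
    if not any(c.isupper() for c in pw):
        problems.append("rule 2: no uppercase letter")
    if not any(c.islower() for c in pw):
        problems.append("rule 2: no lowercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("rule 2: no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("rule 2: no special character")

    # Rule 3: easily guessed sequences, including the company name,
    # matched case-insensitively anywhere inside the password.
    lowered = pw.lower()
    for pattern in sorted(COMMON_PATTERNS | {company_name.lower()}):
        if pattern in lowered:
            problems.append(f"rule 3: contains easily guessed pattern {pattern!r}")

    # Rule 4: no reuse of a password already seen for this or another account.
    if previously_used and pw in previously_used:
        problems.append("rule 4: password reused")

    return problems


def interior_placement(pw: str) -> bool:
    """The 'extra points' check: True when at least one digit and one special
    character appear somewhere other than the first or last position."""
    interior = pw[1:-1]
    return (any(c.isdigit() for c in interior)
            and any(c in SPECIALS for c in interior))


if __name__ == "__main__":
    for candidate in ("Password1!", "Tr0ub4dor&3xyz", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate) or "OK",
              "| interior digit+special:", interior_placement(candidate))
```

    Reporting every failed rule at once, rather than stopping at the first, gives users a single round of feedback instead of a frustrating sequence of rejections; the reuse check deliberately takes a set rather than a single previous password so it can cover all of a user's accounts.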

    There are two easy ways to follow these rules without causing yourself a major headache:

    1. Use a password manager (such as NordPass above, BitWarden, Keeper, or 1Password amongst others). Nowadays these tools integrate with all of your devices and browsers, so you can truly remember one (very long and complex) password in order to easily access all of your passwords.
      • These tools often provide password generators that quickly create & save random passwords for your accounts.
      • They usually use Face ID and fingerprint technology to make using them even easier.
      • And they also allow MFA, which we recommend using to keep your accounts secure.
    2. Use passphrases. Phrases allow you to easily remember long passwords while making them difficult for an attacker to crack or guess. Just be sure to use phrases that YOU will remember but others won’t guess.

    And I’ll leave you with one last recommendation. On Raxis penetration tests, our team often provides a list of the most common passwords we cracked during the engagement in our report to the customer. Don’t be the person with Ihatethiscompany! or Ihatemyb0ss as your password!

  • Understanding the Why Behind Password Management

    In this video, Brian will help you understand password management from the viewpoint of a hacker. It’s more than a how-to; it’s also a why-to. We’re hopeful that by seeing a little of what we see, you’ll make password management a high priority for your company.

    Despite years of warning, cajoling, and even begging by security professionals, password mismanagement is still one of the most reliable (and one of our favorite) ways to breach a company network. This week, our chief technology officer, Brian Tant, continues his video series about the most common vulnerabilities we see during hundreds of penetration tests each year.

    Remember: Complex passwords, unique to each account, and changed frequently are keys to effective password management and security. Also remember to check your service accounts and make sure that old passwords aren’t lingering on your devices.

    Effective cybersecurity is a matter of behavior as much as it is technology. Let’s make strong password management a habit that catches on. 

    Download our list of Top 10 Cyber Attacks to learn more about ways to secure your company.

    Want to learn more? Take a look at the next part of our Common Vulnerabilities discussion.

  • Celebrate National Cybersecurity Awareness Month Through Security

    Each October the NICCS (National Initiative For Cybersecurity Careers And Studies) leads National Cybersecurity Awareness Month (NCSAM). This year the focus is on personal accountability and taking proactive steps both at home and at work. Raxis is joining in the fun by offering tips that we all can try at home and in the workplace (or school), no matter our age or what we do.

    Computer & Smart Phone Basics

    These tips are the same ones you’ve been hearing for years, but it’s always good to have a reminder.

    Apply updates to your devices. The IT department at your office is likely handling this there, but it doesn’t hurt to check and be sure your operating systems and software are running current, patched versions. This is also important for your personal devices. Watch for notifications that it’s time to update your operating system and keep software that you buy up to date. Almost all software has a place (Updates, Preferences, Settings) where you can check to see if you are on the current version. Most vendors watch for security news and provide patches and updates as soon as they fix issues. And don’t forget smart devices, such as phones, tablets and household products like cameras and lighting systems. Such devices can be easy to overlook, and hackers often focus on them because they know that.

    Set passwords/passcodes on your computers and smart devices. Your kids may “hack” your phones by entering the passcode that you’ve told them and posting amusing Instagram photos, but, when you misplace your phone while out, you will appreciate setting that passcode so that a stranger doesn’t have access to your private information including sending texts, reading your emails, or erasing your phone for their own use. The same applies to computers. Step away for a few moments, and you don’t know if someone has stopped by to look at your private downloads or browser history.

    Use strong passwords. While on the topic of passwords, please don’t use 12345 or Password1. It’s often tempting to set easy passwords or the same password for every login to save time and make passwords easier to remember. Hackers count on that. Some websites allow hackers to guess many passwords until they find the right one, and, once they have it, they may try it to log in to your other accounts or even sell the password to other people. Raxis gives tips on setting passwords that are easy to remember but hard for others to guess here: The Weakest Link in the Password Hash.

    WiFi Networks

    Nowadays all sorts of places from coffee shops to hotels have free WiFi guest networks. It’s convenient to join these, and you can do that safely if you follow a few rules. While connected to these networks, there is a chance that a hacker could be watching your internet traffic, including passwords as you login to sites and private information that you enter in websites or upload to the cloud. If you’re logging in to check a score or find the closest pizza parlor, there’s probably nothing for a hacker to steal. But if you plan to stay on the WiFi network for a while or do anything that may be private, Raxis advises you use a VPN tool such as Private Internet Access (PIA) while connected to the guest WiFi network. Tools such as PIA have apps for your phones and tablets as well as software for your computer, and they often charge a low monthly or annual fee so that you can use the service at any time. Once you connect to the guest WiFi network, start PIA, and it will encrypt your internet traffic so that an attacker attempting to watch your secure data only sees gibberish.

    Setting up a home WiFi network. When setting up your WiFi network at home, either through tools from your local cable, phone or satellite service, or with your own wireless router, be sure to set a strong password (see above) on the administrative webpage where you set up the WiFi network. Though these sites appear to be personal for your home, the signal often travels outside and to neighbors’ houses. If you leave the site with no password or an easily guessable password, someone nearby could change your settings. Raxis also advises that you set a password to join your home wireless network. Though you’ll likely share this with friends and family, it makes it harder for someone nearby to join without you knowing.

    Use WPA2. Your router setup likely has several options for the wireless security protocol and sometimes defaults to a weak protocol. The WEP and WPA protocols are about 20 years old, and exploits are easily available on the internet. Several varieties of WPA2 are available on most routers, and any of these should work well for a home network.

    Social Engineering & Phishing

    Many hackers and thieves look for a simpler way to get the information and access they want.

    Email, fax and phone (calls & texts) phishing campaigns have become very realistic and are often difficult to distinguish from legitimate messages. Hackers can steal your information by talking you into telling them, tricking you into entering your private information, such as credentials, on their malicious webpage, or even automatically stealing credentials or infecting your computer when you open a link that they send you. At Raxis we advise our customers to stop and think before acting. Many companies, such as banks and stores, provide contact numbers and forms that you can call to confirm the information.

    It may seem brazen, but the easiest way to get access to businesses, apartment buildings, or other shared spaces, is to act like you belong and see if someone lets you in. Once inside, it’s often rare for people to confront others about whether they belong there. Raxis recommends not holding locked doors for people you don’t know as well as keeping confidential information and keys hidden in case someone does gain access. If someone appears suspicious to you, you don’t have to confront them. Let a security guard, receptionist, or someone in authority know.

    The most important thing to remember is, to quote the Department of Homeland Security, “If you see something, say something.” This is the case whether at work or at home. Check with your manager or IT department or check with your neighborhood watch or HOA. If you are not sure about an email from your bank, contact them about it; if it’s a scam, they may want to inform other customers. If you see someone acting suspiciously, report it or ask around.

    Raxis provides more information in the following series of blog posts:

    Stay Safe & Secure Out There!

    As the holiday season gets closer, focusing on cybersecurity is not just for the month of October. When we focus on security in our daily lives, we can work together to make things more difficult for hackers and thieves. Let’s all do our part.

  • The Weakest Link in the Password Hash

    Your password is strong – but is everyone else’s?

    We spend considerable time trying to make sure our passwords are strong. But we also need to spend time educating our user base on why password strength is important.

    It is not uncommon for a hacker to establish his foothold in an environment by first compromising a weak or insecurely stored password. Once a base level of authenticated access is established, it becomes a matter of time before privilege escalation is achieved.

    So, while your password might be a strong 16 character, alphanumeric with symbols stronghold, your administrative assistant might still be using s0ftc@t1 (which, by the way, would crumble under a modest brute-force attack in less than 48 hours) as hers. If we can get that weak password we can extrapolate from there and gain access to other accounts.

    Important lessons to teach:
    • Use of symbols to recreate letters (e.g. @ for a, ! for i, etc.) is not that useful. Rule-based brute-force attacks use dictionaries and account for common character substitution techniques.
    • Longer is better – an 8 character password is trivial for a skilled hacker regardless of its complexity. Currently, adding a single character and increasing the length to 9 characters extends the time it takes to crack the password to a couple of months.
    • Use random letters and numbers.
    • Capital letters should be used along with non-capitals, but refrain from making the first character the capitalized letter (we expect that and hack for it).
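
    The first two lessons come down to arithmetic an attacker can do in their head: the number of candidates a guessing attack has to try. The block below is an added example, not part of the original post, that carries that arithmetic through for several lengths and for a dictionary word with symbol substitutions. The guess rate is an assumed round figure for a fast, unsalted hash on a GPU rig, and the dictionary size and substitution table are constructed samples; real rates depend entirely on the hash algorithm and hardware.

```python
"""Keyspace and crack-time arithmetic for the lessons above (added example)."""
import math

# ASSUMPTION: round-number guess rate for a fast hash on a GPU cracking rig.
# Chosen for illustration only; it is not a figure from the original post.
ASSUMED_GUESSES_PER_SECOND = 1e11
SECONDS_PER_DAY = 86_400
PRINTABLE_ASCII = 95            # upper + lower + digits + symbols

# Constructed sample of the letter-for-symbol swaps that rule-based attacks
# already apply to every dictionary word.
LEET_RULES = {"a": "@", "i": "!", "e": "3", "o": "0", "s": "$", "t": "7"}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of this length and charset."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return keyspace(charset_size, length) / rate


def leet_variants(word: str) -> int:
    """How many spellings a rule-based attack must try to cover every
    combination of the LEET_RULES swaps on `word` (each eligible letter is
    either swapped or left alone, so 2 ** eligible)."""
    eligible = sum(1 for c in word.lower() if c in LEET_RULES)
    return 2 ** eligible


def effective_bits_for_leet_word(word: str, dictionary_size: int) -> float:
    """Entropy the attacker actually faces for a symbol-substituted dictionary
    word: the dictionary times its leet variants, not a random string."""
    return math.log2(dictionary_size * leet_variants(word))


def compare(lengths=(7, 8, 9, 12, 16), charset_size: int = PRINTABLE_ASCII):
    """Rows of (length, entropy bits, days to exhaust) at the assumed rate."""
    return [(n, entropy_bits(charset_size, n),
             seconds_to_exhaust(charset_size, n) / SECONDS_PER_DAY)
            for n in lengths]


if __name__ == "__main__":
    print("random passwords over 95 printable characters:")
    for length, bits, days in compare():
        print(f"  {length:2d} chars  {bits:5.1f} bits  {days:12.2f} days to exhaust")
    word = "softcat"
    print(f"\n'{word}' with leet swaps: {leet_variants(word)} variants; "
          f"with a 100,000-word dictionary that is only "
          f"{effective_bits_for_leet_word(word, 100_000):.1f} bits, versus "
          f"{entropy_bits(PRINTABLE_ASCII, len(word) + 1):.1f} bits for a random "
          f"{len(word) + 1}-character string")
```

    Two things fall out of running it. Each extra random character multiplies the attacker's work by the charset size, so the jump from 8 to 9 characters is worth far more than any amount of symbol-swapping; and a dictionary word with every plausible substitution applied is still only a few million candidates, which is why a substituted word falls to a rule-based attack almost immediately.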

    Consider multiple roots

    One trick is to use a 10 character base such as: yyT73p@55c

    Now remember that (see next section for tips).

    Now make it unique. By adding a “-” or a “+” or “_” and then a system identifier such as:

    yyT73p@55c-dr0p (say, for Dropbox)
    yyT73p@55c+f@cE (for Facebook)
    yyT73p@55c_BoA (for Bank of America)

    Now you have a super strong random root, followed by a symbol with a dictionary word including caps and symbols if you wish.

    Using this formulaic approach it’s possible to take a 10 character root and create a different password by creating an easy to remember tag. Now your passwords are 14+ characters long and easy to remember.

    Consider rhyme and pattern

    One trick I use for remembering that root is putting it in a rhythm and rhyme pattern that makes sense to me. This was a trick taught to me by a security engineer years ago and it’s worked. In the case of yyT73p@55c, every third letter (and 4th at the end) rhymes, and I have a pace to it.

    Different root for types of systems

    Now. If you want to supercharge the geek (and help save your butt from mass hack password releases) consider having a small handful of root passwords. Perhaps one you use for social, one for finance, and one for work.

    Using that approach still only requires you to remember 3 base passwords, but, in doing so, you’ve strengthened your password repertoire considerably.

    Change the root

    Regardless of the strength of our passwords it’s still best practice to change them frequently. Using the root system all you need to do is periodically change the root and you’ve reset any exposure to compromise you may have had.

    BONUS ROUND.

    If you really care about security for a specific site (say, your bank), use a unique username. It doesn’t have to be crazy. If you tend to use “sally15” as your main username try using your last name “sanders15” for the bank. Use the same password root as above – but now you’ve got a unique username and a unique password that is associated with that one service.

    The Struggle is Real

    Getting your employees to use strong passwords is an uphill battle, but it’s a critical one. Remember – we are looking for the weakest link. Once we get a toe in the door it’s usually all we need before we spread like cancer in your system.

    By utilizing a simple system, such as the one suggested here, you can increase the chances of your employees maintaining difficult passwords and strengthening their online security.