Passwords. We’re always yammering on about them, along with every other cyber security company out there.
But that’s because we a have good reason. According to Verizon’s Data Breach Investigations report from 2017, 81% of hacking-related breaches leveraged stolen and/or weak passwords. A Google study from the same year puts the number of compromised credentials sold on the black market to about 2 billion. You can check if your passwords have been exposed from Have I Been Pwned here.
If you want to take these numbers from bland statistics into the real world, F-Secure’s cyber security expert Janne Kauhanen can help you. With experience in red teaming and breach investigations, Janne has witnessed many companies’ poor password hygiene first-hand.
“In most of our data breach cases, the attackers got in with two methods. One: they stole someone’s credentials through phishing. Two: they cracked user passwords that were weak, re-used or both.”
The first method is a familiar threat to the IT community, and getting more recognizable even for standard corporate users. Method two, however, is often dismissed as pure hacker power fantasy.
It’s understandable. All those flashy movie scenes? Not quite how it actually works, but close enough.
“Having seen this stuff over and over in red teaming assignments, I can confirm that password cracking is not only real, but extremely practical and effective”, Janne says.
Watch the video to see two of the most common password cracking techniques in action.
That’s what you’re up against, with every half-decently equipped attacker capable of doing the same.
Keeping this in mind, we want to address three password myths – fallacies really – that just don’t seem to die. And also give you some tips on catching impostors on your network after they’re already inside.
PASSWORD MYTH 1: “I USE STRONG PASSWORDS AND CAN REMEMBER THEM IN MY HEAD”
This is an oxymoron. Or a paradox. Whatever it’s called – it’s just not possible.
“No password rule system or algorithm – especially one stored inside a human head – can beat software that’s churning through tens of thousands of password combinations every second”, Janne says. “This is a good rule of thumb: if you can remember your passwords, they’re weak.”
If you can remember your passwords, they’re weak.
The only viable solution to this problem is a reliable password manager, like F-Secure Key. Now you can have a unique, randomly-generated 64 character password for each service and application you use.
And you only need to remember two master credentials. One for the password manager, and the other for your domain login.
Just to be on the safe side, make these really tricky for the attackers to decipher. Password phrases are a good place to start: nonsensical sequences of words that have no particular meaning in themselves.
“effecttradedbuysdowntownreally” or “waitingopencarapplebowling”
PASSWORD MYTH 2: “I’M NOT IMPORTANT – NOBODY WANTS MY PASSWORD”
First of all – check your self-esteem.
We can assure you that there’s at least one group in the world who values you: cyber criminals.
You are a member of a community, trusted and liked by your co-workers. You send emails, access files and have a digital footprint. Your identity has value in itself.
Attackers are willing to do anything to get to their target, and most often they can afford to play the long game.
What if someone breaches your account to get to someone else? Wouldn’t you click on an email from a close colleague, even if it is just a random website link or a weird file?
“Attackers are willing to do anything to get to their target, and most often they can afford to play the long game”, Janne explains. “A breach can start with just one compromised account belonging to a junior employee. From there it can spread like a disease, infecting more and more people from within.”
These attack chains can get quite complex, but many of them originate in a simple act of laziness or negligence. Not something worth losing hundreds of thousands of dollars over.
PASSWORD MYTH 3: “I USE TWO-FACTOR AUTHENTICATION, SO I’M BREACH-PROOF”
This is a bit trickier. Although two-factor authentication is a good thing to enable in almost any conceivable scenario, unfortunately it doesn’t make you immune to breaches.
A true two-factor protocol should always involve two distinct channels of communication. An online banking system, for example, that requires you to input a passcode to a an application that’s completely separated from the main service component.
These types of systems are rare to find, mostly because they would make using many services not only annoying for the end user, but exceedingly costly for the providers. Instead, most companies rely on simpler alternatives, where you get texted a code that you punch into the same login screen as your password.
“You should always use two-factor authentication, but I have seen cases where it’s been bypassed. Text message codes entered on the same login page with your credentials can be captured by faking that website. A fake error message will let you know the service is temporarily unavailable, while the attackers continue with your real session”, Janne says. “Two-factor authentication is not a silver bullet by any means.”
REACTIVE PROTECTION TO PASSWORD BREACHES
You’ve taken care of all the proactive steps when it comes to password security. Now you have to prepare for the eventuality that someone manages to breach an account in your company anyway.
Our recommendation is to invest in endpoint detection and response (EDR) – an advanced security solution you can bolt onto your existing endpoint protection platform (EPP).
With EDR’s real-time behavioral data analysis, you get concrete visibility into your IT environment. You can detect unusual activity by standard programs, unknown applications, unexpected scripts and suspicious running of system tools.
In other words, by teaching a sophisticated AI what “good” behavior looks like, you can effectively flag everything that doesn’t fit this mold. This is called “atypicality modeling”.
Someone is using applications they usually don’t? Flagged.
There’s a suspicious login onto the network in the middle of the night? Let’s investigate further.
Sensitive data is being extracted from your servers? We’re on automatic full alert.
If you want to look more into EDR, here’s a good place to start.
THE BOTTOM LINE WITH PASSWORD SECURITY
Be good for both yourself and your colleagues, and take password security seriously. It’s stupid simple, but extremely effective at preventing unwanted incidents from crippling your operations and crashing your bottom line.
When attackers move past password cracking and still find a way inside anyway – and they will – you need to be prepared. So, instead of only looking at next-generation AV, start paying attention to post-compromise security.
A saying goes: “There’s two types of companies. Those who have been breached. And those who just don’t know about it.”
Words to live by.