How I Compromised Your Complex Password from The Internet

One of an attacker’s first goals is to gain a foothold in a target environment. The role or permissions of an end user do not matter if the account can be leveraged to gain access. Many password guides encourage longer, more complex passwords, making it more difficult to brute force the password’s plaintext value from its stored hash in case of a breach. While this is true, a foothold is often gained by simply guessing an end user’s password against an external resource such as Microsoft Office 365 or an on-premises Microsoft Exchange server.

Many passwords compromised through guessing were long, containing ten or more characters, and included numbers and special characters. These passwords met the complexity requirements of most environments but still contained dictionary words and phrases, and followed patterns that are commonly found in password breach data.

Many end users (and even some veteran security professionals) consider password management a massive pain. Creating a unique password that satisfies today’s complexity requirements can be tough. As a result, many end users choose passwords that can be easily guessed by incorporating months, seasons, years, words related to a company’s name or industry, common login phrases like ‘welcome’ and ‘password’, and keyboard walks such as ‘123’ or ‘!23’. In some cases, easily guessed passwords are the default password generated for new hires or password reset requests because they are more easily communicated to users.

While helpdesks usually ask these users to change their password once logged in, users are not always required to do so due to a misconfiguration in Active Directory. Suppose the default password used by an organization can be discovered. In that case, dozens of user accounts will usually be compromised, each being utilized in some way to gain a foothold into a target’s environment.

What can be done

Many users in non-technical roles do not understand the importance of good password management. Educating these users on the impact of what an attacker can do with their password is critical.

Additionally, it is important to educate users on the words and phrases that most commonly show up in guessed passwords, so they know what to avoid. Some common examples are:

  • Address (home and office)
  • Date of birth
  • Phone number
  • Personal, child or spouse birthday
  • Month
  • Year
  • Keyboard Patterns such as 123 or !23
  • Anything posted on social media as an interest
  • Company Name
  • Company Industry
  • Admin
  • Password
  • Welcome
  • Sports Teams or Terms
  • Swear words (this is a lot more common than you’d think)

In addition to a strong password policy following NIST guidelines, administrators should consider creating blocklists for the most common words and phrases to prevent end users from creating weak passwords. Tools such as Azure AD Password Protection can allow admins to create a list of banned passwords that will apply to on-premises AD. Lists can be gathered from breach data such as the Have I Been Pwned Database.
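As an added illustration of such a blocklist (example code written for this page, not Lares’ tooling and not Azure AD Password Protection), the filter below rejects the patterns listed above (company and industry terms, months, seasons, years, ‘welcome’/‘password’/‘admin’, and keyboard walks such as ‘!23’) and then checks the candidate against a breach corpus using the same SHA-1 prefix/suffix split that the Have I Been Pwned range API uses, so the full hash never has to leave the host. The organization terms and the three-entry breach corpus are constructed assumptions; a real deployment would load both from policy and from the full Pwned Passwords data set.

```python
"""Added example (not Lares' tooling or Azure AD Password Protection): a password
filter that rejects the patterns listed in the post and checks a breach corpus
with the SHA-1 prefix/suffix split used by Have I Been Pwned's range API."""
import hashlib
import re
from collections import defaultdict

# Assumed organization-specific terms; a real deployment loads these from policy.
ORG_TERMS = ["examplecorp", "widgets"]            # company name / industry (assumed)
COMMON_TERMS = ["password", "welcome", "admin", "letmein", "qwerty"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
SEASONS = ["spring", "summer", "autumn", "fall", "winter"]
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Undo common letter-for-symbol substitutions so P@ssw0rd is seen as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})
# Map the shifted digit row back to digits so "!23" is caught as the walk "123".
SHIFT_TO_DIGIT = str.maketrans("!@#$%^&*()", "1234567890")
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus, indexed by the 5-hex-char prefix the
# way the Pwned Passwords range API serves it: a client sends only the prefix and
# matches the suffix locally, so the full hash of the candidate is never disclosed.
BREACH_INDEX = defaultdict(set)
for _leaked in ["Summer2023!", "Welcome1", "P@ssw0rd"]:   # constructed sample entries
    _h = _sha1_hex(_leaked)
    BREACH_INDEX[_h[:5]].add(_h[5:])


def is_breached(pw: str) -> bool:
    h = _sha1_hex(pw)
    return h[5:] in BREACH_INDEX.get(h[:5], set())


def _has_keyboard_walk(pw: str, min_len: int = 3) -> bool:
    """True if the password contains a run of min_len adjacent keys (either direction)."""
    s = pw.lower().translate(SHIFT_TO_DIGIT)
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seq = row[i:i + min_len]
            if seq in s or seq[::-1] in s:
                return True
    return False


def check_password(pw: str, org_terms=ORG_TERMS) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    reasons = []
    if len(pw) < 8:                      # NIST SP 800-63B minimum for user-chosen secrets
        reasons.append("length")
    norm = pw.lower().translate(LEET)
    for word in COMMON_TERMS + list(org_terms) + MONTHS + SEASONS:
        if word in norm:                 # substring match: "Summer2023!" still fails
            reasons.append(f"term:{word}")
    if YEAR_RE.search(pw):
        reasons.append("year")
    if _has_keyboard_walk(pw):
        reasons.append("keyboard-walk")
    if is_breached(pw):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    for candidate in ["Summer2023!", "P@ssw0rd", "ExampleCorp!23",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Two design points are worth noting. Term matching runs on a normalized form of the password, so ‘P@ssw0rd’ and ‘Welcome1’ fail the same way ‘password’ and ‘welcome’ would, which is exactly the substitution trick users reach for when a plain word is rejected. Very short list entries (such as ‘may’) match inside unrelated words, so a production list should be tuned against real rejections rather than applied blindly.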

The bottom line is that good password management is critical to the security of your data. However, creating and remembering complex passwords can be a pain for end users. Administrators should consider creating blocklists for the most common words and phrases and educating their users on some of the more common terms when creating a password. What do your password policies look like? Why not let Lares audit your password configurations to see if we can identify some optimizations? Contact us today!

Resources