June 27, 2016
Passwords (Those Things Your Users Tape to Their Monitors)
The intention of this guide is to help educate users on the importance of strong passwords and password practices. Passwords tend to be our first line of defense in securing our personal accounts, information, and livelihood.
Ok, to be fair, sometimes it's under their keyboard if they are trying to be sneaky about it.
For the most part, it's been my experience that it doesn't matter what industry you work in (medical, education, finance, etc.); users are largely all the same. The average user does not think about things like encryption, clickjacking, logging out of their browsers, etc. They tend to leave those things to the IT people to worry about.
The average computer user will generally know enough to check their email, do their work, maybe play some web games, etc. They know they "have to" meet certain criteria for their passwords, depending on company policy, and tend not to think about that process beyond that, because they don't live in the same world as IT or other security experts. This, again, is fair, since that's not their primary job or interest, up to a point.
Those of us who work in IT or network security, ethical hackers, or even passing enthusiasts know it's one big, scary digital (and physical) world out there, with a daily struggle to protect users from the bad guys and, sometimes, from themselves.
A strong password (at least for the near future) is still one of the best ways to protect yourself, your users, and your data. The intention of this document is to:
- help give an understanding of how important a strong, secure password is
- explain why some people feel it's not that important to them
- share some general tips that may help
A "typical" user
In my experience, most users don't intentionally try to compromise your network. They have a tendency to do so inadvertently, because of a lack of technical confidence or of understanding of how important their login really is. In my years in IT, working at various companies, it's been a very rare case where an employee was intentionally trying to compromise the network.
As frustrating as it can be to see a password written on a Post-it note on the monitor or on a piece of paper under the keyboard, these users are more than likely in need of education as to why they need to be more careful. If they knew what's really at stake, or what happens if their account gets stolen, they'd likely be more vigilant.
"I don't care who gets into my account. I don't have anything important in there anyway."
I have heard that line more times than I would care to admit, from various companies and from a variety of users, secretaries to upper management. The truth of the matter is they often have no idea what's at stake. Most of the time, they think the small part they work on is the only thing an intruder would have access to. These attitudes tend to change once you explain to them what is really at risk.
Let's break down a few things:
- These users tend to use the same password for everything. Even though they're not especially technology savvy, their jobs require them to have a certain level of network access. Oftentimes their passwords are also the same as, or similar to, the passwords for their personal accounts (email, bank logins, etc.). Compromising one will compromise them all to some degree.
- These passwords tend to be easily remembered; they're typically dictionary words or words/phrases that can easily be discovered (kids' names, spouse, hobby, school, etc.). They're things that can usually be compiled quickly by searching social media or by Googling their name.
- Using the above example, say someone decides to use their favorite sports team for their password. They think it's a great idea since it has a number in it: sf49ers. The Kaspersky secure password check says it will take about 45 seconds to brute-force that password. Any halfway decent hybrid password cracker should be able to crack it in about that time.
- These users tend to have no idea what access level they have. 99% of the time they will use a small portion of their access to do their day-to-day work (email and one network folder, for example). Yet they also have broader access for the rare 1% of the time they need to dive deeper into the network.
- Users have no idea what phishing is, or that their account can be used to phish their co-workers. A "bad guy" can use that person's account to phish or spear-phish the other users in the organization, leveraging that person's credentials to gain trust.
"My password is password"
A quick story: in my cube, I tape up a list of the "Top 10 worst passwords for the previous year" and the IT people get a kick out of it. Occasionally, a user will walk by, point and laugh, then say, "Hey, that's my password!" After they leave, they're greeted at their workstation with a "Your password expired, please reset your password" message.
In general, people have so many things they're juggling in their heads. The thought of having to remember some random 8-character password that consists of upper- and lower-case characters, numbers, and special characters, and that doesn't relate back to a person, object, or place, seems daunting. People like to rely on familiarity to remember things.
Recommended: In general, passwords should be at least 8 characters long, contain upper- and lower-case letters, numbers, and special characters, and not spell a word, phrase, name, etc.
Let's take a few short passwords and feed them into the Kaspersky Lab secure password check:
- Password: master. This password took 1 second to brute-force. The issues with this one are that it's a short password, a common word, and all lowercase.
- Password: MasTeR. This password took 4 seconds to brute-force. Adding in some capitals slowed down the attack, but barely.
- Password: Minons1. We upped the difficulty here by adding an uppercase letter and a number. Given that it's still a common word, it was still brute-forced within 44 minutes.
- Password: rM*)T4;a. Adding uppercase, lowercase, numbers, and special characters, while keeping in mind that this should not be any sort of dictionary word or name, the attack took an estimated 12 days. As you can see, it makes a huge difference in the time it takes to compromise a password.
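To show why the four passwords above land where they do, here is an added example (not from the original post or from Kaspersky's tool) of a small policy checker that applies the recommendation above: it reports which character classes a password uses, how many bits a naive exhaustive search over those classes would cover, and whether the password is built around a common word. The wordlist is a constructed stand-in, and the 1e9 guesses-per-second rate is an assumed figure, so the times are illustrative rather than Kaspersky's numbers.

```python
import math
import string

# Constructed for this example: a tiny stand-in for the dictionary/crack wordlists
# a real checker would load (the page's own sample passwords are included).
COMMON_WORDS = {"master", "password", "minons", "minions", "49ers", "sf49ers"}

# Character classes named in the recommendation, with each class's alphabet size.
CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "special": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}

def char_classes(pw):
    """Return the set of class names actually used in the password."""
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in pw)}

def keyspace_bits(pw):
    """Bits of a naive exhaustive search over the classes the password uses."""
    alphabet = sum(CLASSES[name][1] for name in char_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def contains_common_word(pw):
    """True if the password is, or is built around, a common word ('Minons1' -> 'minons')."""
    lowered = pw.lower()
    core = "".join(c for c in lowered if c.isalpha())
    return any(w in lowered or w in core for w in COMMON_WORDS)

def check_policy(pw):
    """List every way the password falls short of the recommendation; empty list = pass."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    for missing in sorted(set(CLASSES) - char_classes(pw)):
        problems.append(f"no {missing} character")
    if contains_common_word(pw):
        problems.append("based on a common word")
    return problems

def crack_time_seconds(pw, guesses_per_second=1e9):
    """Worst-case exhaustive-search time; 1e9 guesses/s is an assumed offline rate."""
    return 2 ** keyspace_bits(pw) / guesses_per_second

if __name__ == "__main__":
    for pw in ["master", "MasTeR", "Minons1", "rM*)T4;a"]:
        print(f"{pw:10} {keyspace_bits(pw):5.1f} bits  "
              f"{crack_time_seconds(pw):12.0f} s  {check_policy(pw) or 'OK'}")
```

Note that the bit count only measures the search space; "Minons1" looks far stronger than "master" by that measure, yet the common-word check still flags it, which is why a hybrid dictionary attack beat it in under an hour.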
Using common words, names, places, hobbies, and whatnot allows your password to be potentially guessed by a person doing a little research on you. I've been able to guess people's passwords, in some cases, by doing something as simple as knowing their favorite sports team, hobbies, children's names, etc.
Oftentimes, clues to our passwords can be found in our social media, daily conversation, clues in our office (say our favorite sports team's logo pasted on our walls), etc. This is one reason why a password should be something that makes it as hard as possible to guess.
Challenge questions also play into this. Some sites will ask you to come up with a series of password challenge questions. What was your first car, where did you live before, what's your pet's name, etc. Before setting up any of these, consider whether any of these clues can be discovered by visiting your social media sites.
- Shoulder surfing: This attack occurs when a person hovers over your shoulder as you're typing in your password. This is an easy, non-technical attack. You can easily stop this type of attack by being aware of your surroundings when you're logging in.
- Written passwords: Writing down your password on a piece of paper, log book, etc makes it far too easy for anyone to stumble onto it. Refrain from writing down your passwords if at all possible. If you need to write it down, make sure that it's stored in a secure, locked location that only you have access to.
- Text documents: Passwords stored in a Word doc, text document, etc. are stored in clear text, and any number of methods can be used to obtain them. If you want to store your passwords in electronic form, consider a password-protected document or an encrypted format.
- KeySweeper: This hardware was introduced by Samy Kamkar about a year ago. The hack involved making a fake USB charger that would scan and record wireless keyboard keystrokes. The interesting part of this was not only did the device look like a small (working) USB charger, but it was fairly easy and cheap to make (about $60). You can read the article here: http://thehackernews.com/2015/01/KeySweeper-Arduino-Keyboard-Keylogger.html
- USB and CD boot: It's recommended that you disable CD and USB boot in your system BIOS. Enabling these options allows an attacker to use devices such as Konboot, USB Katana, or even the USB drive pentesting toolkit: https://www.cybrary.it/0p3n/build-usb-drive-pentesting-toolkit/ Cracking a person's password by this method is as simple as having the computer boot to the USB drive or CD drive, allowing the program to load, and rebooting onto your desktop.
- BIOS password: The above recommendation is only worthwhile if your BIOS is password protected. Following the same criteria as for user passwords is recommended. Keeping an attacker out of your BIOS will go a long way in protecting your system.
- Dumpster diving: Passwords that are written down need to be properly disposed of afterwards; physically written passwords should be shredded. Otherwise a well-known method called "dumpster diving" can be employed against you: a person (janitor, coworker, etc.) digs through the garbage for useful information.
- Storing passwords in your browser is always a risky proposition. If someone is able to access your computer while you are logged in, they can potentially access your accounts. Likewise, a person can use a program (such as the PassView tools in the NirLauncher suite) to show the logins, passwords, and sites with the click of a button.
- Logging out of websites is always recommended. Clearing all cookies and browser cache will also help ensure your security.
- Whenever possible, be sure to access sites using HTTPS, instead of HTTP.
- Social engineering is the method of human hacking. Instead of compromising a computer or network, the attacker exploits a person. This remains one of the most effective methods of exploitation. If you can properly exploit an individual, you can potentially bypass any level of security. As Kevin Mitnick once put it, "A company can spend hundreds of thousands of dollars on firewalls, intrusion detection systems and encryption and other security technologies, but if an attacker can call one trusted person within the company, and that person complies, and if the attacker gets in, then all that money spent on technology is essentially wasted".
- Phishing emails: This method of attack is still an incredibly effective way of gaining access, and that potentially includes gaining your password. I've detailed phishing in an earlier guide: https://www.cybrary.it/0p3n/anatomy-of-the-hack/
- Phone solicitations: Email is not the only way a person may try to gain access. An attacker may contact a person posing as, say, the IT department, ISP, phone company, credit card company, etc., stating that they need to access their account to recover some of their files because of a server crash, or that they require access to complete a task. Users have a tendency to give up their passwords too easily to others who claim to be in a position of higher authority and technical level. In general, most workplaces will not ask for a user's password. Furthermore, no ISP, phone company, software company, etc. will ever ask you for your login and password information.
- Educating yourself and your users in terms of social engineering will help mitigate such attacks, both at work and at home.
- Always download trusted software. Cracked or pirated software downloaded from untrustworthy sites can contain malicious payloads, including software that can harvest your data.
- If you're operating your computer on wireless, be sure to always connect to a trusted wireless access point. Jumping on an unknown access point may result in a man-in-the-middle attack: https://en.wikipedia.org/wiki/Man-in-the-middle_attack
- Consider using a VPN when operating on wireless, which will help add an extra layer of security.
- Be sure to keep your computer up to date with the latest security patches. This includes all other programs on your computer such as Java, browsers, etc.
- Make sure you have an up-to-date anti-virus. Be sure this anti-virus is also set to scan all inbound files and to schedule regular full scans. Having an out-of-date or improperly configured (never run) anti-virus is like having no anti-virus installed.
- Smartphones should also be considered the same as a computer along with the same safety concerns and guidelines: https://www.cybrary.it/0p3n/smartphone-apps-what-am-i-downloading-anyways/
Security has always been a balance of good security guidelines and a user-friendly approach. This has always been a very difficult balance, since leaning too heavily on the security guidelines generally makes it too difficult for the end user. Conversely, if your systems are too user friendly, it makes it too easy for hackers to exploit them.
Unfortunately, there is no "one size fits all" solution when it comes to security. The best we can do is to try and have a balanced solution that will hopefully work for the bulk of our users. A "hope for the best, but prepare for the worst" scenario works well.
1) "Pattern password": A friend of mine shared a clever way to remember complex random passwords. His suggestion was to draw a pattern on the keyboard, such as a dragon or a face, and use it to create the password. This helps randomize the password while still allowing the user to visualize it.
2) Do not share passwords: Passwords are only as secure as the weakest link. You may be vigilant about keeping your password secure, however if you share your password with another person, they may not share the same safety procedures as you.
3) Try to have different passwords for different sites: If your email password is different from your Facebook password and your Twitter password, for example, and one account becomes compromised, the attacker will not have the "keys to the castle" to potentially compromise all of your online accounts.
4) Two-factor authentication: More sites are beginning to implement this as an option. In addition to the regular password you enter, you'll be required to enter a second, randomly generated rolling password. With Google, this will be a text message sent to your phone. For Microsoft, it's an app on your phone that changes the pass code every few seconds. https://www.google.com/landing/2step/#tab=how-it-works
I hope this guide was informative and, as always, I'm happy to hear feedback, questions, and comments. Be safe out there.