Hello and welcome to another Application of the MITRE ATT&CK Framework discussion. Today we're going to be looking at our case study on credential access. So this might be old news, but it's still a relevant discussion,
and something that I'm sure you hear about in your information security journey all the time
is time to crack passwords. Now, today we're going to do a quick comparison of the time it takes to crack passwords versus an attacker with a match. So, five characters: 50.3 seconds. Seven is nine minutes. Eight is 2.6 days. Nine characters, 9.1 years.
Strong, complex passwords: 7.5 million years. Attacker who stole your password?
So there's a stark difference here between five characters and the attacker that stole your password, in that
it's probably just as easy for them to guess the five-character password or brute-force it as it is to steal it. But in this case, the first two categories, really, five characters, seven characters, and stealing the credentials from another source,
seem to be of minimal effort. Now, once we get to eight characters, nine characters, 12 characters, it starts to go up to days of time, depending on the threat actor and what they're doing.
That may not be worth it. So
really, though, this is all to say that if you reuse credentials,
it doesn't matter if you've got a 12-character password; that can be the end of you. So let's really get to the point of the matter in the discussion.
Do you change passwords often enough to subvert a threat actor's attempts to log in with stolen credentials? Because that's really what we're looking at here,
right? And the other side to that, too, is that if your credentials were stolen and it's not from your system
that you're logging in to day in and day out, did you reuse those credentials?
Right. So if you reuse credentials on another site and that party is compromised,
it doesn't matter how secure the password is that you log in with. If it's across multiple systems, you increase the risk of the password being stolen and thereby being used to get into other systems.
Do you have password monitoring measures in place to tell you when a user might be reusing their password,
right? So some companies use password vaults and things of that nature that tell them when a user is reusing credentials across multiple systems, multiple accounts, whatever the case may be. So it's beneficial to ensure that documentation and training is clear on the dangers of password reuse
and what that could mean for the security of an organization.
And then, have you done a search recently for passwords across your file shares?
So if you're an administrator, I challenge you this week to get on your file share and just do a quick search across the drive and look for "passwords" or "password" or "pass". You might be surprised how many Excel spreadsheets, text documents and little notes
are floating around on your domain that include all of the user's credentials for multiple accounts.
This is not secure. If a threat actor gets on this system and skims for the same type of nomenclature, "password", and they scrape all of those documents out into a remote share or something,
I mean, you know, you've got more than just one account to fix at that point. So do a little digging, and then, if it's against company policy, help users to find a way to secure that information and get it off those drives. So with that in mind, I want to thank you for your time today,
and I look forward to seeing you again soon.
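One way to run the file-share sweep the speaker challenges administrators to do, as an added example that is not code from the video: a Python script that walks a share, flags files whose names or plain-text contents mention password terms, and reports only the location of each hit so the report itself never copies a credential. The keyword list, the text-file suffixes, and the sample share it builds are my own assumptions; the sample files are constructed and fictional.

```python
import re
import tempfile
from pathlib import Path

# Terms the talk suggests searching for ("password", "pass"); \b keeps "compass"/"bypass" out of the results.
KEYWORDS = re.compile(r"\b(pass(word|wd|phrase)?|pwd)", re.IGNORECASE)
# Only plain-text formats are opened; spreadsheets and office documents are flagged by filename only.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".ini", ".cfg", ".conf", ".log", ".ps1", ".bat", ".json"}
MAX_BYTES = 5 * 1024 * 1024  # skip very large files so a sweep of a whole share stays cheap


def scan_share(root):
    """Walk root and return sorted (relative_path, kind) pairs for manual triage.

    kind is "filename" when the name itself mentions a password term and
    "content" when a text file contains one. Only the location is reported,
    never the matching line, so the report does not leak what it found.
    """
    root = Path(root)
    findings = set()
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if KEYWORDS.search(path.name):
            findings.add((rel, "filename"))
        if path.suffix.lower() not in TEXT_SUFFIXES or path.stat().st_size > MAX_BYTES:
            continue
        try:
            with path.open("r", encoding="utf-8", errors="replace") as fh:
                if any(KEYWORDS.search(line) for line in fh):
                    findings.add((rel, "content"))
        except OSError:
            pass  # unreadable file: leave it for a manual check
    return sorted(findings)


def build_sample_share(root):
    """Create a constructed, fictional share layout to demonstrate the sweep."""
    root = Path(root)
    (root / "HR").mkdir(parents=True)
    (root / "HR" / "Passwords.xlsx").write_bytes(b"PK\x03\x04")  # flagged by name only
    (root / "notes.txt").write_text("vpn login: jdoe / password: hunter2\n")  # fictional
    (root / "compass.txt").write_text("heading north\n")  # must not match
    (root / "README.md").write_text("Project overview, nothing sensitive.\n")
    return root


def demo():
    """Build the sample share in a temporary directory and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share(build_sample_share(tmp))


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:8} {rel}")
```

Expect false positives (a "pass" in ordinary prose) and treat the output as a triage list; the point is to find and move the documents, not to read the credentials out of them.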