Password Cracking 101: Attacks & Defenses Explained | BeyondTrust (2024)

Password Cracking Defined

Password cracking (also called password hacking) is an attack vector in which attackers attempt to recover or guess a password in order to authenticate without authorization. It combines programmatic techniques, manual steps, and automation with specialized tools; these tools are referred to as ‘password crackers’, and they increasingly use AI and machine learning to improve cracking speed and efficiency. Passwords can also be stolen outright by other means, such as memory-scraping malware, shoulder surfing, third-party breaches, and information-stealing malware such as RedLine.

A password can refer to any string of characters or secret used to authenticate an authorized user to a resource. Passwords are typically paired with a username or other mechanism to provide proof of identity. This combination is referred to as credentials.

Compromised passwords are involved in most breaches today. In fact, Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches leveraged stolen credentials. And, according to the IBM X-Force Threat Intelligence Index 2024, there was a 71% increase year over year in the volume of attacks using valid credentials. This reflects the trend of attackers shifting to identity-based attacks over traditional vulnerability exploits as the identity attack surface has multiplied and grown by leaps in complexity.

When a compromised account has privileges, the threat actor can easily circumvent other security controls, perform lateral movement, and compromise other passwords. This is why highly privileged credentials are the most important of all credentials to protect. With that said, almost any identity today will have some path to privilege via various SaaS accounts, blurring the definition of what a privileged identity means today.

This in-depth blog highlights password vulnerabilities and risks that give attackers an edge, and provides an overview of password cracking motives, techniques, tools, and defenses.

Passwords: A Brief History Lesson

Humans have relied on passwords since the early days of civilization. A “Pass Word” was a word that allowed the user to pass a security checkpoint and dates back to the Roman Empire. Unlike today, the password would have been the same for everyone. It wasn’t a proof of identity, but tantamount to a role-based access control. In other words, it represented a ‘claim’ you were authorized for access to the resource, but could not validate your actual identity. The problem is that this method relies entirely on those who know the password to keep it a secret.

Passwords have long been recognized as the Achilles’ heel of identity security, and the death of the password and the emergence of a passwordless future has been predicted for decades. Yet, the number of enterprise identities is on a vertiginous climb, primarily driven by the explosion of machine identities. A Venafi study estimated the number of machine identities at 250,000 per enterprise, following a 41% year-over-year increase. Various other studies in recent years have estimated machine identities outnumber human ones by a ratio of several dozen to 1.

While passwordless approaches are gaining momentum, they remain niche for modern systems, have difficulty being adapted to legacy technology, and often possess password characteristics themselves. However, one welcome shift is that, today, a password is less likely to be used as the sole security mechanism due to technology like biometrics and multifactor authentication (MFA).

Understanding Password Hacking Psychology

Valid credentials (username and password) enable a typical user to authenticate against a resource. If a username is known to threat actors, obtaining the account’s password becomes a hacking exercise.

Often, a threat actor will first target a systems administrator since their credentials may have privileges to directly access sensitive data and systems. Such privileged credentials enable the cybercriminal to move laterally, while arousing little or no suspicion, and even compromise other accounts to maintain persistence. Once a threat actor has compromised credentials, everything privileged to that account is now fair game for the attacker.

Credentials compromised for the most sensitive accounts (domain, database administrator, etc.) can be a “game over” event for some companies. Those accounts, and their credentials, are a prime attack vector for privilege escalation attacks.

Attackers Have the Advantage

Attackers typically hold at least two advantages over defenders:

1. Time on their hands: they can spread attempts out over weeks in a scatter-gun approach rather than launching an all-at-once attack that trips multiple security alarms.

2. Automated password cracking toolsets, increasingly powered by machine learning (ML) and AI, that run the attack autonomously and pace it to avoid detection.

Password crackers can try passwords at a slow, measured pace to avoid triggering account lockouts on individual accounts. If a cracker tries only one password every 10 minutes against a single account, working through a list of 100,000 passwords takes almost two years. So, sensibly, the attacker instead tries each password against every account they know of, often in a random order (a spray attack). This is effective because few systems correlate failed attempts across accounts: the per-account lockout counter never reaches its threshold. Even where a Security Information and Event Management (SIEM) or User and Entity Behavior Analytics (UEBA) system is watching, the defensive options are limited. You can’t lock out every account, and blocking the source IP address merely results in a new IP taking up the attack, if the attempts aren't already distributed across hundreds or thousands of addresses.

The optimal defense against this kind of attack is simply not to use a password that appears on such a list. Frequent forced password changes trigger our laziness, so “password” becomes “p@ssw0rd” and then “Password!”. Every password cracker is aware of these habits. Replacing letters with numbers and symbols (3 for E, 4 for A, @ for a) is equally predictable, and cracking tools apply exactly these substitutions as rules when generating candidates.

Attackers seek to learn the target’s password policy: minimum and maximum length, and which character classes (upper-case letters, lower-case letters, numbers, symbols) are required or permitted. They are equally interested in any further restrictions, such as:

  • Requiring at least one upper-case letter
  • Forbidding a leading number or symbol
  • Requiring a minimum number of characters of a particular type or language

Every such rule removes candidates that can never be a valid password, so it shrinks the keyspace the attacker has to search rather than enlarging it. Password cracking tools accept these policy constraints (as masks or candidate filters) so that impossible candidates are never generated, which expedites the attack.

For individual users and personal accounts, it’s unlikely this kind of attack is successful. Attacks on a single account are likely to trigger a lock-out. A brute-force attack at a low velocity could literally take forever to find the right login combination, even for relatively short passwords.

Password hacking tools are ideal for automated password guessing of multiple accounts, but equally adept at trawling through data looking for common themes, phrases, and information.

Common Password Attack Methods

In this section, we will look at common password cracking techniques. Some of these techniques overlap in tools and methodologies, and attackers often blend multiple, complementary tactics to improve their chances of success.

One of the most popular password attack techniques is simply guessing the password.

Most of today’s systems take mercy on humans as we have countless passwords to remember. The systems permit us to make some mistakes, without locking us out of our account. When lockouts do occur, they generally last less than 30 minutes.

1. Random Guesses

Usernames are the portion of credentials that do not change, and are also highly predictable, regularly taking the form of first initial plus surname. Usernames are commonly an email address, something widely communicated. An attacker now has half the details needed to log into many of your systems. All that’s missing is the password.

A random password guess rarely succeeds unless it’s a common password or based on a dictionary word. Knowing information about the target identity enhances the likelihood of a successful guess by a threat actor. This information is gathered from social media, direct interaction, deceptive conversation, or even data aggregated from prior breaches.

The most common variants for passwords susceptible to guessing include these common schemas:

  • The word “password” or basic derivations like “p@ssw0rd”
  • Derivations of the account owner’s username, including initials. This may include subtle variations, such as numbers and special characters.
  • Birthdays (in various formats) of the user or their relatives, most commonly their children, or other significant dates
  • Memorable places or events
  • Relatives’ names, alone or combined with numbers or special characters
  • Pets, colors, foods, or other important items to the individual

While automated password cracking tools are not necessary for password guessing attacks, they will improve the success rate.

Password guessing attacks tend to leave evidence in event logs and result in auto-locking of an account after “n” attempts. When account holders reuse passwords across multiple resources with poor password hygiene practices, the risks of password guessing and lateral movement dramatically increase.

2. Dictionary Attacks

Dictionary attacks are an automated technique utilizing a password list against a valid account to reveal the password. The list itself is a dictionary of words. Basic password crackers use lists of common single words, like “baseball,” to crack a password, hack an account, and launch the nefarious mission of the threat actor.

If the threat actor knows the targeted account's password length and complexity requirements, the dictionary is customized to the target. Advanced password crackers often use a dictionary and mix in numbers and symbols to mimic a real-world password with complexity requirements.

An effective dictionary attack tool lets a threat actor:

  • Set complexity requirements for length, character requirements, and character set
  • Manually add words and combinations of words/names customized for the target
  • Target common misspellings of frequently used words that may have symbols replaced or added
  • Operate in multiple languages

A weakness of dictionary attacks is that they can only find passwords derived from words in the attacker’s list by rules the attacker thought to apply. A password that is an invented string, mixes several languages, or joins several unrelated words or a phrase is far less likely to fall to a plain dictionary attack, although combinator and rule-based attacks narrow that gap.

The most common mitigation against online dictionary attacks is an account lockout policy. After “n” wrong attempts, the account is automatically locked for a period of time and, after multiple lockouts, requires human intervention: the account must be unlocked by an authority such as the help desk or an automated password reset solution. However, lockout is sometimes disabled, and it does nothing against an offline attack on stolen hashes. Thus, if logon failures aren't monitored in event logs, a dictionary attack remains an effective attack vector for a threat actor.
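The offline form of the attack described above, as an added example that is not part of the original article: a small word list is expanded with the case, leet and suffix rules mentioned earlier and every candidate is hashed and compared against a set of stolen hashes. The word list, the rules and the target hashes are constructed for the demo (SHA-256 of passwords chosen here, not data from any breach); nothing rate-limits the attacker because the hashes are already in hand.

```python
"""Rule-based dictionary attack against unsalted password hashes.

Added example, not from the article. The word list, the mangling rules and the
target hashes are constructed for the demo: the hashes are SHA-256 of passwords
chosen here, not data from any real breach.
"""
from __future__ import annotations

import hashlib
from typing import Iterable, Iterator

# Substitutions and suffixes crackers try first, because users do the same.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})
SUFFIXES = ("", "1", "123", "!", "2024", "!1")


def sha256_hex(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield the predictable variants of one base word: case changes,
    leet substitutions, then common suffixes appended to each."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(wordlist: Iterable[str], target_hashes: set[str]) -> dict[str, str]:
    """Return {hash: cracked_password} for every target hit by a mangled candidate.

    This is the offline case: the attacker holds the hashes, so no lockout applies
    and each candidate costs exactly one hash computation.
    """
    found: dict[str, str] = {}
    remaining = set(target_hashes)
    for word in wordlist:
        for candidate in mangle(word):
            h = sha256_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.discard(h)
                if not remaining:
                    return found
    return found


# Constructed demo data: a tiny word list and the hashes of four chosen passwords.
SAMPLE_WORDLIST = ["password", "baseball", "dragon", "summer"]
SAMPLE_PASSWORDS = ["p@ssw0rd", "Baseball123", "DRAGON!", "correct-horse-battery-staple"]
SAMPLE_TARGETS = {sha256_hex(p) for p in SAMPLE_PASSWORDS}


if __name__ == "__main__":
    cracked = dictionary_attack(SAMPLE_WORDLIST, SAMPLE_TARGETS)
    for h in sorted(SAMPLE_TARGETS):
        print(h[:16], "->", cracked.get(h, "(not cracked)"))
    print(f"{len(cracked)}/{len(SAMPLE_TARGETS)} recovered")
```

Three of the four constructed hashes fall to a four-word list because they are base words plus the rules; the multi-word passphrase survives, which is the point made above about fictitious or multi-word passwords. Real tools (hashcat, John the Ripper) ship rule files with thousands of such transformations and run them on GPUs rather than in Python.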

3. Brute Force

Brute force password attacks use a programmatic method to try every possible combination for a password. The method is efficient for passwords that are short and drawn from a small character set. Its feasibility depends on the character set, the length, and above all on whether the attack is online (rate-limited by the target and its lockout policy) or offline against stolen hashes, where a fast, unsalted algorithm such as NTLM or MD5 lets a single GPU test billions of candidates per second. Each extra character multiplies the work by the size of the character set, so long passwords, or passwords protected by a deliberately slow hash, push the attack out of reach even for the fastest modern systems.

For example, a seven-character password drawn from a single case of the 26-letter alphabet has 26^7 = 8,031,810,176 possible values, so the attacker needs at most that many guesses (half that on average). This assumes the attacker knows the password length and the character set. Adding digits, mixed case, the special characters of the local language, or one more character of length multiplies that figure.

With the proper parameters dialed in, a brute force attack will always find the password eventually. The computing power and time required often render the result moot by the time the attack completes, because the password has since been changed. The time it takes is the size of the keyspace divided by the rate at which candidates can be tested: the hash rate of the attacker’s hardware for an offline attack, or the target system’s response time and throttling (over serial or multithreaded requests) for an online one.

Brute force password attacks tend to be the least efficient method for hacking a password. Thus, threat actors use them as a last resort.
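The arithmetic behind the 8,031,810,176 figure above, and behind the earlier point that policy rules shrink the keyspace, as an added example that is not part of the original article. It counts the candidates for a given length and character set, applies two assumed policy rules (must contain an upper-case letter, must not start with a digit) by inclusion/exclusion, cross-checks that count by enumeration for a tiny length, and converts the keyspace into worst-case time at three assumed guess rates. The rates and the policy are illustrative assumptions, not measurements.

```python
"""Keyspace and brute-force cost arithmetic for a password policy.

Added example, not from the article. The policy rules, the candidate guess
rates and the lengths below are illustrative assumptions chosen for the demo.
"""
from itertools import product
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
ALNUM = LOWER + UPPER + DIGITS                       # 62 symbols

# Assumed guess rates (candidates per second) for the time estimates.
EXAMPLE_RATES = {
    "online, one guess every 10 minutes per account": 1 / 600,
    "offline, fast unsalted hash on one GPU (assumed 1e10/s)": 1e10,
    "offline, slow KDF such as bcrypt (assumed 2e4/s)": 2e4,
}


def keyspace(charset_size: int, length: int) -> int:
    """Candidates when every position may hold any of charset_size symbols."""
    return charset_size ** length


def constrained_keyspace(length: int, require_upper: bool, no_leading_digit: bool) -> int:
    """Candidates over [a-zA-Z0-9] that satisfy the policy, by inclusion/exclusion.

    Every rule the attacker learns removes candidates they never have to try.
    """
    first = len(ALNUM) - (len(DIGITS) if no_leading_digit else 0)
    total = first * len(ALNUM) ** (length - 1)
    if require_upper:
        # remove the candidates with no upper-case letter in any position
        total -= (first - len(UPPER)) * (len(ALNUM) - len(UPPER)) ** (length - 1)
    return total


def enumerate_constrained(length: int, require_upper: bool, no_leading_digit: bool) -> int:
    """Same count by exhaustive enumeration; only practical for tiny lengths,
    used here to cross-check the closed form."""
    count = 0
    for cand in product(ALNUM, repeat=length):
        if no_leading_digit and cand[0] in DIGITS:
            continue
        if require_upper and not any(c in UPPER for c in cand):
            continue
        count += 1
    return count


def worst_case_seconds(candidates: int, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace; on average the password falls at half this."""
    return candidates / guesses_per_second


def describe(seconds: float) -> str:
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # 7 letters from a single case: 26**7 candidates, the figure quoted in the text.
    print("26^7 =", f"{keyspace(26, 7):,}")
    for length in (7, 8, 12):
        free = keyspace(len(ALNUM), length)
        policed = constrained_keyspace(length, require_upper=True, no_leading_digit=True)
        print(f"\nlength {length}: {free:,} unconstrained, {policed:,} under the policy "
              f"({100 * (free - policed) / free:.1f}% of the keyspace pruned)")
        for label, rate in EXAMPLE_RATES.items():
            print(f"  {label}: {describe(worst_case_seconds(policed, rate))}")
```

Running it shows the two lessons in numbers: at the online rate even a tiny keyspace takes years, while at the assumed GPU rate an eight-character alphanumeric password is exhausted in hours and only a slow KDF or much greater length moves it back to years.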

4. Credential Stuffing

Credential stuffing is an automated hacking technique that utilizes stolen credentials. These credentials are comprised of lists of usernames, email addresses, and passwords. Attackers often purchase “combo lists” on the dark web that provide these prepackaged email/password combos. The technique generally leverages automation to submit login requests directed against an application and to capture successful login attempts for future exploitation.

Credential stuffing attacks do not attempt to brute force or guess any passwords. The threat actor automates authentication based on previously discovered credentials using customized tools, typically with passwords obtained from the dark web from previous third-party breaches. This approach can entail launching millions of attempts to determine where a user potentially reused their credentials on another website or application.

Credential stuffing attacks prey on password reuse. These attacks only succeed because so many users reuse the same credential combinations across multiple sites without any form of MFA.

5. Password Spraying

Password spraying is a credential-based attack that attempts to access many accounts by using a few common passwords. Conceptually, this is the opposite of a brute force password attack. Brute force attempts to gain authorized access to a single account by repeatedly pumping large quantities of password combinations.

Over the past year, password sprays have regained prominence. Midnight Blizzard breached Microsoft by compromising a legacy, non-production test environment with an unsophisticated password spray attack. Cisco and Okta are also warning of large-scale password spray attacks leveraging a range of residential proxies to evade detection.

During a password spray attack, the threat actor attempts a single, commonly used password (such as “12345678” or “Passw0rd”) against many accounts before proceeding to attempt a second password, thus avoiding account lockouts.

The threat actor tries every user account in their list with the same password before resetting the list and trying the next password. This technique minimizes the risk of the threat actor's detection and lockouts on a single account due to the time between attempts.

With poor password hygiene by any one user on any single account, the threat actor will likely succeed in getting into the resource. This is exactly how the Midnight Blizzard intrusion at Microsoft began.
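Detection logic for the pattern described here and in "Attackers Have the Advantage" above (few systems correlate failures across accounts), as an added example that is not part of the original article. It runs over constructed log lines: a legitimate user mistypes twice, and one source tries a single password against five accounts and then logs in as a sixth. A per-account counter never reaches a lockout threshold, but counting distinct accounts failing per source in a sliding window does, and a source-agnostic variant catches the same spray when it is spread across rotating proxies. The log format, host addresses, user names and thresholds are assumptions for the demo.

```python
"""Spotting a password spray in authentication logs.

Added example, not from the article. The log format, the hosts, the user names
and the thresholds are constructed for the demo; adapt the regex to your own
authentication events.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

# Constructed sample: alice mistypes twice and succeeds; 203.0.113.7 tries one
# password against five accounts (one failure each) and gets in as frank.
SAMPLE_LOG = """
2024-05-01T09:58:40Z src=198.51.100.2 user=alice result=FAIL
2024-05-01T09:58:52Z src=198.51.100.2 user=alice result=FAIL
2024-05-01T09:59:03Z src=198.51.100.2 user=alice result=OK
2024-05-01T10:00:05Z src=203.0.113.7 user=alice result=FAIL
2024-05-01T10:01:10Z src=203.0.113.7 user=bob result=FAIL
this line is malformed and must be skipped
2024-05-01T10:02:15Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T10:03:20Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T10:04:25Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T10:05:30Z src=203.0.113.7 user=frank result=OK
""".strip().splitlines()


def parse(lines):
    """(timestamp, src, user, result) tuples, time-ordered; malformed lines are dropped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return sorted(events)


def max_failures_per_account(events) -> int:
    """What a per-account lockout policy sees: the busiest single account."""
    counts = Counter(user for _, _, user, result in events if result == "FAIL")
    return max(counts.values(), default=0)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Per source: distinct accounts failing inside one sliding window.
    Returns [(src, window_start, distinct_accounts)] for sources over threshold."""
    fails_by_src = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
    alerts = []
    for src, fails in fails_by_src.items():
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts.append((src, start, len(users)))
                break
    return alerts


def detect_distributed_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Same signal without trusting the source address (proxies rotate it):
    many distinct accounts failing in one window, each only a few times."""
    fails = [(ts, user) for ts, _, user, result in events if result == "FAIL"]
    for i, (start, _) in enumerate(fails):
        in_window = Counter(u for t, u in fails[i:] if t - start <= window)
        low_and_wide = [u for u, n in in_window.items() if n <= max_per_account]
        if len(low_and_wide) >= min_accounts:
            return (start, len(low_and_wide))
    return None


def successes_from(events, sources):
    """Accounts the sprayer actually got into: OK logins from an alerting source."""
    return sorted({user for _, src, user, result in events if result == "OK" and src in sources})


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    print("max failures on one account:", max_failures_per_account(events), "(a lockout at 5 never fires)")
    alerts = detect_spray(events)
    for src, start, n in alerts:
        print(f"spray from {src} starting {start:%H:%M:%S}: {n} distinct accounts")
    print("distributed view:", detect_distributed_spray(events))
    print("compromised:", successes_from(events, {a[0] for a in alerts}))
```

The successful login from an alerting source is the most valuable line in the output: it tells the responder which account to reset first. In a SIEM the same two queries are a group-by on source and on time window rather than Python loops.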

Social Engineering & Human-Based Attacks

Social engineering attacks include variations of phishing emails, vishing (voice calls), password reset attacks, and even deepfake threats. These attacks entail learning as much as possible about the target so that the cybercriminal can make educated guesses about the target’s passwords.

Names of pets, children, spouse, addresses, birthdays, hobbies, friends are the most valuable information available to the threat actors. Factor in favorite movies, TV shows, authors, bands, actors, and more, and most social media accounts become an information gold-mine.

1. Phishing & Vishing

Phishing and vishing (voice calls) are often leveraged for information gathering for other attacks, as well as to plant malicious software (via attachments or links) on an endpoint. This malware could be used to siphon off passwords.

Phishing emails or vishing can also be a part of a spoofed password reset attack. One common tactic is for a phishing email to provide a link to click on for the purposes of resetting an account password. The attackers may claim this is due to potential compromise of an old password. The email may bear the logo and likeness of a merchant, such as a bank, retailer, or service provider. However, the link in the email routes the victim to a fraudulent password reset interface, and the attacker collects the legitimate password there to log into the victim’s real account. For an employee, a fraudulent password reset email could even appear to come from the corporate help desk itself, when skillfully crafted (this type of phishing attack would have a high difficulty rating on the NIST Phish Scale).

These attacks are a constant reminder of why end-user training is so important. Users should always verify that requests arriving by email or phone are legitimate before acting on them.

2. Forced, Automated Password Changes and Resets

Unfortunately, there is a common risk in resetting passwords that makes even automated password resets targets for threat actors. Resetting a password is the act of a forced password change by someone else, such as from the service desk or an application owner. This change is not initiated by an end user.

Automated password reset risks include:

  • Passwords reset via email or text message and kept by the end user
  • Passwords reset by the help desk are reused every time a password reset is requested
  • Password resets blindly given due to account lockouts
  • Passwords verbally communicated can be heard aloud
  • Complex password resets written down by the end user
  • Pattern-based passwords a user predictably uses when reset

Anytime a password is reset, there is an implicit acknowledgment that the old password is at risk and needs to change. Perhaps it was forgotten, expired, or triggered a lockout due to numerous failed attempts. The reset, transmission, and storage of the new password poses a risk until the password is changed by the end user. Of course, sometimes the end user neglects to change the password at all.

Once an identity is compromised (for example, the mailbox that receives reset links), threat actors can request password resets for other accounts and set their own password on each.

Password reset best practices:

  • The password should be random and exceed the complexity requirements per business policy.
  • The password should be changed by the end user after the first logon and require two-factor or multi-factor authentication to validate for every subsequent request.
  • Password reset requests should always come from a secure location and automation should be monitored.
  • Public websites for businesses (not personal) should require additional verification for any ‘Forgot Password’ links.
  • Password resets via email assume the end user still has access to email to access the new password. If the email password itself requires resetting, another transmission method must be established. This typically should involve human intervention.
  • Do not use SMS text messages—they are insufficiently secure for sending password reset information.
  • If possible, password resets should be ephemeral: the temporary credential should only be valid for a predefined duration. If the end user has not used it within that time, it expires and the account remains locked until a new request is made.
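One way to implement the random, ephemeral and single-use requirements from the list above, as an added example that is not the article’s or any vendor’s code. A reset token is drawn from the OS random source, stored only as a hash (so a leaked table cannot be used to reset accounts), bound to one user, expires after a fixed lifetime, and is consumed on the first attempt whether or not that attempt succeeds. A temporary password generator that guarantees every character class is included for the help-desk case. The in-memory store, the 15-minute lifetime, the 20-character length and the injectable clock are assumptions made for the demo.

```python
"""Ephemeral, single-use password reset tokens and random temporary passwords.

Added example, not from the article. The in-memory store, the 15-minute
lifetime, the 20-character temporary password and the injectable clock are
assumptions made for the demo; a real deployment would back the store with a
database and deliver the token through a verified channel.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import string
import time

TOKEN_TTL_SECONDS = 15 * 60      # assumed policy: a reset link is valid for 15 minutes
TEMP_PASSWORD_LENGTH = 20


def generate_temporary_password(length: int = TEMP_PASSWORD_LENGTH) -> str:
    """Random temporary password from the OS CSPRNG, guaranteed to contain a
    lower-case letter, an upper-case letter, a digit and a symbol."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_"]
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


class ResetTokenStore:
    """Tokens are stored only as SHA-256 digests, expire after TOKEN_TTL_SECONDS,
    and are consumed on first use whether or not the attempt succeeds."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending: dict[str, tuple[str, float]] = {}   # digest -> (user, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user: str) -> str:
        """Create a fresh token for user; any earlier token for that user is voided."""
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user}
        token = secrets.token_urlsafe(32)                  # 256 bits of entropy
        self._pending[self._digest(token)] = (user, self._now() + TOKEN_TTL_SECONDS)
        return token                                        # hand to the delivery channel; never log it

    def redeem(self, user: str, token: str) -> bool:
        """True only if the token exists, belongs to user and has not expired.
        The entry is removed on any attempt, so a token can never be replayed."""
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False
        owner, expires_at = entry
        owner_ok = hmac.compare_digest(owner.encode(), user.encode())
        return owner_ok and self._now() <= expires_at


if __name__ == "__main__":
    clock = [time.time()]
    store = ResetTokenStore(now=lambda: clock[0])
    token = store.issue("alice")
    print("temporary password:", generate_temporary_password())
    print("first redeem :", store.redeem("alice", token))    # True
    print("replay       :", store.redeem("alice", token))    # False, already consumed
    token = store.issue("bob")
    clock[0] += TOKEN_TTL_SECONDS + 1
    print("after expiry :", store.redeem("bob", token))      # False
```

Consuming the entry before checking owner and expiry is deliberate: anyone who can present the token value has already obtained it, so a mismatched attempt fails closed and the legitimate user must request a new one rather than inherit a token that has been seen by someone else.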

Changing passwords frequently is a security best practice for privileged accounts (as opposed to personal or consumer accounts). However, resetting passwords and transmitting them through unsecure mediums is not. For the individual, a simple password reset can be the difference between a threat actor owning your account and a legitimate password request.

3. Eavesdropping

Password eavesdropping refers to a password being captured by a threat actor at the moment it is disclosed. It may be inadvertent or intentional, and it covers both a password spoken aloud and a password transmitted digitally and intercepted along the way.

Hopefully, no one in your business is shouting passwords across the office, but some organizations still use voice calls to help desks to reset passwords. During these help desk calls, the updated password may be spoken to the user. It’s important that the user is prompted to reset the password upon first login, after using the temporary one from the help desk. This step mitigates the risk, as an eavesdropper cannot use the new password without revealing their activity.

Of course, voice is not the only way we "announce" our passwords. How many of us use Bluetooth keyboards that are transmitting our key presses over the air? While we take for granted the security of the transmission, it’s possible to compromise some types of Bluetooth communications.

In the early days of computing, you needed to physically connect to the machine you were accessing, and the systems you were authenticating to were running locally. Now, we regularly authenticate into systems on the other side of the world, and increasingly into systems that are not even ours. Our passwords are transmitted electronically through many systems to reach their destination and, absent proper encryption and other protections, may be vulnerable to eavesdropping through wiretapping or wireless packet capture.

4. Shoulder Surfing

Shoulder surfing enables a threat actor to gain knowledge of credentials through observation. This includes observing passwords, pins, and swipe patterns as they are entered, or even a pen scribbling a password on a sticky note.

The concept is simple. A threat actor physically observes or uses an electronic device like a camera to collect passwords and use them for an attack. This is why, when using an ATM, it's recommended to shield the entry of your PIN on a keypad. This prevents a nearby threat actor from shoulder surfing your PIN.

5. Passwords for Purchase

While password lists, hash tables, and rainbow tables are available on the dark web, users sometimes sell their own companies' credentials as a part of an insider attack. In fact, a rogue insider could sell credentials and claim they were breached, giving them plausible deniability. This insider threat is of particular concern with privileged users, whose credentials could give access to the enterprise’s most sensitive assets.

The most effective way to address the risk of privileged credential compromise is to remove direct access and implement privileged access management (PAM) to safeguard the most sensitive accounts. All sessions relating to highly privileged accounts should be routed through a system that facilitates access, but without revealing actual credentials.

Hash-Based Attacks

When an attacker manages to gain access to a system or website, they often aspire to steal the database containing the usernames and passwords of everyone who uses the application. Even when the passwords themselves are not stored in readable form, the database holds their hashes, and a stolen password database provides at least three big benefits to the attacker:

  1. Discovery of highly privileged user credentials that can be used to interact with the system or communicate machine-to-machine to other resources
  2. A rich trove of credentials, probably used across multiple systems for authentication and authorization
  3. The database can be attacked offline, without concern for any controls around the number or frequency of login attempts

Today, it’s unusual to find systems that store user passwords in plaintext; attackers instead encounter a list of hash values. A hash function is one-way: unlike encryption, there is no key that turns the hash back into the original password. The attacker’s only option is to identify the hash algorithm (and any salt) in use, compute the hashes of candidate passwords, and compare them against the stolen list. This process is called "hashing," and the stored values are called "hashes."

Let’s take a closer look some common types of hash-based attacks:

1. Pass-the-Hash Attack

Pass-the-Hash (PtH) is a technique that allows an attacker to authenticate to a resource by using the underlying NT LAN Manager (NTLM) hash of a user’s password, in lieu of using the account’s actual human-readable password. Once obtained, a valid username and hash can be used to authenticate to a remote server or service using LM or NTLM authentication.

A PtH attack exploits a property of the NTLM protocol’s design: the password hash is the key used in the challenge-response exchange, so whoever holds the hash can authenticate, and the hash stays static for every session until the password itself changes. PtH can be performed against almost any server or service accepting LM or NTLM authentication, whether it runs Windows, Unix, Linux, or another operating system.

Malware may scrape memory for password hashes, making any active running user, application, service, or process a potential target. Once obtained, it uses command and control or other automation for additional lateral movement or data exfiltration.

While PtH attacks are most common on Windows systems, they also work against Unix and Linux hosts that accept NTLM (for example, via Samba). Modern Windows systems can defend against them in several ways, such as Credential Guard to isolate stored hashes, the Protected Users group to disable NTLM for sensitive accounts, and restricting NTLM in favour of Kerberos. Rotating the password frequently remains a good defense, because every rotation invalidates the stolen hash. Password management solutions that rotate privileged passwords automatically, including after each use, shrink the window in which a captured hash is valid.

2. Pass-the-Ticket Attack

In a Pass-the-Ticket attack, a threat actor steals a Kerberos ticket-granting ticket (TGT) or service ticket to impersonate a user on a network. When successful, the attacker is authenticated as the victim without ever knowing the password, gaining unauthorized access to every resource the ticket grants.

Tools such as Mimikatz enable threat actors to launch pass-the-ticket attacks that move through the network by copying tickets from compromised end-user machines, or from a delegated authorization server.

Cybercriminals typically launch a pass-the-ticket attack in one of two ways:

  • Stealing a Ticket Granting Ticket or Service Ticket from a Windows machine and using the stolen ticket to impersonate a user
  • Stealing a Ticket Granting Ticket or Service Ticket by compromising a server that performs authorization on the user's behalf

In a Golden Ticket attack, an attacker steals the password hash of the KRBTGT account from a domain controller. This is the key Kerberos uses to encrypt and sign Ticket Granting Tickets. With it, a threat actor can forge TGTs offline for any user, granting any level of access, with virtually unlimited lifetimes, until the KRBTGT password is changed (twice, so that the old key is fully retired).

Protection against pass-the-ticket threats requires multiple controls. Strong privileged account and session management (PASM) can enforce frequent password rotations and eliminate shared passwords. Layering on endpoint privilege management (EPM) can enforce least privilege to further reduce the number of allowable privileged logins and to restrict lateral movement. Identity threat detection and response (ITDR) capabilities can rapidly pinpoint anomalous activity and orchestrate a response to prevent or limit damage.

3. Kerberoasting Attack

Like pass-the-ticket attacks, kerberoasting exploits the Kerberos authentication protocol. In kerberoasting attacks, threat actors target service accounts associated with Service Principal Names (SPNs), which are used to uniquely identify each instance of a service running on a system.

To launch the attack, the adversary, using any authenticated domain account, requests a Ticket Granting Service (TGS) ticket for the targeted service from the Key Distribution Center (KDC). Part of that ticket is encrypted with a key derived from the service account’s password. The attacker takes the ticket offline, where no lockout or monitoring applies, and tries candidate passwords until one decrypts it. If the password is cracked, the attacker holds the service account’s credentials and can potentially compromise the entire network through the compromised service.

Organizations can effectively protect against kerberoasting via several different security controls, particularly across the privileged access management (PAM) and ITDR disciplines. For instance, enforcing long, random passwords for service accounts, and onboarding those accounts for management (rotating credentials, etc.) and monitoring, make the offline crack impractical. ITDR can proactively identify accounts vulnerable to kerberoasting, for example SPN-bearing accounts that still permit the RC4 encryption type, which is far cheaper to crack than AES, and recommend mitigations to harden the security posture.

4. Rainbow Table Attack

Hash algorithms are few and well-known, so an attacker rarely has to guess which one was used. That leads to another tool in the attacker’s arsenal: the lookup table, a precomputed list of candidate passwords with their hashes, so a stolen hash is cracked by a simple comparison instead of a fresh computation.

A plain lookup table stores every password and hash pair for one algorithm, which quickly becomes enormous. A rainbow table is a time-memory trade-off over the same idea: candidates are linked into long chains by alternating the hash function with a "reduction" function that maps a hash back to some candidate password, and only each chain’s start and end points are stored. To crack a hash, the attacker regenerates the relevant chain. Tables are built per algorithm and per keyspace, and though far smaller than a full lookup table, they are still large files.

A common approach to defeating lookup tables and rainbow table attacks is to "salt" the hash: a unique random value is stored with each account and combined with the password before hashing. Even though the algorithm is the same, the same password produces a different hash for every user, so a table precomputed without the salt never matches. Salting renders precomputed tables useless, and a deliberately slow algorithm (bcrypt, scrypt, Argon2, PBKDF2) limits how fast the attacker can compute fresh hashes per user. Long, unique passwords and multi-factor authentication add further protection.
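The chain construction and the salt defense in working form, as an added example that is not part of the original article. Over a deliberately tiny keyspace (three lower-case letters) it builds chains by alternating SHA-256 with a column-dependent reduction function, stores only start and end points, recovers a covered password from its bare hash, and then shows that the same table finds nothing once a salt is mixed in. The keyspace, chain length, starting points and choice of SHA-256 are assumptions for the demo; production tables are the same construction over keyspaces of many gigabytes.

```python
"""A miniature rainbow table, and why a per-user salt makes it worthless.

Added example, not from the article. The keyspace (three lower-case letters),
the chain length, the chain starting points and SHA-256 as the target hash are
choices made for the demo.
"""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN          # 17,576 possible passwords
CHAIN_LEN = 20                              # passwords covered per stored chain


def H(password: str) -> bytes:
    """The unsalted hash the stolen database used (SHA-256 here)."""
    return hashlib.sha256(password.encode()).digest()


def salted_hash(salt: bytes, password: str) -> bytes:
    """What a salted store would hold instead: the salt changes every digest."""
    return hashlib.sha256(salt + password.encode()).digest()


def index_to_password(i: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


# Deterministic starting points: every 37th password in the keyspace.
DEFAULT_STARTS = [index_to_password(i) for i in range(0, KEYSPACE, 37)]


def reduce_(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column number gives each
    column its own reduction function, so chains that collide in one column do
    not merge afterwards: that is the 'rainbow' in the name."""
    return index_to_password((int.from_bytes(digest[:8], "big") + column) % KEYSPACE)


def walk_chain(start: str) -> list:
    """The CHAIN_LEN passwords whose hashes this chain can answer for."""
    chain = [start]
    for column in range(CHAIN_LEN - 1):
        chain.append(reduce_(H(chain[-1]), column))
    return chain


def build_table(starts) -> dict:
    """Only endpoint -> [starts] is stored; that is the time/memory trade-off."""
    table = {}
    for start in starts:
        end = reduce_(H(walk_chain(start)[-1]), CHAIN_LEN - 1)
        table.setdefault(end, []).append(start)
    return table


def lookup(table: dict, target: bytes):
    """Recover the password behind target, or None if no stored chain covers it."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        # Assume target sits at this column; finish the chain from there and see
        # whether it lands on a stored endpoint.
        p = reduce_(target, column)
        for later in range(column + 1, CHAIN_LEN):
            p = reduce_(H(p), later)
        for start in table.get(p, []):
            for candidate in walk_chain(start):         # regenerate and check each column
                if H(candidate) == target:
                    return candidate
    return None


if __name__ == "__main__":
    table = build_table(DEFAULT_STARTS)
    covered = {p for s in DEFAULT_STARTS for p in walk_chain(s)}
    print(f"{len(DEFAULT_STARTS)} chains stored, {len(covered)} of {KEYSPACE} passwords reachable")
    victim = walk_chain(DEFAULT_STARTS[3])[11]           # a password the table covers
    print("unsalted lookup:", lookup(table, H(victim)), "(expected", victim + ")")
    print("salted lookup  :", lookup(table, salted_hash(b"\x9a\x1f", victim)))
```

The stored table is a few hundred endpoint pairs rather than 17,576 hashes, and a lookup costs at most a few hundred hash computations: the trade the text describes. The salted lookup returns None because the salt moved the target outside the keyspace the chains were built over, so an attacker must redo that work per user, and a slow KDF makes each of those redone computations expensive.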

Examples of Common Password Cracking Software

A few examples of today's most notable and popular password cracking tools include:

  • Cain and Abel
  • John the Ripper
  • Hydra
  • Hashcat
  • Ophcrack

Some specialized tools, such as Wi-Fi password crackers, Windows password crackers, etc., are designed to crack specific kinds of passwords.

Today, companies frequently engage ethical hackers and penetration testers to increase the resiliency of their networks. Consequently, the availability and development of cracking software has increased for both good and nefarious purposes. Modern computer forensics and litigation support software also includes password cracking functionality to obtain evidence. The most sophisticated cracking software incorporates a mixture of cracking strategies to maximize productivity and effectiveness.

Risky Password Practices


Some password cracking techniques rely on system vulnerabilities or gaining access to a privileged account to achieve lateral movement and amass other passwords. However, most cracking relies on inadequate password hygiene, poor identity security, and absence of appropriate credential management and identity tools.

Let’s look at a few practices that make cracking passwords an easy hacking exercise.

1. Common and Reused Passwords

Humans are creatures of habit. This means there are certain words used more commonly as passwords than others.

When Game of Thrones was first screening, "dragon" rose quickly to become one of the more commonly used passwords. People frequently use the names of pets, children, spouses, and streets, as well as their birthdates.

Social media sites regularly encourage people to share the name of their favorite pet or share details from their childhood. Brilliant mechanisms to help build the lists of predictive passwords used in attacks!

Each year, lists reveal the most commonly used passwords, and certain passwords annually re-appear. Here’s the top ten list (courtesy of the CyberNews Investigation team) as of November 2023:

  1. 123456
  2. 123456789
  3. qwerty
  4. password
  5. 12345
  6. qwerty123
  7. 1q2w3e
  8. 12345678
  9. 111111
  10. 1234567890

The UK’s National Cyber Security Centre publishes a list of the 100k most commonly used passwords. These are gathered from data on Troy Hunt’s ‘Have I Been Pwned’ website. Troy aggregates the credentials revealed in successful attacks into a searchable database, which now contains information on over 11 billion accounts. That's more than one account per person on the planet! Both resources are eye-popping, and it's well worth checking your credentials from time to time.

There’s little imagination amongst the most common passwords, and those are going to be the first passwords attackers try against your accounts.
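The defensive counterpart to these lists is to screen every new password against a breached-password corpus before accepting it. The example below is added here and is not BeyondTrust's or Have I Been Pwned's code: it mimics the k-anonymity range lookup that the Pwned Passwords service exposes (the client sends only the first five hex characters of the SHA-1 hash and matches the returned suffixes locally), but it runs entirely offline against a constructed index built from the top-ten list above, so no network call is made and the "server" side is simulated by a function.

```python
import hashlib

# Constructed breached-password corpus: the article's top-ten list stands in for a real feed.
BREACHED_CORPUS = ["123456", "123456789", "qwerty", "password", "12345",
                   "qwerty123", "1q2w3e", "12345678", "111111", "1234567890"]


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_range_index(corpus) -> dict:
    """Bucket SHA-1 hashes by their 5-hex-char prefix, as a k-anonymity range service does."""
    index = {}
    for pw in corpus:
        h = sha1_upper(pw)
        index.setdefault(h[:5], []).append(h[5:])
    return index


def range_response(index: dict, prefix: str) -> str:
    """Simulated server side: 'SUFFIX:COUNT' lines for one prefix (count fixed at 1 here)."""
    return "\n".join(f"{suffix}:1" for suffix in index.get(prefix, []))


def is_breached(password: str, index: dict) -> bool:
    """Client side: only the 5-char prefix leaves the client; the suffix match is local."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_response(index, prefix).splitlines():
        candidate, _count = line.split(":", 1)
        if candidate == suffix:
            return True
    return False


def screen_new_password(password: str, index: dict, min_length: int = 8):
    """Return (accepted, reason); reject short passwords and known-breached ones."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password, index):
        return False, "appears in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    idx = build_range_index(BREACHED_CORPUS)
    for candidate in ["password", "qwerty", "correct horse battery staple"]:
        print(candidate, "->", screen_new_password(candidate, idx))
```

Against the real service the `range_response` call would become an HTTPS GET for the prefix; everything else, including the privacy property that the full hash never leaves the client, stays the same.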

2. Embedded Credentials

Embedded credentials (also called ‘hard-coded credentials’) refer to unencrypted, text-based credentials inserted within code. Embedded credentials may:

  • Come as a factory default, such as for an IoT device or first use of an application
  • Be embedded into the code by a human, such as with a DevOps tool or data repository
  • Be embedded in applications and used for app-to-app transmissions

The existence of embedded credentials presents several risks. Sometimes, credentials are embedded during development for easy access, then forgotten and published into production. Pieces of code may be shared on GitHub or another collaboration platform with sensitive passwords still embedded within. If an attacker gains access to an endpoint or system, they may be able to scan for plain text passwords. This can grant them access to sensitive assets via embedded secrets.

Default, hard-coded passwords are used across many of the same devices, applications, and systems. This helps simplify setup-at-scale, but at the risk of providing the potential for breach-at-scale.

Many types of embedded credentials (such as those within IoT) are difficult or impossible to manually remove or replace, and typically require a vendor security update to remediate or use of a specialized PAM tool.
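Because a checked-in password is exactly what both a scanner and an intruder look for, the defensive move is to run that scan yourself before code reaches a shared repository. The following is an added example, not a BeyondTrust tool or a reproduction of any existing secret scanner: it walks constructed source lines, flags assignments whose variable name suggests a credential and whose value is a quoted literal, skips template references such as `${VAR}` that point at a vault or environment instead of holding the secret, and reports the literal's Shannon entropy so reviewers can spot random-looking keys. The sample lines and the patterns are assumptions for the demonstration.

```python
import math
import re
from collections import Counter
from typing import List, Tuple

# Constructed sample source; none of these values are real credentials.
SAMPLE_SOURCE = """\
db_host = "db.internal.example"
db_password = "Summer2023!"
API_KEY = "9f4c2a7e1b0d8356f1a2b3c4d5e6f708"
smtp_password = "${SMTP_PASSWORD}"
timeout = 30
token = os.environ["SERVICE_TOKEN"]
"""

# Identifier names that suggest a credential (assumed keyword set; extend as needed).
SECRET_NAME = re.compile(r"(pass(word|wd)?|pwd|secret|token|api[_-]?key|private[_-]?key)", re.I)
# name = "literal" / name: 'literal' with a quoted string of four or more characters.
ASSIGNMENT = re.compile(r"""^\s*(?:export\s+)?(?P<name>[A-Za-z_][\w.]*)\s*[=:]\s*["'](?P<value>[^"']{4,})["']""")
# Template or placeholder references that are not secrets themselves.
PLACEHOLDER = re.compile(r"^(\$\{.*\}|<.*>|changeme|todo)$", re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, words and dates score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_embedded_credentials(source: str) -> List[Tuple[int, str, float]]:
    """Return (line number, variable name, entropy) for each suspected hard-coded credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m or not SECRET_NAME.search(m.group("name")):
            continue  # not an assignment, or the name does not look credential-related
        value = m.group("value")
        if PLACEHOLDER.match(value):
            continue  # reference to a vault/env variable, not the secret itself
        findings.append((lineno, m.group("name"), round(shannon_entropy(value), 2)))
    return findings


if __name__ == "__main__":
    for lineno, name, entropy in find_embedded_credentials(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} looks like an embedded credential (entropy {entropy})")
```

The `token = os.environ[...]` line is the pattern to migrate toward: the code names the secret but the value is injected at run time from a vault or environment, so nothing sensitive lands in the repository.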

3. Default Credentials

Default credentials are simply the factory presets. They are frequently embedded into devices and applications. Often, these defaults are shared across similar devices, and they may be well-known to threat actors. Devices, systems, and accounts with defaults are susceptible to dictionary, brute force, and many other types of attacks. If an organization has many endpoints that all share the same unchanged defaults, all such endpoints could easily be compromised en masse.

In recent years, legislation has been passed to mandate enhanced security hardening for IoT devices, including ensuring that passwords are unique upon reset or for initial configuration. While this password practice can mitigate attacks en masse, the default credential is often physically available on the device in clear text or via a QR code. This implies physical security is just as important as digital security for default credentials and device resets.

4. Reused Security Questions

Security questions are a technique primarily used by financial institutions and merchants to verify a user against their account and provide identity confidence. The concept is to challenge the user with questions whose answers are private, personal information that only the user should know.

Security questions are often required when you set up a new account. This is a form of two-factor authentication for use in case of a forgotten password. The end user may receive a prompt to respond to security questions when logging on from a new location. They also may be prompted when they select “forgot password” or when they change their password.

Some common security questions include:

  • What hospital were you born in?
  • What is the name of your favorite pet?
  • What was the make of your first car?
  • What is your favorite food?
  • What was your childhood nickname?
  • What is your favorite team?

However, these security questions themselves present risks. The answers to some of these questions may be easily found via public records, or social media. The more places and people that know a user’s security question answers, the more likely they can be answered by someone else. When security questions and their answers are stolen in a breach, they may be used to crack into other accounts.

When a resource requests that you use security questions, our recommendation is to use the most obscure questions and answers possible. Never share similar information with another site that uses the same security questions. And if possible, use the complexity requirements from passwords to supply a security question answer. For example, if you were born in Orlando, provide the security question answer of “Orl@nd0” and treat the response as a password, too.

5. Lack of Automated Password Managers

Any password practice that relies primarily or completely on humans to manage credentials and maintain best practices poses a risk. The sheer number of personal passwords, let alone enterprise account passwords, is far too high for any mere mortal to adequately manage and remember.

Relying on humans is a guarantee that passwords will be reused, and dictionary passwords will be used as well. Passwords will be embedded in code for easy access. Other risky shortcuts will be taken—this is simply human nature.

Therefore, consider secure methods for generating, storing, and retrieving all passwords.

Password Security Best Practices


1. Use Password Managers & Vaults – Not Humans

Wherever possible, rely on automated password managers rather than manual human password management. Do not store passwords in spreadsheets, word documents, embedded in code, or on paper. Password managers can ensure password management and security best practices are consistently enforced. These tools can auto-inject vaulted credentials to initiate a session. Credentials are obscured from the user, such as a vendor, to provide added security.

Personal Password Managers can be leveraged for standard passwords and account access. Privileged Password Management solutions (also referred to as Enterprise Password Management or Privileged Account and Session Management solutions) should be used for privileged credentials. Such credentials include passwords, SSH keys, and DevOps secrets for employees, vendors, humans, applications, and machines. These enterprise solutions are part of privileged access management (PAM) platforms, and are also essential for enabling a zero trust security posture. Increasingly, these platforms also secure general workforce passwords used for applications. This reflects the blurring line between privileged and unprivileged identities. For instance, cloud accounts may possess many types of permissions and entitlements, which could offer a skilled attacker a prime foothold from which to escalate access.

Enterprise password management solutions can also automate workflows to reduce exposure. This includes automatically rotating a password, if it's determined the credential was or is at risk of compromise.

2. Discover and Onboard All Passwords

When granting access to a human, machine, application, employee, or vendor, all passwords must first be known; only then can they be onboarded and centrally vaulted. In addition, all assets that use managed passwords should be known and documented to prevent inappropriate access.

3. Create Long, Random, Unique Passphrases

Strong passwords resist password cracking attempts. Passwords should be over eight characters in length and made up of both upper and lowercase letters, numbers, and symbols. Avoid using dictionary words, names, and other human-readable passphrases. Length and strength should reflect the sensitivity of the account the password is meant to protect. According to NIST Special Publication 800-63, Digital Identity Guidelines, a best practice is to generate passwords of up to 64 characters, including spaces.
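As an added illustration of the guidance above (example code, not BeyondTrust's product or a NIST reference implementation), the block below generates passwords and word-based passphrases from Python's cryptographic random source, checks a candidate against the composition rule stated in this section (more than eight characters with upper, lower, digit and symbol), and estimates entropy so the length/strength trade-off can be compared numerically. The 32-word list is a constructed stand-in; the 7776-word figure used in one calculation is the size of a typical diceware list and is an assumption, not something the article states.

```python
import math
import secrets
import string

# Constructed mini wordlist; a real generator would draw from a list of thousands of words.
WORDLIST = ["anchor", "basil", "cobalt", "delta", "ember", "falcon", "garnet", "harbor",
            "indigo", "juniper", "kestrel", "lantern", "marble", "nectar", "orchid", "pepper",
            "quartz", "ripple", "saffron", "timber", "umber", "velvet", "willow", "xenon",
            "yonder", "zephyr", "acorn", "bramble", "cinder", "dune", "ferrous", "glacier"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from a pool of `pool_size` items."""
    return picks * math.log2(pool_size)


def meets_policy(password: str, min_length: int = 9) -> bool:
    """The section's rule: over eight characters, mixing upper, lower, digits and symbols."""
    return (len(password) >= min_length
            and any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length: int = 20) -> str:
    """Random password from the CSPRNG, resampled until it satisfies the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def generate_passphrase(n_words: int = 6, sep: str = "-") -> str:
    """Random words joined by a separator; entropy comes from the list size, not the letters."""
    return sep.join(secrets.choice(WORDLIST) for _ in range(n_words))


if __name__ == "__main__":
    print("password:  ", generate_password(20),
          f"({entropy_bits(len(ALPHABET), 20):.1f} bits)")
    print("passphrase:", generate_passphrase(6),
          f"({entropy_bits(len(WORDLIST), 6):.1f} bits with this tiny list,",
          f"{entropy_bits(7776, 6):.1f} bits with a 7776-word list)")
```

The entropy figures show why length matters more than cleverness: six words from a 7776-word list carry about 77 bits regardless of how memorable the phrase reads, while a 20-character random string from 94 symbols carries about 131 bits; both comfortably exceed anything a human-chosen password of eight or nine characters provides.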

4. Encrypt passwords

Encryption adds a layer of protection for passwords, even if they are stolen by cybercriminals. Apply non-reversible, end-to-end encryption to all paths of network communication. In this way, you can protect passwords in transit over the network. For consumers, the most common way of ensuring this protection is enabling Wi-Fi encryption on the home wireless network.

5. Use Unique Passwords, Without Reusing

This simple best practice protects against a broad array of password re-use strategies and password cracking tools. Otherwise, if one account is breached, other accounts with the same credentials can easily be compromised.

6. Implement Password Expiration and Rotation Best Practices

Here the best practices have diverged, depending on whether the passwords are for personal use and/or standard accounts or whether they are for privileged access. NIST advises against changing personal passwords unless their compromise is in question. On the other hand, privileged passwords should be routinely changed (rotated). The most sensitive privileged accounts should use one-time passwords (OTPs) or dynamic secrets, which expire after each use.

7. Implement Multi-Factor Authentication

For every account, and particularly for privileged accounts and vendor/remote access, single-factor authentication (password/username pair) is insufficient. Adding additional authentication factors substantively strengthens protection and increases assurance that the identity trying to initiate access is who they say they are.

Multi-factor authentication (MFA), which incorporates additional factors such as the endpoint itself, biometrics, or authenticator applications, protects accounts against password cracking tools and guessing attacks by requiring an extra step to establish identity confidence before authentication succeeds. With that said, some forms of MFA, such as FIDO2, are stronger than others, as breaches in recent years, including those carried out via MFA fatigue attacks, have demonstrated.

8. Retire Passwords When an Employee or Vendor has Departed

It's not uncommon for former employees to try to continue to access the organization's systems. Always deprovision access and change passwords when an employee departs for all systems that may have been shared. This not only protects from attacks by the employee, but from other threat actors who might come across the orphaned accounts and credentials due to faults in a joiner, mover, and leaver process.

Pinpoint & Address Your Most Dangerous Password and Identity-Based Risks


Enterprise identity security is predicated on the consistent enforcement of password security best practices. However, taking a risk management approach, organizations must prioritize the highest-impact identities first. With so many disparate identity stores, systems, and SaaS applications (which entail tens of thousands of planes of privileges, entitlements, and permissions), this is no easy feat.

BeyondTrust’s groundbreaking Identity Security Insights was purpose-built to solve for this core identity security challenge. Organizations may have a mix of Active Directory, Entra ID, Okta, PingOne, AWS, Azure, Google Cloud, and SaaS applications that comprise their identity fabric. With Identity Security Insights, you can cohesively protect it as ONE Identity Attack Surface. The product is a key reason BeyondTrust was recently named a leader by KuppingerCole in the emerging discipline of Identity Threat Detection and Response (ITDR).

The product helps ensure proper password security and identity posture with comprehensive identity vulnerability detections, such as:

  • Non-privileged accounts that can retrieve password hashes from AD Domain Controller via a DCSync attack
  • Accounts with personal email addresses
  • Excessive permissions, privileges, and entitlements
  • Unmanaged privileged accounts
  • Privileged accounts that lack MFA
  • Non-privileged accounts with attack paths to Domain Admin for on-premises AD
  • Accounts vulnerable to Kerberoasting

Identity Security Insights also continuously monitors your identity fabric, alerting you to suspicious activities such as:

  • Password spray attacks
  • Malicious IP Sign-In
  • Excessive API Registration read events
  • Excessive managed account password read events
  • Dormant accounts that suddenly try to leverage privileged access

The product’s ability to pinpoint threats was key in galvanizing BeyondTrust’s rapid response to neutralize an attack via the Okta support breach. BeyondTrust swiftly alerted Okta to their breach weeks before Okta publicly acknowledged the attack.

BeyondTrust offers a free identity security assessment via Identity Security Insights, along with 30 days of free monitoring.

You can check out the offer here

Our customers are effectively using the solution to close identity security gaps and improve their defense against account hijacking attacks, privilege escalation attempts, unwanted lateral movement, and other identity-based threats.

Identity Security Insights also combines with BeyondTrust Password Safe and other solutions to improve the richness of context around detections, and to activate the right responses with velocity and precision.

BeyondTrust Password Safe is a comprehensive privileged account and session management solution that secures human and machine credentials, and monitors and manages every privileged session. In addition, the product extends password protection to workforce identities. The solution enables a just-in-time access model and supports zero trust security controls over privileged accounts and credentials.

Working together, Password Safe and Identity Security Insights can ensure passwords for humans (employees, vendors, etc.) and machines (service accounts, RPA bots, etc.) are under management and properly protected—even from sophisticated, modern threats.

Contact us to learn more.

Learn more about Enterprise Password Management


  • Privileged Password Management Explained (guide)
  • How to Access Privileged Passwords in ‘Break Glass’ Scenarios (technical paper)
  • Password Spray Attacks are on the Rise—Here’s How to Defend Yourself (blog)
  • How to Manage and Secure Service Accounts: Best Practices (blog)
  • Buyer’s Guide for Complete Privileged Access Management (PAM)
  • Shelter from the Storm – What Midnight Blizzard’s Attack on Microsoft Tells Us about Modern Identity-Based Attacks (blog)

About the Author


Matt Miller

Director, Content Marketing & SEO

Matt Miller is Director, Content Marketing at BeyondTrust. Prior to BeyondTrust, he developed and executed marketing strategies on cybersecurity, cloud technologies, and data governance in roles at Accelerite (a business unit of Persistent Systems), WatchGuard Technologies, and Microsoft. Earlier in his career Matt held various roles in IR, marketing, and corporate communications in the biotech / biopharmaceutical industry. His experience and interests traverse cybersecurity, cloud / virtualization, IoT, economics, information governance, and risk management. He is also an avid homebrewer (working toward his Black Belt in beer) and writer.
