Strong passwords make it significantly more difficult for attackers to crack or guess their way into systems. A password is generally considered strong when it is at least eight characters long and made up of upper and lowercase letters, numbers, and symbols.
The US National Institute of Standards and Technology (NIST) recommends long passphrases that are easy to remember and difficult to crack. Special Publication 800-63B, Digital Identity Guidelines, requires verifiers to accept passwords of at least 64 characters, including spaces, so that such passphrases can actually be used.
Two-factor authentication has become a standard for managing access to organizational resources. In addition to traditional credentials, like username and password, users have to confirm their identity with a one-time code sent to their mobile device or using a personalized USB token. The idea is that with two-factor (or multi-factor) authentication, guessing or cracking the password alone is not enough for an attacker to gain access.
11. Protect Accounts of Privileged Users: Passwords for privileged user accounts require special protections, such as privileged access management software. Unlike personal passwords, privileged credentials should still be changed regularly (after every use for highly sensitive credentials). These credentials should also be injected into the session and never directly visible to or known by the end user, as a further measure of security.
By leveraging a password manager, you only need to remember one password, as the password manager stores and even creates passwords for your different accounts, automatically signing you in when you log on.
Credentials are involved in most breaches today. Forrester Research has estimated that compromised privileged credentials are involved in about 80% of breaches. When a compromised account has privileges, the threat actor can easily circumvent other security controls, perform lateral movement, and crack other passwords. This is why highly privileged credentials are the most important of all credentials to protect.
In this section, we will look at common password cracking techniques. Some of these techniques overlap in tools and methodology. Attackers often blend multiple, complementary tactics to improve their chances of success.
If the threat actor knows the password length and complexity requirements of the target account, the dictionary is customized to match them. Advanced password crackers take dictionary words and apply mangling rules that mix in capitalization, numbers, and symbols, mimicking the way real users satisfy complexity requirements.
A seven-character password drawn from a single-case alphabet of 26 letters has a keyspace of 26^7 = 8,031,810,176 combinations, so an exhaustive search needs at most that many guesses (about half that on average). This assumes the attacker already knows the password length and character set. Mixing in the other case, digits, and the special characters of the localized language enlarges the alphabet, and every additional character multiplies the keyspace again.
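The rule-based dictionary attack and the keyspace arithmetic described above, as an added example written for this page (not a tool from the original article). The wordlist, mangling rules, target hash and guess rate are all constructed; real attacks use far larger, targeted wordlists and GPU crackers, and real systems should store passwords with a salted, slow KDF rather than the plain SHA-256 used here as a stand-in.

```python
"""Added example: rule-based dictionary attack plus brute-force keyspace math.
Everything here is constructed for illustration (assumption), not real data.
"""
import hashlib

# Constructed wordlist; a real attack would use a large, target-specific list.
WORDLIST = ["password", "welcome", "summer", "dragon", "letmein", "baseball"]

# Leet substitutions in the spirit of hashcat/John mangling rules.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the base word and the human-style variations users produce
    when a policy demands capitals, digits and symbols."""
    bases = sorted({word, word.capitalize(), word.upper(),
                    word.translate(LEET), word.capitalize().translate(LEET)})
    for base in bases:
        yield base
        for suffix in ("1", "!", "123", "1!", "!1"):
            yield base + suffix
        for year in range(2015, 2025):
            yield f"{base}{year}"
            yield f"{base}{year}!"


def sha256_hex(text):
    """Unsalted SHA-256 stands in for a leaked hash (assumption)."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex, wordlist):
    """Try every mangled candidate from the wordlist against one hash.
    Returns (plaintext, attempts) or (None, attempts)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` chars over the alphabet."""
    return alphabet_size ** length


def worst_case_seconds(space, guesses_per_second):
    """Time to exhaust a keyspace at a given rate; the average case is half."""
    return space / guesses_per_second


if __name__ == "__main__":
    found, tries = crack(sha256_hex("Dragon123"), WORDLIST)
    print(f"cracked {found!r} after {tries} candidates")
    rate = 1e9  # assumed 1 billion guesses/second
    for name, size in (("lowercase", 26), ("mixed case", 52),
                       ("mixed case + digits", 62), ("all printable", 94)):
        for length in (7, 8, 12):
            space = keyspace(size, length)
            print(f"{name:>20} x{length}: {space:>28,} "
                  f"-> {worst_case_seconds(space, rate):,.0f} s worst case")
```

Running the script shows why the single-case seven-character example above is effectively free for an attacker (about eight seconds at a billion guesses per second) while twelve characters over the full printable set is not, and why a policy-compliant "Dragon123" still falls to a six-word dictionary once mangling rules are applied.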
Password spraying is a credential-based attack that attempts to access many accounts using a few common passwords. Conceptually, this is the opposite of a brute force attack, which tries to gain unauthorized access to a single account by submitting large numbers of password guesses against it.
The threat actor tries every user account in their list with the same password before starting over with the next password. Because each account sees only one attempt per pass, the attacker stays below per-account lockout thresholds, and the time between attempts on any one account makes the activity less likely to be detected.
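The two attempt orders described above, with a detector that tells them apart in a stream of failed-logon events. This is an added example written for this page, not code from the original article; the account list, the assumed lockout threshold of five failures, the password lists and the source addresses are all constructed.

```python
"""Added example: password spraying vs. brute force, and a per-source detector.
Account list, lockout threshold, passwords and addresses are constructed (assumption).
"""
from collections import defaultdict
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5  # assumed policy: failures per account before lockout


@dataclass
class AuthEvent:
    src_ip: str
    user: str
    success: bool


def spray_order(users, passwords):
    """Spraying: one password across every account, then the next password.
    Each account receives only len(passwords) attempts in total."""
    return [(u, p) for p in passwords for u in users]


def brute_force_order(user, passwords):
    """Brute force: every candidate against a single account."""
    return [(user, p) for p in passwords]


def simulate(order, truth, src_ip):
    """Replay an attempt sequence against a credential store and return the
    auth log it would produce (constructed, not a real log format)."""
    return [AuthEvent(src_ip, u, truth.get(u) == p) for u, p in order]


def classify_source(events, min_users=10):
    """Classify one source's failed logons:
    'brute_force' if any account reached the lockout threshold,
    'spray' if many distinct accounts each stayed under it, else 'normal'."""
    failures = defaultdict(int)
    for e in events:
        if not e.success:
            failures[e.user] += 1
    if not failures:
        return "normal"
    if max(failures.values()) >= LOCKOUT_THRESHOLD:
        return "brute_force"
    if len(failures) >= min_users:
        return "spray"
    return "normal"


def detect(log):
    """Group events by source address and classify each source."""
    by_ip = defaultdict(list)
    for e in log:
        by_ip[e.src_ip].append(e)
    return {ip: classify_source(evs) for ip, evs in by_ip.items()}


# Constructed population: 25 accounts, one of which uses a sprayable password.
USERS = [f"user{i:02d}" for i in range(25)]
TRUTH = {u: f"Unguessable-{i}-xK9" for i, u in enumerate(USERS)}
TRUTH["user07"] = "Welcome1"
SPRAY_LIST = ["Winter2024!", "Welcome1", "Password1"]  # 3 tries < threshold
BRUTE_LIST = [f"guess{i}" for i in range(20)]


def run_demo():
    """Spray from one address, brute-force user03 from another; return the
    detector's verdicts and the accounts the attacker actually got into."""
    log = simulate(spray_order(USERS, SPRAY_LIST), TRUTH, "198.51.100.7")
    log += simulate(brute_force_order("user03", BRUTE_LIST), TRUTH, "203.0.113.9")
    compromised = sorted({e.user for e in log if e.success})
    return detect(log), compromised


if __name__ == "__main__":
    verdicts, owned = run_demo()
    print(verdicts)          # {'198.51.100.7': 'spray', '203.0.113.9': 'brute_force'}
    print("compromised:", owned)
```

The spraying source never trips the per-account threshold (three attempts per account against a limit of five) yet still lands one account, which is why a lockout policy alone is not a detection. The check that catches it is the number of distinct accounts failing from one source, the same aggregation you would run over Windows 4625 events or a Linux auth log.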
The names of pets, children, and spouses, along with addresses, birthdays, hobbies, and friends, are among the most valuable information available to threat actors. Factor in favorite movies, TV shows, authors, bands, actors, and more, and most social media accounts become an information gold mine.
Changing passwords frequently is a security best practice for privileged accounts (as opposed to personal or consumer accounts). However, resetting passwords and transmitting them over insecure channels is not. For the individual, a password reset is also an attack vector: a fraudulent reset message is hard to tell from a legitimate one, and acting on the wrong one can hand the account to a threat actor.
Today, companies frequently engage white hat hackers and penetration testers to increase the resiliency of their networks, including through password cracking exercises. As a result, the availability and development of cracking software has increased. Modern computer forensics and litigation support software also includes password cracking functionality. The most sophisticated cracking software combines several cracking strategies to maximize productivity.
Some password cracking techniques rely on system vulnerabilities or gaining access to a privileged account to achieve lateral movement and amass other passwords. However, most cracking relies on inadequate password hygiene and absence of appropriate credential management tools.
Social media sites regularly encourage people to share the name of their favorite pet or share details from their childhood. Brilliant mechanisms to help build the lists of predictive passwords used in attacks!
Any password practice that relies primarily or completely on humans to manage credentials and maintain best practices poses a risk. The sheer number of personal passwords, let alone enterprise account passwords, is far too high for any mere mortal to adequately manage.
3. Create Long, Random, Unique Passphrases: Strong passwords resist password cracking attempts. Passwords should be at least eight characters long and made up of upper and lowercase letters, numbers, and symbols. Avoid basing a password on a single dictionary word, a name, or any other easily guessed phrase. Length and strength should reflect the sensitivity of the account the password protects. NIST Special Publication 800-63B requires verifiers to accept passwords of at least 64 characters, including spaces, so that long randomly chosen passphrases can be used.
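One way to generate passwords that meet this guidance and to screen user-chosen ones against it, as an added example written for this page rather than code from the original article. The 32-word list and the blocklist are constructed stand-ins (a real deployment would use a diceware list and a breached-password list), and the checker's "common word" heuristic is an assumption about how to apply the guidance, not a NIST rule.

```python
"""Added example: CSPRNG password/passphrase generation and a policy screen.
Word list and blocklist are constructed (assumption); use real lists in practice.
"""
import math
import secrets
import string

# Constructed 32-word list (5 bits per word); a real diceware list has 7776.
WORDS = ["acorn", "basil", "cedar", "delta", "ember", "fjord", "gravel", "harbor",
         "ivory", "juniper", "kettle", "lantern", "marble", "nickel", "orbit",
         "pebble", "quartz", "ridge", "saddle", "timber", "umber", "velvet",
         "walnut", "xenon", "yarrow", "zephyr", "anvil", "breeze", "copper",
         "dune", "falcon", "glacier"]
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed blocklist of common words and names.
BLOCKLIST = {"password", "welcome", "summer", "dragon", "letmein", "qwerty",
             "michael", "jessica"}
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})


def random_password(length=16):
    """Random characters from the full printable set, using the OS CSPRNG
    (secrets), never the `random` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_passphrase(n_words=6):
    """Space-separated words chosen uniformly at random; spaces are allowed
    because verifiers must accept them."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def entropy_bits(choices, count):
    """Entropy of `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


def check_policy(pw, min_len=8, max_len=64):
    """Return (ok, reason). Minimum length, the 64-character ceiling the
    verifier must support, and a rejection of passwords that are just a
    blocklisted word with leet substitutions or trailing digits/symbols."""
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:
        return False, "too long"
    core = pw.lower().strip(string.digits + string.punctuation).translate(UNLEET)
    if core in BLOCKLIST:
        return False, "based on a common word"
    return True, "ok"


if __name__ == "__main__":
    pw, pp = random_password(16), random_passphrase(6)
    print(pw, f"~{entropy_bits(len(ALPHABET), 16):.1f} bits", check_policy(pw))
    print(pp, f"~{entropy_bits(len(WORDS), 6):.1f} bits", check_policy(pp))
    for weak in ("P@$$w0rd1!", "Dragon123", "Ab1!"):
        print(weak, check_policy(weak))
```

The screen deliberately rejects "P@$$w0rd1!" even though it satisfies every composition rule: once the leet substitutions and the trailing decoration are undone it is the dictionary word an attacker's mangling rules would reach first. With a real 7776-word list a six-word passphrase carries about 77.5 bits, which is why length beats decoration.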
5. Use Unique Passwords Without Repeating: This simple best practice protects against a broad array of password re-use strategies and password cracking tools. Otherwise, if one account is breached, other accounts with the same credentials can easily be compromised.
6. Implement Password Expiration and Rotation Best Practices: Here the best practices diverge, depending on whether the passwords are for personal use or standard accounts, or for privileged access. NIST advises against forcing periodic changes of personal passwords unless there is reason to believe they have been compromised. Privileged passwords, on the other hand, should be routinely changed (rotated). The most sensitive privileged accounts should use one-time passwords (OTPs) or dynamic secrets, which expire after each use.
7. Implement Multi-Factor Authentication: For sensitive accounts and vendor/remote access, single-factor authentication (a username and password pair) is insufficient. Adding authentication factors greatly increases protection and raises assurance that the identity initiating access is who it claims to be. Multi-factor authentication (MFA), by incorporating factors such as a trusted device or biometrics, protects accounts against password cracking tools and guessing attacks, because a cracked password alone no longer grants access.
8. Retire Passwords When an Employee or Vendor has Departed: It is not uncommon for former employees to try to keep accessing the organization's systems. Always deprovision access and change shared passwords when an employee departs. This protects not only against the former employee but also against other threat actors who might come across orphaned accounts and credentials.
Enterprise identity security is predicated on the consistent enforcement of password security best practices. However, taking a risk management approach, organizations must prioritize the highest-impact identities first. This entails illuminating the landscape of privileged identities and credentials. You can start by leveraging the most powerful free tool for identifying privileged accounts and access across your environment - the BeyondTrust Privileged Account Discovery Application - no download necessary.
The company also allows people who use a shared password to transfer their personalized profile information to either a new account or a sub account, allowing them to keep their viewing history and recommendations.
A survey from research organization Time2Play suggested about 80% of Americans who use someone else's password wouldn't get their own new account if they couldn't share the password. It didn't survey how many current account payers would be willing to pay more to share with others.
Netflix's plan is unprecedented. No major streamer has ever cracked down on password sharing before. Other owners of streaming services, such as Disney, Warner Bros. Discovery, Comcast's NBCUniversal and Paramount Global, will likely not set their own plans until after reviewing Netflix's password-sharing reforms.
Some account holders will undoubtedly be surprised when they receive news from Netflix that their passwords are being shared. It's also unclear how long Netflix would allow those watching on a shared account to maintain access if the primary account holder chooses not to pay the additional fee.
Beginning today, you can now completely remove the password from your Microsoft account. Use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to your favorite apps and services, such as Microsoft Outlook, Microsoft OneDrive, Microsoft Family Safety, and more.
Except for auto-generated passwords that are nearly impossible to remember, we largely create our own passwords. But, given how exposed passwords are, the requirements for them have grown increasingly complex in recent years: multiple symbols, numbers, mixed case, and bans on reusing previous passwords. Updates are often required on a regular schedule, yet creating passwords that are both secure enough and memorable enough is a challenge. Passwords are incredibly inconvenient to create, remember, and manage across all the accounts in our lives.