
Are we overcomplicating password security?

Tod Beardsley at Rapid7 argues that strong passwords are an essential part of any cyber-security strategy, but they need to be handled properly

 

While we have entered the era of advanced and sophisticated cyber-attacks, passwords remain the most common weak point of an enterprise network.

 

Despite the National Cyber Security Centre (NCSC) repeatedly warning users about the importance of strong passwords to protect organisations, the latest research report published by Rapid7 shows that most automated attacks still use well-known or default passwords. This tells us that cyber-criminals still succeed in breaching companies with easy passwords such as '123456'.

 

Whilst organisations and cyber-security experts are always discussing complex password managers and security systems, a single space within a password, or simply a longer password, could be enough to protect against most opportunistic, automated cyber-attacks.

 

Reasons for the popularity of default credentials

Our latest research investigated the two most popular protocols used for remote administration, Secure Shell (SSH) and Remote Desktop Protocol (RDP). It discovered that the three usernames most often attempted against RDP by automated attacks were 'administrator', 'admin' and 'root', and the three most common attempted passwords were '' (the empty string), '123' and 'password'.

 

For SSH, the three most popular attempted usernames were 'root', 'ubuntu' and 'guest', and the most common attempted passwords were '123456', 'nproc' and 'test'. Whilst they are all different usernames and passwords, the one thing they all have in common is that they're weak and easy to guess. So, why is this the case?

 

Convenience is likely a big factor for most users. Almost all applications today require the users to sign in. This means that the users must remember the passwords for all the different applications they use on a daily basis, leading to dozens of different combinations to remember. Having a standard password for all these applications then seems like a brilliant solution.

 

However, most users do not realise how dangerous this can be, and many do not comprehend the risk of keeping a default password. Organisations must therefore emphasise the importance of password management, and IT teams must make sure that users are not just aware of the risks and of good password processes, but that steps are taken to enforce them.

 

Additionally, users have a lot to do, or they might be busy, which can put the importance of good password practices on the back burner. They might not feel that password management is a priority, which can, in turn, put themselves and their organisation at risk.

 

Having established why these passwords are bad, it is worth understanding where this 'trend' of bad passwords originated.

 

Using the RockYou leak as a window into bad passwords

Rapid7 analysed the data collected by our RDP and SSH honeypots and discovered that there have been tens of millions of connection attempts. The honeypots captured 512,002 unique passwords and 215,894 unique IP source addresses across both RDP and SSH.

 

This list provided us with a useful view into the passwords actively being used in attack attempts today. For more context, we compared it to the colossal RockYou breach of 2009.

 

RockYou developed widgets and plugins for social media sites, and attackers extracted the passwords for various users' accounts, which were stored entirely unencrypted. A list of credentials, including over 14 million passwords, became part of the original 'rockyou.txt' file, which cyber-criminals have used to orchestrate attacks ever since.

 

Shockingly, nearly all (upwards of 99%) of the passwords our honeypots captured were in the much larger rockyou2021.txt list. Many users reuse their passwords rather than using a password generator, which has benefited threat actors significantly. To protect their credentials, users must understand how to secure their passwords.

 

Simple tricks to secure passwords

One of the essential tricks for securing passwords is to use long random strings generated by password managers, which provide a strong defence against automated attacks, most of which are carried out by bots. Randomly generated credentials also have the property that they will not be found in any of the lists or dictionaries compiled by threat actors.

 

Using password generators has its shortcomings, however. They are often deemed challenging and unintuitive for the average user. Password generators tend to be seen as inconvenient with an unfamiliar user experience and unknown branding, which stops most users from benefiting from this service.

 

Nonetheless, as users continue to use default passwords, threat actors still have great scope for a successful attack. It also brings to light that password managers are still not the default method for generating and storing passwords in most organisations. Password generators help the enterprise immensely, so organisations need to promote the use of password managers to create robust, lengthy and random passwords.

 

The length of the password needs to be prioritised over its complexity. A password should be about 12 characters long, including a few special characters. An easy way to make your password more secure is to include a space character: none of the automated attacks we observed included spaces in their guesses, and handling spaces is often troublesome for amateur malware developers.
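As an added illustration, not part of the original article or of Rapid7's tooling, the following Python snippet applies the points made above: it measures how many captured guesses fall inside an attacker wordlist (the honeypot-versus-rockyou comparison), checks a candidate password against that list and a length-first policy, and generates long random passwords that include spaces. The sample guess list and the stand-in wordlist are constructed from the values quoted in the article; the real rockyou2021.txt is vastly larger.

```python
"""Length-first password checks and a wordlist overlap measurement (added example)."""
import math
import secrets
import string

# Constructed sample of guesses, built from the usernames/passwords the article reports
# seeing against RDP and SSH honeypots.
HONEYPOT_GUESSES = ["", "123", "password", "123456", "nproc", "test", "admin", "root"]

# Constructed stand-in for rockyou2021.txt. In practice this would be loaded from disk
# into a set (or a Bloom filter for the multi-gigabyte real file).
BREACH_LIST = {"", "123", "password", "123456", "nproc", "test", "admin", "qwerty", "letmein"}

MIN_LENGTH = 12  # the article's "about 12 characters" guideline

# Generator alphabet: letters, digits, punctuation and the space character the article
# notes is absent from automated guesses.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def overlap_with_breach_list(guesses, breach_list):
    """Fraction of observed guesses that also appear in the breach list."""
    if not guesses:
        return 0.0
    hits = sum(1 for guess in guesses if guess in breach_list)
    return hits / len(guesses)


def check_password(candidate, breach_list=BREACH_LIST, min_length=MIN_LENGTH):
    """Return a list of policy failures; an empty list means the candidate is acceptable.

    Length is prioritised over character-class rules, and anything present in an attacker
    wordlist is rejected outright regardless of how complex it looks.
    """
    problems = []
    if candidate in breach_list:
        problems.append("appears in a known attacker wordlist")
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


def generate_password(length=20, alphabet=ALPHABET):
    """Cryptographically secure random password (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing entropy of a uniformly random password of this length over the alphabet."""
    return length * math.log2(len(alphabet))
```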

 

Moreover, keeping a 'password notebook' at home to log different lengthy passwords is also a fine option, especially in the age of remote working, although it comes with its own shortcomings. Targeted attacks are a completely different story: saving passwords on paper rather than on the device makes them less vulnerable to online attacks, but more vulnerable to local, physical attacks (like nosey kids).

 

The key takeaway is that it is crucial to focus on protecting user accounts through good password practices. Users and companies must get into the habit of generating lengthy passwords containing a few special characters; this is the need of the hour.

 

If good password practices are exercised, there is an excellent chance that defending against automated, opportunistic attacks on RDP and SSH becomes effectively a solved problem, and you can move on to defending against more sophisticated attacks.

 


 

Tod Beardsley is Director of Research at Rapid7

 
