All that often stands between a malicious hacker and access to valuable, confidential data is a few keystrokes: an end-user's or admin's password. Yet even the most carefully crafted and well-guarded password is susceptible to being stolen from an innocent victim, and crafty miscreants have numerous techniques at their disposal to do the dirty deed.
In order to protect users and your organization from a password attack, you must first have a clear understanding of the various tactics available. From there, you can develop policies and educate users to prevent such an attack from succeeding. Today, we'll take a closer look at some of the types of attacks, as well as the best approaches to squelching them.
[ Are your organization's passwords strong enough? | Roger shares more advice on managing passwords: "Password size does matter" | "Getting a grip on better password hashes" | "Ask better password questions" ]
The most popular password attacks include authentication bypassing; guessing; network sniffing or eavesdropping; keystroke logging; hash cracking; credential replaying; and social engineering.
This attack entails simply hacking around the authentication check. A common example: A would-be hacker uses a separate boot disc with the ability to read the targeted data partitions so as to bypass the normal log-on prompts and access the data directly. Another example would be an attacker using a remote buffer overflow (or SQL injection, and so on) against a running application or service to gain unauthorized access to the data.
Here, an attacker attempts to guess a user's password by making multiple (sometimes thousands or millions) log-on attempts using proposed passwords against some sort of log-on prompt. Common guessing locations include the normal log-on prompt, Web-based e-mail, FTP, and remote management consoles.
This attack is launched by installing a network protocol analyzer (a sniffer) on the network communication's path between the authentication client and the server containing the authentication database. Even if the network is a 100 percent switched, "poisoning" the switch into hub mode or sniffing at an aggregation point it isn't nearly as hard as most people think. Either way, any plaintext log-on credentials can easily be picked up. Most networks have more plaintext passwords flying around than admins know -- or want to know. This attack is particularly dangerous in that it does not require elevated privileges and can be "silently" implemented.
Here, a hacker compromises a computer with a keystroke-logging malware program, which records log-on credentials as the end-user types them in. The keylogger stores the captured keystrokes for pickup or sends them to the remote hacker. Installing a keystroke logger usually (although not always) requires elevated permissions and privileges.
This form of attack necessitates elevated credentials (administrator or root) or performing an authentication bypass attack to access the credential database. Once the attacked accesses the authentication database, he or she can be query it to cough up the stored password hashes; most passwords are stored using their hashed derivatives instead of plaintext to complicate unauthorized recovery. Depending on multiple variables, such as password length, hash algorithm used, salting, and so on, converting the hash to its plaintext equivalent can be easy or hard. Unfortunately, it's often very easy once the hash is obtained.
This technique requires the attacker to first obtain log-on credentials, such as password hash, which he or she then uses to replay across the network to access otherwise unauthorized resources. The pass-the-hash attack is a great example.
Forget all the technical stuff: A bad guy can just ask an end-user for his or her password in person, over the phone, or ever more popular, through phishing e-mails or convincing-looking fake Web sites. Getting a user's password is far easier than it should be. It's nearly child's play.
Mounting your defense
With so many ways for passwords to be compromised, how do you defend against them? Well, there are plenty of techniques, some of which are common and work against multiple types of attacks and others that work only against specific types.
The best protection of all is a strong password policy, which can complicate many of the attacks. A strong password policy includes a decent minimum password length (say, a 10- to 12-character minimum), enforced complexity, prevention of password re-use, and forced password changes (say, every 45 to 90 days as a maximum life). If your password policy doesn't have these minimum recommendations, it isn't considered strong.
Reducing the amount of software and services running on a computer will give an intruder less software to compromise to get around authentication protections. All software, OS and otherwise, should be fully security patched. When software or an end-user is logged on, it should be running with nonelevated privileges whenever possible.
Security domain isolation, in which computers and networks are insolated in what they can see of each other, will prevent intruders from one host or network from easily compromising other hosts and networks. For example, if an attacker compromises a network and installs a sniffer, if the network traffic can never be rerouted to the attacker's site, the password credentials cannot be pulled off the wire. In another example, if the attacker compromises an authentication database on one server, he or she can't immediately use it to compromise another. In most instances, most servers don't need to access other servers. Workstations don't normally need to access other workstations unless there is a workstation-level file or printer share. and the average workstation doesn't need to access every server -- so don't let them. You can use IPSec, firewalls, VLANs, or access control lists to enforce security domains.
Lastly, minimize password re-use between security domains. Attackers love when users and admins re-use their now compromised passwords between separate and distinct security domains.
All these protections will make any of the password attacks harder to pull off, but the following table lists some of the specific mitigations that can be used against specific attack types:
Password attacks and defenses
|Authentication bypassing||Physical access control; system/boot volume encryption; boot/volume integrity verification to prevent root kits and boot-up modifications|
|Password guessing||Long and complex passwords; account lockout policies; two- or multiple-factor authentication; IP address restrictions|
|Network sniffing/eavesdropping||Security domain isolation; non-plaintext passwords; sniff your own network to audit; secure authentication channels; secure authentication protocols; anti-sniffing, anti-poisoning technologies; don’t let attacker install sniffer in the first place|
|Keystroke logging||Don't get tricked into installing Trojan malware; don’t be logged on using an elevated account all the time; anti-malware prevention/detection software|
|Hash cracking||Use strong password hashes; disable weak password hashes; use long and/or complex passwords; prevent intruder from gaining elevated access on an authentication database computer|
|Credential replaying||Use strong authentication protocols; implement anti-replay technologies and mechanisms; prevent intruder from gaining elevated access on a computer|
|Social engineering||End-user education program; phish your own users and educate who needs help|
Now you know what password attacks your organization might face. Use this information to make sure you are protecting against the password attacks they way you're meant to.