Bad Passwords Are Like No Passwords

August 2020 | Michael Wetherald

Organizations spend a fortune on security solutions which help identify when a machine is being compromised. But why would criminals go through the trouble of exploiting a host and risk detection if they can walk right in with a poor password?

How are passwords exploited?

Let’s outline a few common ways passwords are exploited, and define characteristics which will make it more difficult for a criminal to exploit.

1. Exploiting Default Credentials

One of the first things criminals will do is look up default credentials for a device and attempt to log in. I’ve personally run into a modem/router combination device from an ISP which had the default WiFi password set to the MAC address of the device. This MAC address is broadcast with every packet and can easily be picked up by packet capture devices. To the average person, the mac address seems like a random assortment of letters and numbers and they are fooled into trusting it as a secure password. Even if you think it’s random, change the default password to something you know is secure.

2. Password Guessing

Another way criminals can exploit passwords is by repeatedly attempting different passwords until one works. There are massive lists of the most commonly used passwords, and tools which will generate all possible combinations of valid characters which can be used to guess passwords.

This is commonly done on something called password hashes. Instead of storing passwords in plain text, appropriately engineered password management systems will store a hashed version of the password instead. There are many different types of hashing algorithms, but for our purposes we have a one-way hashing algorithm. Which means you take a password, pass it into an algorithm and out comes a new set of randomized characters which cannot be converted back into the original set of characters (hence one-way). If a criminal gains access to the database containing user credentials, they should only find these password hashes instead of your password.

The criminal can then use a password list, or password generating tool to test one password after the other at incredibly high rates a single high end consumer GPU can test upwards of tens of billions of hashes per second.

3. Password Spraying

If the criminal doesn’t have access to password hashes, another common technique is to do something called password spraying. This involves using a list of commonly used passwords against many different users. Many services will limit login attempts within a certain period of time, but only per user. Password spraying involves using those passwords against as many users as they can find until they match without ever tripping the failed attempt limit for any users.

Defend Your Organization

In our article "What Makes a Good Password?" we discuss what characteristics compose a password that makes it difficult and unlikely for a criminal to defeat. Armed with this information you can intelligently develop a password policy that works for your organization. If the criminal can walk right in because you allow poor/default passwords in your environment, why wouldn’t they? Contact us today if you’re ready to take steps to reduce the cybersecurity risk in your organization.