Low-Hanging Fruit Series: Password Security

At VDA Labs we work a variety of companies both large and small. During our engagements see many of the same reoccurring issues that allow us access to systems. To help combat these threats VDA Labs is starting a blog series we are calling “Low-Hanging Fruit”. Throughout this series VDA Labs will be talking about the most common issues we see along with how each issue can be combated. Starting this series will be the issues we see with password security and password policies.

Passwords: The First Line of Defense

Typically after completing our first rounds of open source intelligence (OSINT) gathering VDA Labs starts quickly password spraying accounts based on the usernames we have gathered. During this phase we typically spray common passwords like {Season}{Year}, {CompanyName}{Year}, or {LocalSportsTeam}{Year}. Here are some examples.

Fall2019

VDALabs2019

Lions2019

VDA also frequently find passwords shared between accounts unrelated to the company we are working with. Many of these passwords can be checked with data from the haveibeenpwned.com/passwords. For example Jill from HR may have shared a password that she is currently using or similar to what she is using on LinkedIn. During May of 2016 LinkedIn leaked 164 million email addresses and passwords. Jill’s account was part of this breach and perhaps she uses a variation of that for her current password. VDA (simulated attackers) knowing her previous password is now able to test variations until we are able to find the correct new password and take over her account (more data). This is the crux of many Business Email Compromise (BEC) scenarios or even the start of malware attacks via internal phishing.

Password Filters: Protecting Our Users From Themselves

Instead of taking a reactive approach where an organization may respond to bad passwords after a breach, VDA recommends that organizations take a proactive approach to password security. An easy way of accomplishing this is through the use of password filters for an organizations Active Directory environment. Password filters supplement standard Active Directory password policies allowing administrator to block specific passwords, or passwords containing certain content (such as the company name). Their exist paid products to implement password filters, but one tool that VDA has discovered is a free tool created by a Microsoft employee named PassFiltEx. This tool allows an organization to implement a password security policy for low cost, and thus clears up one of the larger techniques hackers first try towards unauthorized access.

Password Lists: Feeding The Machine

Now that we have software setup to block bad passwords, we need to define what a bad password looks like. Although many lists available across the web, one tool VDA uses is SecLists password lists by Daniel Miessler. This GitHub contains a regularly updated list of passwords in various formats from known data breaches. These handy word lists make it easy to import and add to an organizations existing policy to ensure that known bad passwords get prevented from being used by users.

Wrapping Up

Using the techniques described above, if implemented correctly, your team will have helped stop one of the major (yet simple) attacks we see against organizations. No longer will users be able to set previously compromised or weak guessable passwords. If you need help implementing this or other more advanced blue team engineering measures, VDA is here to help: contact us.

Stay tuned for the rest of our series on low-hanging fruit, for more pressing ways that your organization can help create a secure environment. Our next blog in this series will be about Multi-Factor authentication and some common issues we in its implementation.