
Passwords Are a Problem

Posted on 22nd June, 2022

When I conduct penetration testing or other offensive cyber security engagements for a client, one of the most common routes of entry is a weak password. Company password policies are meant to mitigate this, but in practice they are usually ineffective.

When assessing an organisation as an attacker, the usual procedure is as follows:

  1. Find a target.
  2. Look for email addresses within that organisation which are publicly available.
  3. Find other email addresses related to those addresses (same person).
  4. Check whether any of the addresses you have found appear in a data breach.
  5. Obtain the data breach data and extract the password.
  6. Try to log in with the password.

These six steps succeed against an organisation about 80% of the time. That figure is high, but there are controls which reduce the chance of a successful attack dramatically. The first, which defeats this attack almost every time, is multi-factor authentication (MFA). From an attacker’s perspective a leaked password alone is no longer enough: getting past MFA means tricking the user into handing over a second piece of information as well. It must be noted, however, that in some cases the MFA process itself is also inadequate.
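Steps 3 to 5 of the procedure above are usually done against a leaked "combo list" rather than by hand. The following is an added example, not Sencode's tooling: it parses a constructed combo list in the common email:password format, links personal and corporate addresses to the same person by a normalised local part (a heuristic assumed for this example), and lists the leaked passwords attributable to each target account. All addresses and passwords in the sample are made up.

```python
"""Breach-dump triage: link leaked credentials to target accounts (added example)."""
import re
from collections import defaultdict

# Constructed sample in the "email:password" combo-list format that leaked
# credential dumps are usually traded in. Real dumps also contain junk lines
# and duplicates, which a parser must tolerate rather than crash on.
SAMPLE_DUMP = """\
jane.doe@example-corp.co.uk:Summer2021
janedoe@gmail.com:Summer2021
jane.doe+shopping@gmail.com:Winter2019!
bob.smith@example-corp.co.uk:P@ssw0rd
not a credential line
carol@other-org.com:letmein
bob.smith@example-corp.co.uk:P@ssw0rd
"""

# Addresses harvested for the target organisation in steps 1-3 (constructed).
TARGET_EMAILS = ["jane.doe@example-corp.co.uk", "bob.smith@example-corp.co.uk"]

# email, then ':' or ';' separator, then the password (which may itself
# contain '@' or ':' because only the first separator is significant).
LINE_RE = re.compile(r"^([^:;\s@]+@[^:;\s@]+)[:;](.+)$")


def parse_combo_list(text):
    """Yield (email, password) pairs; silently skip lines that are not credentials."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m.group(1).lower(), m.group(2)


def person_key(email):
    """Normalise an address to a 'same person' key: lower-case local part with
    dots and +tags removed, so jane.doe@, janedoe@ and jane.doe+x@ all give
    'janedoe'. This linking rule is an assumption made for the example."""
    local = email.lower().split("@", 1)[0]
    local = local.split("+", 1)[0]
    return local.replace(".", "")


def triage(target_emails, dump_text):
    """Map each target address to the distinct leaked passwords attributable to
    that person, from corporate *and* personal addresses (steps 4 and 5)."""
    by_person = defaultdict(set)
    for email, password in parse_combo_list(dump_text):
        by_person[person_key(email)].add(password)
    return {t: sorted(by_person.get(person_key(t), ())) for t in target_emails}


if __name__ == "__main__":
    for account, passwords in triage(TARGET_EMAILS, SAMPLE_DUMP).items():
        print(f"{account}: {passwords}")
```

Note that Jane's corporate account inherits a password that only ever leaked from her personal Gmail address, which is exactly why the post insists that breach checks cover personal addresses too.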

Regular breach checks are required, not only for company email addresses but also for personal ones. Most people use the same password for many services, so knowing one password may let an attacker into another account that shares it. People are also known to cut corners when a password policy changes and they are asked to reset their passwords: the user makes a small change which an attacker can predict, such as adding an ‘!’ to the end or capitalising the first letter. Attackers know this and routinely build rules which simply append or prepend characters, or make other minor amendments to the structure of the current password. From the attacker’s perspective this is a largely automated procedure. Consider these changes:

Current password: Summer2021

New password: Summer2022!

These changes are extremely predictable.
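The mutation rules described above are easy to automate, and the same rule set can be turned around and used by the defender at reset time. The following is an added example, not code from the post or from Sencode: a small hand-picked rule set (case changes, year bumps, common prefixes and suffixes, chosen as an assumption for the example rather than copied from any real rule file) generates the candidates an attacker would try from one leaked password, and `is_predictable_variant` rejects a new password that is merely one of those candidates.

```python
"""Predictable password mutations and a reset-time check (added example)."""
import re

# Assumed rule set: a representative handful of the append/prepend/year-bump
# rules the post describes, not an exhaustive or real-world rule file.
SUFFIXES = ["", "!", "!!", "1", "123", "?", "#"]
PREFIXES = ["", "!"]
YEAR_RE = re.compile(r"(19|20)\d{2}")
MAX_YEAR_STEP = 3          # Summer2021 -> Summer2022, 2023, 2024
DECORATION = "!?#."        # symbols users bolt on and the rules strip again


def case_variants(word):
    """Lower, upper, original and first-letter-capitalised forms."""
    return {word, word.lower(), word.upper(), word[:1].upper() + word[1:]}


def year_variants(word):
    """Bump every four-digit year forward by 1..MAX_YEAR_STEP."""
    out = {word}
    for m in YEAR_RE.finditer(word):
        year = int(m.group(0))
        for step in range(1, MAX_YEAR_STEP + 1):
            out.add(word[:m.start()] + str(year + step) + word[m.end():])
    return out


def mutations(old):
    """Candidate new passwords an attacker would try given one leaked password.
    The old password itself is excluded; callers check equality separately."""
    bases = {old, old.strip(DECORATION)}
    out = set()
    for base in bases:
        for cased in case_variants(base):
            for bumped in year_variants(cased):
                for pre in PREFIXES:
                    for suf in SUFFIXES:
                        out.add(pre + bumped + suf)
    out.discard(old)
    return out


def is_predictable_variant(old, new):
    """Defender-side check for a password reset: True if the new password is
    the old one or a rule-level mutation of it, and should be rejected."""
    return new == old or new in mutations(old)


if __name__ == "__main__":
    old = "Summer2021"
    for candidate in ("Summer2022!", "!SUMMER2024", "correct-horse-battery"):
        verdict = "REJECT" if is_predictable_variant(old, candidate) else "ok"
        print(f"{old} -> {candidate}: {verdict}")
```

Even this toy rule set expands one leaked password into a few hundred candidates, which is the point: the user believes they changed their password, while the attacker's job barely changed at all.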

The next best thing is enforcing the use of a password manager across the organisation. This ensures that everyone in the company sets unique, complex passwords, which defeats the credential reuse and predictable-mutation guessing described above, because a leaked password from one service no longer reveals anything about the others.

Passwords, however, are not the be-all and end-all of security. It is also important to check the security of any web property or application. Penetration testing gives you a full view of the security of an organisation or service: the goal is to simulate a cyber attack under safe, controlled conditions so that you understand the flaws a hacker could exploit. This often includes password checks, software vulnerability assessment and, if necessary, phishing or social engineering to gain access to sensitive data.

If you’re interested in how hackers can gain access to passwords you can view our blog on that here.

At Sencode, we offer free consultations to help you understand your security better either through penetration testing, free email breach checking or a chat.

Callum Duncan, MD Sencode


Website ©Copyright Jacksons Law Firm 2025
