DFIRinProgress Blog

Should Organisations Crack Their Own Passwords?


TL;DR

Why Should I Care? Passwords play a large part in how Threat Actors gain access to an organisation’s environment.

What Should I Consider? To strengthen weak and easily cracked passwords, consider using a combination of a strong password policy and organisation-wide password resets rather than password cracking.

Introduction

I’ve been battling with where I stand on this topic. Passwords play a significant role in how Threat Actors gain initial access to an organisation’s environment. Initial access often involves an account whose password is a variation of “password” or is simply the account username. The scariest part of all is that the user is often well aware of this. Can password cracking be an effective practice for putting a stop to this?

Background

To provide some context, password cracking involves obtaining the password hashes from a system such as Active Directory and then cracking those hashes to reveal the plaintext account passwords. This is usually done by hashing large lists of common passwords and comparing the results against the stored hashes.

Benefits of Password Cracking

Revealing passwords within an environment can be a driver of change. It can encourage stronger password practices and provide an accurate assessment of the current state and quality of passwords. The following benefits are likely to come from password cracking:

  • Remediate Poor Password Practices: At the core of password cracking is identifying weak passwords. This allows poor credentials to be rotated, stronger practices to be implemented and users to be educated.
  • Driving and Monitoring Change: Password statistics and trends can be used to drive change within an organisation by showing, with evidence, the current quality of passwords within the environment.
  • Providing a Complete Picture during a DFIR engagement: Password cracking is often required as part of a DFIR engagement to confirm initial access assumptions and provide a complete picture of the attack.

Risks of Password Cracking

Password cracking can of course be risky. After all, you are exposing plaintext passwords. If the password hashes or plaintext passwords fall into the wrong hands, the result can be the very thing the exercise is trying to prevent: a breach. The following covers possible risks associated with password cracking:

  • Risk of Exposure: At its core, this practice exposes account passwords. If the results are not handled properly, or fall into the wrong hands, the consequences can be serious.
  • User Privacy: Alongside the exposure risk, cracking passwords may affect a user’s privacy, and could be seen as a breach of the user’s trust in the organisation.

Alternative

A strong alternative to password cracking would be the following:

  • Implement a strong password policy encouraging passphrases and ensuring password complexity.
  • Implement password filtering and banned password lists.
  • Complete an organisation-wide password reset.

The above is quite an undertaking, especially the final step. Yet the final step is actually the most important part. Weak passwords sit in the most surprising places, including domain admin accounts and service accounts. The accounts that would cause the most pain to change are the ones most likely to contain a weak password. There are always strategies to make this undertaking more manageable. For instance, staging user account password resets through password expiry can help reduce the immediate load.
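As an added example (not the post’s own code), here is a minimal password filter in Python that enforces the alternative described above at the point a new password is set: a passphrase-length minimum, a banned base-word list with leetspeak normalisation, and rejection of passwords built from the account username. The banned words and usernames are constructed for illustration; a real deployment would load a much larger list.

```python
import re
import unicodedata

# Constructed banned base-word list for this example; a real filter would load
# a large list (breach corpora, company and product names) from a file.
BANNED_BASE_WORDS = {"password", "welcome", "letmein", "summer", "winter", "qwerty"}

# Common character substitutions users apply to satisfy complexity rules.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(text: str) -> str:
    """Lower-case, undo leetspeak, and keep letters only so that
    'P@ssw0rd123!' and 'password' compare equal."""
    text = unicodedata.normalize("NFKC", text).lower().translate(LEET_MAP)
    return re.sub(r"[^a-z]", "", text)


def check_password(candidate: str, username: str, min_length: int = 14,
                   banned=BANNED_BASE_WORDS) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalise(candidate)
    user_core = normalise(username)
    # Reject passwords that equal the username, contain it, or are a fragment of it.
    if core and len(user_core) >= 3 and (user_core in core or core in user_core):
        reasons.append("contains or equals the username")
    for word in sorted(banned):
        if word in core:
            reasons.append(f"contains banned word '{word}'")
    # A single dictionary word with digits/symbols tacked on the end is the
    # shape complexity rules tend to produce; multi-word passphrases pass.
    if re.fullmatch(r"[A-Za-z]+[0-9!@#$%^&*]{1,6}", candidate):
        reasons.append("single word followed by digits/symbols")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw, user in [("P@ssw0rd123!", "jsmith"), ("jsmith", "jsmith"),
                     ("Summer2024!", "alice"), ("correct horse battery staple", "alice")]:
        print(f"{pw!r:35} -> {check_password(pw, user) or 'OK'}")
```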

Final Thoughts

The above does raise the question: is there actually a need to expose passwords to improve security? As with most things, if you could eliminate the risks, that would be the path forward. You are carrying out a technique that an attacker would leverage within your environment. The difference is that you are using that process to improve security and reduce the likelihood of a successful attack occurring.

While password cracking can be a great tool to improve security and drive change, it is not without risks. Ensuring passwords follow best practices is always wise, especially when you are unsure of the state of passwords within the environment. After a lot of thought, I would consider alternative strategies prior to performing password cracking to reduce the likelihood of weak passwords in the environment. Considering alternative strategies allows for a balance of risk and reward.