While there are exceptions, when passwords are stored by a computer system or service, they are not stored in a readable format. Passwords are passed through a hashing process. The employed hashing algorithms are special in that they are relatively easy to execute in one direction, but extremely difficult to reverse. This allows a system to store a password in a non-readable fashion, to protect its security. When a user enters a password it is run back through the hashing algorithm and the result is compared to the stored hash. If they match, the user is granted access. The use of passwords does not prove that the user themselves requested the access, only that someone has used that user's credentials.
When a malicious actor compromises a system with a large number of users, they will often target the user information, containing usernames, email addresses, and hashed passwords, amongst other information. Those passwords will be cracked, potentially in a matter of days, depending on the specific hashing algorithm used. The process is similar to comparing the password at login to the stored hash, but performed using automation, at very high rates of speed. Eventually, all passwords would be guessed and become known. At the time of this article, for Windows network passwords, the entirety of possible eight character passwords can be attempted in less than a day with a $500 video card. Consider that multiple video cards can be used, and multiple systems, and we very quickly see that once compromised by an attacker, any passwords stored within a system must be considered compromised immediately. Unfortunately, the average time to detect breaches is still well over six months, permitting attackers a long window of opportunity to execute attacks using stolen credentials before there is reason to believe them compromised. In part, this can be addressed by enforcing risk-appropriate policies, which we will address at the close of this article.
Humans, in general, are very predictable in how they go about choosing passwords. Repeated studies of password generation patterns find that there are significant commonalities in how individuals choose their passwords. This is well known in the security community, as well as amongst malicious actors. Commonly used password patterns involve dictionary words, simple letter replacements (like substituting the "3" for an "E" or a zero for the letter "O"), and appending or prepending numbers or symbols. Due to the known patterns, those attempting to crack passwords will first try things that they know will yield results the fastest. This primarily consists of dictionary words with common alterations and patterns, followed by lists of passwords used in other contexts.
The point of requiring complex passwords is misunderstood by many users as an effort to prevent the password from being guessed by a malicious actor. The real point of requiring complex passwords is to increase the amount of time, on average, between the hashed password falling into outside hands, and the passwords being recovered and usable for further attacks. You will notice that attackers will specifically try lists of already discovered passwords. This is because over three-quarters of users of computer systems will use the same password on more than one system or service. If the username or email address is also the same across the sites, then it becomes a simple exercise to compromise those accounts unless there are other countermeasures in place.
- Usernames and passwords have become increasingly problematic and are not the sole means for users to authenticate themselves on a computer system. Better methods include:
- Biometric information such as fingerprints, hand geometry, retina patterns, and voiceprints;
- Issued items—such as cryptographic certificates stored on either the devices or a secured smartcard technology, issued by a trusted authority;
- Single-use codes that can be generated by dedicated devices such as a key fob, generated by a software application from a mobile device, or sent to a mobile device via text (or Short Message Service), or a voice call.
Each of the above methods improve the accuracy of the authentication process by imposing additional hurdles for an attacker to surmount before accessing a system using stolen credentials. When more than a single factor is utilized, the process is known as multifactor authentication.
Multifactor authentication schemes, while generally more secure than single factor systems, increase the time required to log in to systems. As such, there can be issues with gaining user acceptance of the technologies. This can be countered by requiring the use of multifactor authenticated based on the risk at hand, such as when more suspicious login activities will generate a higher level of scrutiny. As an example, remote login attempts from a previously used system, and from previously used IP addresses would be prompted for just a username and password, while attempts from unknown machines, new IP addresses, or simultaneous remote and local logins would require the user to enter an additional code that is presented via a known mobile phone using a text message.
An understanding of the potential threats is important in selecting the appropriate policies and the technologies to combat them. All firms must guard against illicit access to protect privileged information, but some types of practice will draw greater attention from malicious actors, which will include both organized criminal enterprises and state-sponsored actors, in addition to more ideological attackers that are driving by a perception of corruption or political frustration. Due care must be exercised.
To that end, consider the following to enhance your firm's security posture:
- Implement a policy requiring that passwords not be shared across multiple uses, and if possible, implement a software solution that can check new passwords against public disclosures.
- Increase minimum length requirements for passwords to a minimum of 12 characters, and consider decreasing the maximum age of passwords.
- If you utilize third-party services, inquire about enabling multifactor authentication for the services in use. When selecting new service providers, require that they offer a multifactor authentication solution for access.
- Conduct reviews of access entitlements and permissions within your organization, and reduce individual user's access to the minimum levels consistent with job duties.
- Require that users with administrative access to systems utilize a separate account for privileged activities, and further secure it using multifactor authentication technologies
- Provide training to your users on password handling, including the use of password management software to generate unique passwords for every site/service they access
Law firms in particular are targets for attack given the client sensitive information their systems may hold, especially those representing financial institutions. More and more, legal service providers are being subject to information security or "cyber" audits by their clients and other regulators. They want and need assurances that firms are adequately protecting their data. While creating and enforcing a strong password policy is only one item in a long list of policies needed to survive a cyber-audit, it is one of the easiest to employ and can have an immediate and strong improvement in a firms security posture.
Back to Contents