A handful of characters is all that stands between your data and a long line of cyber criminals anxious to infiltrate your systems, disrupt your business, and steal your precious phone credentials.
Passwords are your sentries. And as technology advances, the attacks your sentries face are getting more and more sophisticated. Understanding how these attacks work will help you adjust your password policy to make sure your sentries are adequately armed to defend your data.
Brute-force attacks:
These attacks don’t sound sophisticated, but in a way they are. Imagine a relentless robot that runs through every possible combination of characters up to a given length and tries each one against your login. As attackers gain more processing power, the attacks get faster and more effective. Even so, longer passwords take longer to exhaust, and length is the biggest lever you have. At 1,000 guesses per second, it would take 715,483,583 years to go through every combination of a 12-character password drawn from a pool of 41 unique characters (a keyspace of 41^12); on average the attacker finds the password after searching half of it. Note that 1,000 guesses per second is an online rate against a login prompt. An attacker holding a copy of your hashed password file can test billions of guesses per second against a fast hash such as MD5 on commodity GPUs.
Dictionary attacks:
These attacks run lists of common passwords, words and phrases against a target until a match is found. As storage and computing capacity get cheaper, attackers can use larger lists of candidate passwords and apply more variations to each entry (appended digits, years, capitalised first letters, substituted characters).
This method is probably the scarier of the two. Lists of frequently used passwords, including dumps from real breaches, are widely available on the Internet. Research shows 40% of passwords on multi-user computer systems are easily guessed using computer programs. And because people are predictable, even more passwords can be ‘guessed’ if the attacker possesses information about a targeted user, such as names, birthdays, pets or teams.
Rainbow tables:
If brute-force and dictionary attacks are your ten-year-old neighbor playing around with encryption, rainbow tables are her seven-foot-tall twin brother who’s skipped every grade.
Rainbow tables are effective because they attack the way passwords are typically stored. To authenticate users, your system needs to keep something to compare against: either the password itself in plaintext, or a hash of it. Plaintext is just that, the password stored exactly as entered for a one-to-one comparison, and readable by anyone who copies the database. For the love of Alexander Graham Bell, never ever store your passwords in plaintext. A cryptographic hash function takes the password and converts it to a fixed-size bit string, e.g. 128 or 256 bits, and only that string is stored. The benefits: the hash is cheap to compute for any input, the stored database never contains the password itself, and it is infeasible to find two distinct inputs with the same hash. Hashing is also a one-way function: there is no practical way to recover the input from its hash other than guessing inputs and hashing each one. Because the password is hashed on entry, a thief who types a stolen hash value into the password field just gets it hashed again, and the result won’t match the stored value.
Rainbow tables are precomputed structures that let an attacker look up a hash and read back the plaintext that produced it; they store chains of hashes rather than one row per password, which is what lets them fit on disk. Each table is built for a specific hash function, password length and character set. The longer the passwords and the larger the character set, the more computing power is needed to generate the table and the more storage it consumes.
Rainbow tables can be rendered ineffective by salting the one-way hash. A salt is a random value, unique per account and stored alongside the hash, that is mixed into the password before hashing. With salts, identical passwords receive different hash values (assuming unique salts), and all of a sudden it’s not enough to have a table of hashes: the attacker needs a separate table for every possible salt value. A 12-bit salt would require 4,096 tables, one per salt value, and 48- or 128-bit salts push the precomputation beyond any feasible amount of computation and storage. (Read more on Wikipedia.) One caveat: a salt stops precomputation, not guessing. An attacker who has your hash file can still run a dictionary attack against each salted hash individually, so the hash should also be deliberately slow (PBKDF2, bcrypt or scrypt) to make every guess expensive.
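The following is an added example, not code from the original post. It shows the two storage schemes discussed above side by side: a precomputed lookup table (standing in for a rainbow table) recovers every unsalted MD5 hash it already covers, while per-account random salts make the same table useless and give two users with the same password different stored values. The account names, passwords and the short "common password" list are constructed for the demo; PBKDF2-HMAC-SHA256 is used for the salted, slow hash because it ships with Python.

```python
import hashlib
import hmac
import os

# Constructed sample accounts; two users chose the same weak password.
USERS = {"alice": "password", "bob": "password", "carol": "xK9#vQ2!mLp7w"}

# Constructed stand-in for a leaked password list used to build the table.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "abc123"]


def unsalted_hash(password: str) -> str:
    """Plain MD5 of the password: the storage scheme rainbow tables target."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> plaintext once and reuse it against every leaked database.
    A real rainbow table stores hash chains instead of one row per password,
    but the outcome against unsalted hashes is the same."""
    return {unsalted_hash(p): p for p in candidates}


def recover_unsalted(stored, table):
    """Recover every stored hash that appears in the precomputed table."""
    return {name: table[h] for name, h in stored.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Salted, iterated hash. PBKDF2-HMAC-SHA256 is used because it ships with
    Python; bcrypt or scrypt are the usual production choices."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def store_salted(users):
    """Each account gets its own random 128-bit salt, stored beside the hash."""
    records = {}
    for name, password in users.items():
        salt = os.urandom(16)
        records[name] = (salt, salted_hash(password, salt))
    return records


def recover_salted(records, table):
    """The precomputed table finds nothing: no stored value is a plain hash of a password."""
    return {name: table[h] for name, (_salt, h) in records.items() if h in table}


def verify(records, name, password) -> bool:
    """Login check: rehash the supplied password with the stored salt and compare
    in constant time."""
    salt, stored = records[name]
    return hmac.compare_digest(salted_hash(password, salt), stored)


if __name__ == "__main__":
    unsalted = {n: unsalted_hash(p) for n, p in USERS.items()}
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted, recovered by table:", recover_unsalted(unsalted, table))
    salted = store_salted(USERS)
    print("salted, recovered by table:", recover_salted(salted, table))
    print("alice and bob share a stored hash?", salted["alice"][1] == salted["bob"][1])
    print("alice logs in:", verify(salted, "alice", "password"))
```

The iteration count is what makes each guess slow; raise it as hardware gets faster, and store it with the record so old hashes can be upgraded at next login.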
Social engineering:
Not all attackers lurk in the tubes of the internets launching tables at your network from server-based catapults. Some will call your organization and try to manipulate your employees into giving up confidential information that can be used to gain access to your systems. Social engineering takes many forms, and a single call is often only a small piece of a larger operation, which is how these attacks typically succeed: each request seems insignificant on its own.
The best defense:
The obvious way to protect your system against online brute-force and dictionary attacks is to lock out IP addresses (and accounts) that have failed to enter a correct password more than a set number of times (like what happens when you forget your iTunes password). Two caveats: an attacker who spreads guesses across many IP addresses stays under a per-IP threshold, and a per-account lockout lets an attacker lock legitimate users out on purpose, so key the lockout on both and give it a sensible window. The bigger problem with relying exclusively on lockouts is that they only guard the login prompt. If an attacker gets their hands on a copy of your hashed password database, they can try as many guesses as they want offline without fear of being locked out.
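As an added illustration of the lockout described above (not code from the original post), here is a sliding-window throttle keyed on both the client address and the account name. The extension names, passwords and timestamps are constructed; a real deployment would verify against the salted hash store rather than the plain dictionary used here, and would persist the counters somewhere shared by all login front ends.

```python
import hmac
from collections import defaultdict, deque

# Constructed credential stand-in: extension -> password. A real system verifies
# against a salted hash; plain comparison keeps the focus on the lockout logic.
CREDENTIALS = {"ext101": "xK9#vQ2!mLp7w", "ext102": "Tr0ub4dor&3pbx"}


class LoginThrottle:
    """Sliding-window lockout keyed on both client IP and account name.

    Keying on both matters: an attacker who rotates source addresses evades a
    pure IP block, while a pure per-account lock lets an attacker lock real
    users out by guessing badly on purpose. Neither helps once the attacker
    has a copy of the hash database and can guess offline.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lock expires

    def is_locked(self, key, now):
        return self._locked_until.get(key, 0) > now

    def _record_failure(self, key, now):
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            recent.clear()

    def attempt(self, ip, account, password, now):
        """Returns (allowed, authenticated). A locked key is refused before the
        password is checked, so the attacker learns nothing from the guess."""
        keys = ("ip:" + ip, "acct:" + account)
        if any(self.is_locked(k, now) for k in keys):
            return False, False
        expected = CREDENTIALS.get(account, "")
        ok = account in CREDENTIALS and hmac.compare_digest(expected.encode(), password.encode())
        if ok:
            for k in keys:
                self._failures.pop(k, None)
            return True, True
        for k in keys:
            self._record_failure(k, now)
        return True, False


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_seconds=60, lockout_seconds=600)
    for second in range(3):
        print(throttle.attempt("10.0.0.1", "ext101", "wrong", now=second))
    print("same IP, right password:", throttle.attempt("10.0.0.1", "ext101", "xK9#vQ2!mLp7w", now=3))
    print("new IP, locked account:", throttle.attempt("10.0.0.2", "ext101", "xK9#vQ2!mLp7w", now=3))
    print("after lockout expires:", throttle.attempt("10.0.0.1", "ext101", "xK9#vQ2!mLp7w", now=700))
```

Unknown account names still count against the source address, so an attacker enumerating extensions burns their IP budget just as fast as one guessing passwords.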
Password best practices are designed to thwart attacks by making the time and energy required to recover a password unaffordably high. For example, the energy required to power the computations needed to brute-force a 128-bit key is estimated at roughly 1/100 of the world’s annual energy production. Passwords never come close to that level of entropy, so in practice the goal is to keep the number of guesses an attacker needs, multiplied by the cost of each guess, beyond what they are willing to spend.
The simplest protection against brute-force, dictionary and rainbow-table attacks is to require passwords with more characters drawn from a broad character range, and to store them as salted hashes from a slow, password-specific hash function rather than a bare 128-bit hash such as MD5.
SplashData recently published its list of the worst passwords of 2013. Share it within your organization: these entries sit at the top of every attacker’s wordlist and are the first guesses a brute-force or dictionary attack will make.
The strength of passwords is measured by length, complexity, and unpredictability. High entropy helps keep your sentries strong. But in terms of specifics, here’s a good list of guidelines for creating secure passwords:
- Minimum length of 12 to 14 characters
- Avoid passwords based on repetition (11111), dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information.
- Include numbers and symbols in passwords to extend the character set
- Make passwords case sensitive and require a mix of upper and lower case letters (this doubles the letter pool from 26 to 52 before you add numbers and symbols)
- Avoid using something a lot of people know you love and/or hate
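The guidelines above, as an added example that is not part of the original post: a policy checker that enforces each rule (length, mixed case, digits and symbols, no repeats or sequences, no username, dictionary words or personal details) and reports every violation at once, plus a naive entropy estimate of the kind the "high entropy" advice refers to. The dictionary sample, keyboard rows and test passwords are constructed; a real deployment would load a full leaked-password list.

```python
import math
import re
import string

# Constructed stand-ins for what a real policy loads from files: a sample of a
# leaked-password/dictionary list and the rows used for sequence detection.
DICTIONARY = {"password", "welcome", "summer", "dragon", "monkey", "phone", "admin"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12


def has_sequence(pw, length=4):
    """True if any run of `length` characters walks a letter, digit or keyboard
    row forwards or backwards (abcd, 4321, qwer)."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def check_password(pw, username="", personal=()):
    """Return the list of policy rules the password violates (empty means it passes).
    `personal` holds the user's known names, pets, teams and dates."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a symbol")
    if re.search(r"(.)\1\1", pw):
        problems.append("repeats a character three or more times")
    if has_sequence(pw):
        problems.append("contains a letter, number or keyboard sequence")
    low = pw.lower()
    if username and username.lower() in low:
        problems.append("contains the username")
    for word in sorted(DICTIONARY | {p.lower() for p in personal}):
        if len(word) >= 3 and word in low:
            problems.append(f"contains '{word}'")
    return problems


def entropy_bits(pw):
    """Upper bound on entropy: length * log2(size of the character pools used).
    Only meaningful for randomly generated passwords; human-chosen ones are far weaker."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


if __name__ == "__main__":
    for candidate, user, personal in (
        ("password111", "bob", ()),
        ("Fluffy2013!!Rex", "alice", ("Fluffy", "Rex")),
        ("xK9#vQ2!mLp7w", "alice", ()),
    ):
        print(candidate, round(entropy_bits(candidate), 1), "bits:", check_password(candidate, user, personal))
```

The entropy figure is deliberately an upper bound: "Fluffy2013!!Rex" scores well on it while failing the policy, which is exactly why the rules check for names and dictionary words rather than trusting the arithmetic.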
Security is like a chain, it’s only as strong as its weakest link. Because humans have a tendency to create passwords that violate most of the rules above (they’re easier to remember), it’s recommended organizations generate passwords randomly to maximize strength and security (just don’t use an online generator…). Of course, this can create the problem of forgetting passwords, which usually leads to people keeping a written list of passwords at their desk, or worse, online unsecured.
Enter password manager applications. Services like LastPass and 1Password keep passwords safe and accommodate complex passwords without risking exposure through a lost list. There’s no clear winner in this field. But do your research to find the most secure option for your usage habits. There are reports, for example, that risks arise when using LastPass on your phone.
When it comes to social engineering, protection can get tricky. Make sure staff are aware of the threat and that policies exist to keep confidential information (or any information, really) from being shared outside the organization.
Launch an attack:
The best way to measure your level of exposure on the password security front is to attack your system yourself. Once you’ve updated your password rules to include more complexity, run a brute-force or dictionary attack against your own login and against a copy of your own hash store, find the holes, and plug them up. Do it with written authorization and at a time that won’t lock out real users, since your own lockout rules apply to you too. Your sysadmin will have a blast doing it, and it’s better than waiting for some helpful stranger to find your vulnerabilities for you. If you’re not set up to attack yourself, there are services that will do it for you (many of them staffed by reformed attackers familiar with the tricks of the trade).
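An added example of the self-audit described above, not code from the original post: an offline dictionary attack with simple mangling rules followed by an incremental brute force, run against a constructed credential dump in the shape an attacker would steal (account, per-account salt, hash). It also carries through the keyspace arithmetic from the brute-force section, so the 41^12 figure can be recomputed at an online rate and at a GPU rate. The extension names, passwords and wordlist are constructed; salted SHA-256 is used as the stored hash so the demo finishes in seconds, which is itself the lesson: a fast hash leaves every weak password exposed no matter how good the salt is.

```python
import hashlib
import itertools
import os

YEAR_SECONDS = 365 * 24 * 3600


def hash_pw(password, salt):
    """Salted SHA-256: a fast hash so the demo runs in seconds. The salt defeats
    precomputed tables but not this per-account guessing; only a deliberately
    slow hash (PBKDF2, bcrypt, scrypt) makes each guess expensive."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_dump(accounts):
    """Constructed credential store in the shape an attacker steals:
    (account, per-account random salt, hash)."""
    dump = []
    for name, password in accounts.items():
        salt = os.urandom(16)
        dump.append((name, salt, hash_pw(password, salt)))
    return dump


# Constructed accounts: two weak PBX extension passwords and one strong one.
DUMP = make_dump({"ext101": "Summer2013", "ext102": "1234", "ext103": "xK9#vQ2!mLp7w"})

# Constructed wordlist standing in for a leaked-password list.
WORDLIST = ["password", "summer", "welcome", "phone", "letmein"]


def mangle(word):
    """Rules cracking tools apply to each base word: case changes, then the
    digits, symbols and recent years people bolt on to satisfy a policy."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2012", "2013", "2014"):
            yield base + suffix


def dictionary_attack(dump, wordlist):
    """Try every mangled word against every account.
    Returns {account: (plaintext, guess number at which it fell)}."""
    cracked, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            for name, salt, digest in dump:
                if name not in cracked and hash_pw(candidate, salt) == digest:
                    cracked[name] = (candidate, guesses)
    return cracked


def brute_force(dump, alphabet, max_len, skip=()):
    """Exhaust every string up to max_len over alphabet, shortest first,
    against the accounts the dictionary did not already crack."""
    cracked, guesses = {}, 0
    targets = [t for t in dump if t[0] not in skip]
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            guesses += 1
            for name, salt, digest in targets:
                if name not in cracked and hash_pw(candidate, salt) == digest:
                    cracked[name] = (candidate, guesses)
    return cracked


def years_to_exhaust(pool_size, length, guesses_per_second):
    """Whole years needed to try the entire keyspace at a given guess rate."""
    return pool_size ** length // guesses_per_second // YEAR_SECONDS


if __name__ == "__main__":
    found = dictionary_attack(DUMP, WORDLIST)
    found.update(brute_force(DUMP, "0123456789", 4, skip=found))
    for name, _salt, _digest in DUMP:
        print(name, found.get(name, "survived"))
    print("41^12 at 1,000 guesses/s:", years_to_exhaust(41, 12, 1_000), "years")
    print("41^12 at 10 billion guesses/s:", years_to_exhaust(41, 12, 10_000_000_000), "years")
```

Run it against an export of your own hash store with the wordlist of your choice; any extension that falls to a few thousand guesses needs a new password before an attacker tries the same thing.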
It’s about keeping your phone lines yours:
The threat is real. There are countless reasons thieves would want access to your networks, many of them damaging, some of them very expensive. Toll fraud is big business these days, which is why the passwords on your PBX extensions and switching servers are so important: they stand between your organization and a half-million-dollar phone bill.
Storing passwords as salted hashes is the first step to keeping your sensitive information out of the hands of attackers, and an enforced password policy puts those passwords out of reach of the most threatening and financially damaging attacks. But security doesn’t stop there. When it comes to locking down your phone system, you still need to put the right fraud protections in place.