Enterprises have a password problem, and it’s one that is making the work of hackers a lot easier. From credential stuffing to brute force and password spraying attacks, modern hackers don’t have to do much hacking in order to compromise internal corporate networks. Instead, they log in using weak, stolen, or otherwise compromised credentials.
Take the recent case of Citrix as an example. The FBI informed Citrix that a nation-state actor had likely gained access to the company’s internal network, news that came only months after Citrix forced a password reset because it had suffered a credential-stuffing attack.
“While not confirmed, the FBI has advised that the hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Once they gained a foothold with limited access, they worked to circumvent additional layers of security,” Citrix wrote in a March 6th blog post.
Passwords problems abound
While a recent data privacy survey conducted by Malwarebytes found that an overwhelming majority (96 percent) of the 4,000 cross-generational respondents said online privacy is crucial, nearly a third (29 percent) admitted to reusing passwords across multiple accounts.
Survey after survey shows that passwords are the bane of enterprise security. In a recent survey conducted by Centrify, 52 percent of respondents said their organizations do not have a password vault, and one in five still aren’t using MFA for administrative privileged access.
“That’s too easy for a modern hacker,” said Torsten George, Cybersecurity Evangelist at Centrify. “Organizations can significantly harden their security posture by adopting a Zero Trust Privilege approach to secure the modern threatscape and granting least privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment.”
How hackers attack without hacking
The problem with password reuse is that in order for an attacker to gain a foothold into your network, malicious actors don’t have to use advanced tactics. “In many cases, first stage attacks are simple vectors such as password spraying and credential stuffing and could be avoided with proper password hygiene,” according to Daniel Smith, head of threat research at Radware.
When cybercriminals are conducting password spraying attacks, they typically scan an organization’s infrastructure for externally-facing applications and network services, such as webmail, SSO, and VPN gateways.
Because these interfaces typically have strict timeout features, malicious actors will opt for password spraying over brute force attacks, which allows them to avoid being timed out or trigger an alert to administrators.
“Password spraying is a technique that involves using a limited set of passwords like Unidesk1, test, C1trix32 or nsroot that are discovered during the recon phase and used in attempted logins for known usernames,” Smith said. “Once the user is compromised, the actors will then employ advanced techniques to deploy and spread malware to gain persistence in the network.”
Cybercriminals have also been targeting cloud-based accounts by leveraging Internet Message Access Protocol (IMAP) for password-spray attacks, according to Proofpoint. One tricky hitch with IMAP is that two-factor authentication inherently can’t work, so it is automatically bypassed when authenticating, said Justin Jett, director of audit and compliance for Plixer.
“Because password-spraying attacks don’t generate an alarm or lock out a user account, a hacker can continually attempt logging in until they succeed. Once they succeed, they may try to use the credentials they found for other purposes,” Jett said.
Tightening up password security
The reality is that guessing passwords is easier for hackers than it is for them to go up against technology. If we’re being honest, there is a strong chance that an attacker is already in your network, given the widespread problem of password reuse. Because passwords are used to authenticate users, any conversation about augmenting password security has to look at the bigger picture of authentication strategies.
On the one hand, it’s true that password length and complexity are critical to creating strong passwords, but making each password unique has its challenges. Password managers have proven to address the problem of remembering credentials for multiple accounts, and these tools are indeed an important piece of an overall password security strategy.
“The pervasiveness of password stuffing, brute force and other similar attacks shows that password length is no longer a deterrent,” said Fausto Oliveira, principal security architect at Acceptto.
Instead, Oliveira said enabling continuous authentication on privileged employee, client, and consumer accounts is one preemptive approach that can stop an attacker from gaining access to sensitive information—even if they breach the system with a brute force attack.
“It is not about a simple 123456, obvious P@55word password versus a complicated passphrase, but recognizing that all of your passwords are compromised. This includes those passwords you have not yet created, you just don’t know it yet.”
Passwords continue to be a problem because their creation and maintenance is largely the responsibility of the user. There’s no technology to change human behavior, which only exacerbates the issues of password reuse and overall poor password hygiene.
Organizations that want to tighten up their password security need to look seriously at more viable solutions than trusting users, which may include eliminating passwords altogether.