How to create a strong password.
By: Corey Overstreet, Senior Security Consultant
One of the most common vulnerabilities we see during penetration tests and red teams is weak passwords. In fact, credentials are the primary way attackers gain access to an organization, with 61 percent of breaches attributed to leveraged credentials.
The Problem.
Let's face it: coming up with an easy-to-remember password every 60-90 days becomes difficult for users once the length requirement goes beyond 8 characters. That's why it's so common to find password files (e.g., passwords.docx, passwords.xlsx), common password patterns such as season+year, the word "password" followed by a number or special character, and the company name with a number and/or special character. These are the kinds of common mistakes that make it easier for attackers to make their way through your systems. Most people don't even realize how risky their password behavior is. It doesn't have to be this way.
We here at Red Siege would like to give some helpful tips to proactively get your users to choose stronger password combinations that make our jobs (and attackers' jobs) more difficult.
A few simple tricks.
The first hurdle is getting users to create passwords with more characters. Higher character requirements mean a higher likelihood of finding those password documents and of users settling into predictable password patterns. The first tip we can give, one that not a lot of users are aware of, is that a space is a special character. A password made up of two or more easy-to-remember words with a space between them and a capital letter thrown in already meets the requirements of most password policies. Throw a number in there as well and you've hit all four usual requirements with a simple-to-remember password. Hyphens work just as well as spaces.
Randomize what you know.
Another strategy is having a user come up with a 4-6 character random set of letters, numbers, and special characters. Once they have this sequence memorized, they can append it to any password they were going to set and make it more complex. For example, let's say they were going to set their password to Winter2022. If they append a random sequence like 4Gqt! to the end of the password, they now have a 15-character password instead of 10, and the chances of the password being guessed are very low. That same random sequence can be reused over and over again to make their passwords that much harder to guess.
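To make the two tips above concrete, here is an added example (written for this edit, not Red Siege's own code or tooling) that checks a password against a typical "N of four character classes" policy in which a space or hyphen counts as the special character, estimates the brute-force search space of a password before and after the memorized suffix is appended, and builds a multi-word passphrase with the OS random source. The exact policy rules, the small constructed wordlist, and the search-space formula are assumptions for illustration.

```python
import math
import secrets
import string

# Character classes used by the typical "three (or four) of four" policy.
# Space is added explicitly: the point made above is that it counts as a
# special character (hyphen is already part of string.punctuation).
UPPER = set(string.ascii_uppercase)
LOWER = set(string.ascii_lowercase)
DIGITS = set(string.digits)
SPECIAL = set(string.punctuation) | {" "}

# Constructed sample wordlist for the demonstration only; a real deployment
# would draw from a large curated list, this one is far too small.
WORDLIST = ["coffee", "harbor", "ladder", "meadow", "orbit", "pepper",
            "quartz", "river", "saddle", "timber", "violet", "walnut"]


def character_classes(password):
    """Return which of the four usual character classes appear in password."""
    chars = set(password)
    return {
        "upper": bool(chars & UPPER),
        "lower": bool(chars & LOWER),
        "digit": bool(chars & DIGITS),
        "special": bool(chars & SPECIAL),
    }


def meets_policy(password, min_length=8, min_classes=3):
    """Assumed policy: at least min_length characters and at least
    min_classes of the four classes. Spaces and hyphens satisfy 'special'."""
    if len(password) < min_length:
        return False
    return sum(character_classes(password).values()) >= min_classes


def search_space_bits(password):
    """Brute-force search space, in bits, for a password of this length drawn
    from the alphabet of the classes it uses. This measures exhaustive search
    only; it does not model dictionary or pattern guessing (season+year)."""
    if not password:
        return 0.0
    sizes = {"upper": len(UPPER), "lower": len(LOWER),
             "digit": len(DIGITS), "special": len(SPECIAL)}
    present = character_classes(password)
    alphabet = sum(sizes[k] for k, used in present.items() if used)
    return len(password) * math.log2(alphabet)


def build_passphrase(word_count=3, sep=" ", rng=None):
    """Tip 1: several easy words joined by a space (or hyphen), one word
    capitalised and a digit appended. rng defaults to the OS CSPRNG; a
    seeded random.Random can be passed for reproducible output."""
    rng = rng or secrets.SystemRandom()
    words = [rng.choice(WORDLIST) for _ in range(word_count)]
    idx = rng.randrange(word_count)
    words[idx] = words[idx].capitalize()
    return sep.join(words) + sep + str(rng.randrange(10))


def with_memorised_suffix(base, suffix):
    """Tip 2: the user's memorised random sequence appended to the password
    they were going to set anyway."""
    return base + suffix


if __name__ == "__main__":
    samples = ["Winter2022", "correct horse battery",
               "Correct horse battery 7", "Correct-horse-battery-7",
               with_memorised_suffix("Winter2022", "4Gqt!"), build_passphrase()]
    for pw in samples:
        print(f"{pw!r:34} 4-of-4 policy={meets_policy(pw, min_classes=4)!s:5} "
              f"len={len(pw):2} search space ~{search_space_bits(pw):.0f} bits")
```

Running it shows that "correct horse battery" already satisfies the special-character rule through its spaces, that capitalising one word and adding a digit covers all four classes, and that appending 4Gqt! takes Winter2022 from 10 to 15 characters and from roughly 60 to roughly 99 bits of exhaustive search space. The estimate only counts brute force; the base Winter2022 still matches the season+year pattern described earlier, so it is the appended sequence that carries the strength.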
Use a Password Manager.
Finally, we have to mention password managers. Train your users on using password managers like LastPass, 1Password, and KeePass. While random passwords generated by password managers can be a pain to type in for domain accounts, replacing the password documents with a password manager makes their secondary accounts a great deal more secure. LastPass and 1Password both have web browser extensions and mobile apps. KeePass is a local password database storage solution. However, if you host the KeePass database on something like Google Drive or Dropbox, you can easily access your passwords from anywhere just like LastPass or 1Password using desktop clients and mobile apps.
We hope you take away some easy password strengthening strategies from this blog post. We'll leave you with some wisdom from Randall Munroe at XKCD. He lays out some of the strategies we described earlier and shows why they work.