How organisations are still falling short on password security

How to strengthen your first line of defence against cyber attacks

With organisations so exposed to cyber attacks, password security remains paramount. Despite talk of a passwordless future, passwords are still the first line of defence against cyber attacks, and they are routinely exploited where no tools are in place to manage them. The problem was compounded by the move to remote working on distributed devices at the start of the COVID-19 pandemic, which drove an uptick in demand for password management solutions that can find and fix these weaknesses.

Password complacency

Research conducted by Specops, a password management and authentication vendor, found that the majority (93%) of passwords used in brute force attacks are eight or more characters long, while 41% of those used in real attacks are 12 characters or longer.

Darren James, password and authentication expert at cyber security firm Specops, explained:

“Whether you’re a knight from the 16th Century, or a computer user in today’s world, everyone knows what a password is, and when considering what makes a strong password, we need to look at the history around this.

“When the computerisation of most workplaces came online with the introduction of Active Directory, the Internet wasn’t really a thing, like it is now with everyone having an online presence.”

But what hasn’t changed in 22 years is password complexity: Microsoft’s criteria for a so-called ‘complex password’ are a length of at least eight characters, at least three different character types, and no inclusion of the username. This lack of change demonstrates the need to go beyond the requirements set out by stakeholders and to address what James describes as “a general apathy around passwords among human beings”.

He continued: “Many users will simply choose a word with a capital letter, and then add a number on the end, and that would meet the criteria set out by Microsoft.

“If you put a special character in, us Brits would often press ‘Shift’ and 1. But every bad actor out there now knows this pattern that we’ve been brainwashed into following.”

Breaking the pattern

When it comes to resisting password attacks, there are other measures organisations can take to maintain security. Guidance from the National Cyber Security Centre (NCSC), for example, recommends changing email passwords to three random words that mean something specific to the user. Special characters can be added between the words to maintain security while lowering complexity.

James added: “There is a common train of thought among attackers that they can download a dictionary and rattle through that to find a user’s password, which they can do, but they would need to know the passphrase and where the intersecting special characters are.

“The key to breaking the pattern, in my view, is having over 15 characters in a passphrase. This is important because if you have a shorter password, it’s stored in a weak way in a compromised password hashing function called an LM hash. Passphrases with a character length of 15 and above, meanwhile, aren’t stored by this algorithm, and are only stored in an NTHash.”

Auditing and enforcement

Specops Software is one company looking to help customers improve the security of their passwords. The company offers a free Password Auditor that scans Active Directory for vulnerabilities, as well as a paid Password Policy tool for enforcing stronger passwords. Going beyond the read-only reporting of the freeware Password Auditor, Specops Password Policy helps organisations protect against compromised passwords, enforce compliance requirements and give users feedback during password changes.

How it works

The free Password Auditor from Specops scans and analyses the passwords of all accounts throughout the organisation’s Active Directory, and provides a report detailing where improvement to security is needed. This includes any compromised, duplicate or expired passwords among users.

To help replace weak passwords, Specops Password Policy can enforce stronger password policies that block weak or breached words, block incremental passwords, reward users for choosing passphrases and give users helpful feedback during the password change process, relieving the strain on IT administration staff.
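The checks the article describes, pulled together as an added illustration that is not Specops code: Microsoft’s complexity rule as summarised above, the capital-letter-plus-number-plus-‘!’ pattern James warns about, the 15-character passphrase threshold he ties to LM hash storage, and the incremental-password block. The regular expression for the predictable pattern and the digit-stripping test for incremental passwords are assumed heuristics, not the vendor’s implementation.

```python
import re

# Thresholds taken from the article's figures (assumed simplifications).
MIN_COMPLEX_LEN = 8   # Microsoft 'complex password' minimum length
MIN_CLASSES = 3       # character types required by that rule
PASSPHRASE_LEN = 15   # James's recommended passphrase length
LM_MAX_LEN = 14       # longest password for which an LM hash is still stored

# Assumed heuristic for the pattern the article describes: capitalised
# word, a number on the end and, on UK keyboards, Shift+1 giving '!'.
PREDICTABLE = re.compile(r"^[A-Z][a-z]+\d+!?$")


def char_classes(password: str) -> int:
    """Count the character types present: upper, lower, digit, symbol."""
    checks = (
        str.isupper,
        str.islower,
        str.isdigit,
        lambda c: not c.isalnum() and not c.isspace(),
    )
    return sum(any(check(c) for c in password) for check in checks)


def meets_ms_complexity(password: str, username: str = "") -> bool:
    """Microsoft's complexity rule as the article summarises it."""
    if len(password) < MIN_COMPLEX_LEN:
        return False
    if username and username.lower() in password.lower():
        return False
    return char_classes(password) >= MIN_CLASSES


def is_incremental(new: str, previous: str) -> bool:
    """Same password with only the digits changed (Summer2023 -> Summer2024)."""
    return new != previous and re.sub(r"\d", "", new) == re.sub(r"\d", "", previous)


def evaluate(password: str, username: str = "", previous: str = "") -> dict:
    """Policy verdicts for one candidate password."""
    return {
        "ms_complex": meets_ms_complexity(password, username),
        "predictable_pattern": bool(PREDICTABLE.match(password)),
        "lm_hash_eligible": len(password) <= LM_MAX_LEN,
        "passphrase_length": len(password) >= PASSPHRASE_LEN,
        "incremental": bool(previous) and is_incremental(password, previous),
    }


if __name__ == "__main__":
    # Constructed sample inputs: the pattern the article warns about
    # passes the complexity rule, while an NCSC-style passphrase fails it.
    for pw in ("Password1!", "coffee#ladder#planet"):
        print(pw, evaluate(pw, username="jdoe", previous="Password2!"))
```

The point the output makes is the one the article makes: "Password1!" satisfies the complexity rule yet is predictable and short enough to leave an LM hash, while the 20-character passphrase fails the complexity rule but clears the length threshold.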

Speaking on the value the products deliver for companies, James said: “You can install Specops Password Auditor on any workstation that’s joined to your Active Directory.

“From the outset, you can download a database from us, which is updated every three months, based on the biggest leaks that have happened in that three-month period, plus the most common hits against our master database. The database downloaded by the user consists of over 800 million of the most commonly breached and leaked password hashes, while our master database, updated daily, contains 2.6 billion hashes.

“You can export reports showing the results into a script or document to send to members of your organisation. From here, Password Policy helps to solve the problem by eliminating breaches and weak passwords and ensuring that passwords are compliant.”

With research finding that over 80% of hacking-related breaches are due to lost or stolen credentials, investing in tools such as Specops Password Auditor and Password Policy is key to proving compliance with password-related regulations, and essential for tackling weak, reused or compromised credentials in your organisation today and in the future.

Want to know whether your Active Directory is harbouring password vulnerabilities? Find out with a free read-only scan using Specops Password Auditor.

This article was written as part of a paid content campaign with Specops Software.

Aaron Hurst

Aaron Hurst is Information Age's senior reporter, providing news and features around the hottest trends across the tech industry.