Could Your Password be Cracked in 60 Seconds?
If your password is 7 characters long and uses a mixture of numbers with uppercase and lowercase letters, then the answer is YES (1). This is based on analysis undertaken prior to August 2019, so the situation is probably even worse today, as the processing power in the hands of cybercriminals continues to increase. Passwords have been used with computers since the earliest days of computing: the CTSS operating system introduced at MIT in 1961 was the first recorded system to implement a password login. Tools designed to crack passwords have been evolving alongside them for many decades.
Here we will look at why some password ‘best practices’ are actually detrimental to information security and suggest some methods for creating strong passwords that are easy to remember but hard to guess.
Password management: typically, a painful necessity
It is no secret: passwords are a pain for everyone. They cause frustration for employees, customers, and the support staff who must manage them. Who can remember the 11-character combination of letters, symbols, and digits prescribed for strong passwords, let alone devise them in the first instance? When a password gets lost or stolen, which happens frequently, it places a burden on the support desk. According to Gartner Group, 20-50% of support calls are for password resets, and according to Forrester Research the average cost to the organization is $70 per call.
Hackers have developed a wide range of tools to infiltrate your personal data. The main barrier that determines whether your information stays safe or leaks out is the password you choose. Ironically, the best protection people have is usually the one they take least seriously.
From a password cracking perspective, password complexity certainly improves password strength, as can be seen in the diagram reproduced below from Hive Systems, but enforcing ‘strong’ password rules that users find difficult to remember can reduce the security of a system in the following ways:
- Users may need to write down or electronically store the password using an insecure method
- Users will need more frequent password resets
- Users are more likely to re-use the same password
Similarly, stringent requirements for password strength, such as "having to mix uppercase and lowercase letters with digits" or "changing the password monthly", increase the degree to which users will try to subvert the system (2).
Asking users to remember a password consisting of a mix of uppercase and lowercase characters is like asking them to remember a sequence of bits: hard to remember, and only slightly harder to crack (only 128 times harder for 7-letter passwords, and less if the user capitalizes only one of the letters). Asking users to combine letters, digits and symbols will often lead to easy-to-guess substitutions such as '3' in place of 'E', '1' instead of 'l', and '@' in place of 'A', all of which are well known to hackers. Typing the password one keyboard row higher is another commonly known trick.
Easy to Remember but Hard to Guess
Users rarely choose passwords that are easy to remember but hard to guess. A 2004 study entitled "The Memorability and Security of Passwords" (3) set out to determine how to help users choose good passwords; the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenged the established wisdom.
They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. A personally designed "algorithm" for generating obscure passwords can build further strength on these examples. One easy-to-use algorithm could take the unrelated-word example but separate each word with a chosen symbol. Three random words with three different symbols could certainly create a strong password, with the user having just 6 password elements to remember.
More recent research undertaken in April 2015 by several professors at Carnegie Mellon University revealed that people's choices of password structure often follow several known patterns. As a result, passwords may be much more easily cracked than the mathematical probabilities, as illustrated in the diagram included here, would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password (4).
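A small calculator, added here as an illustration and not part of the original article, that puts numbers on the three points above: how little mixed case adds to a 7-letter password (and how much less when only one letter is capitalized), how large the space of three random words plus three symbols is, and how far a known pattern such as a single trailing digit shrinks what an attacker must search. The guess rate, the 32-symbol set and the 7776-word list size are assumptions for illustration, not figures from the article.

```python
import math

# Character-class sizes behind the page's brute-force reasoning
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 32  # assumed size of the symbol set (not a figure from the article)
# Assumed guess rate for illustration only, not a figure from the article
GUESSES_PER_SECOND = 10**10

def keyspace(alphabet_size: int, length: int) -> int:
    """Candidates a brute-force search must cover for a uniformly chosen password."""
    return alphabet_size ** length

def mixed_case_factor(length: int, every_letter: bool = True) -> int:
    """How much case-mixing enlarges the space of an all-letter password:
    2**length when every letter may be upper or lower (128 for 7 letters),
    but only `length` choices if the user capitalises exactly one letter."""
    return 2 ** length if every_letter else length

def digit_at_end_keyspace(length: int) -> int:
    """Lowercase letters plus one digit placed at the end, the pattern the
    Carnegie Mellon research found to be disproportionately common."""
    return LOWER ** (length - 1) * DIGITS

def pattern_shrink_factor(length: int) -> float:
    """How many times smaller the search becomes when an attacker assumes the
    trailing-digit pattern instead of the naive 36-character alphabet."""
    return keyspace(LOWER + DIGITS, length) / digit_at_end_keyspace(length)

def words_and_symbols_keyspace(wordlist_size: int, n_words: int,
                               symbol_set_size: int, n_symbols: int) -> int:
    """Random words separated by symbols (the article's 3 words + 3 symbols idea)."""
    return wordlist_size ** n_words * symbol_set_size ** n_symbols

def entropy_bits(space: int) -> float:
    return math.log2(space)

def seconds_to_exhaust(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return space / rate

if __name__ == "__main__":
    cases = {
        "7 chars, upper+lower+digits": keyspace(LOWER + UPPER + DIGITS, 7),
        "8 lowercase + trailing digit": digit_at_end_keyspace(8),
        "3 words from a 7776-word list + 3 symbols": words_and_symbols_keyspace(7776, 3, SYMBOLS, 3),
    }
    for label, space in cases.items():
        print(f"{label}: {entropy_bits(space):.1f} bits, "
              f"{seconds_to_exhaust(space):,.0f} s to exhaust at {GUESSES_PER_SECOND:.0e}/s")
```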
How are passwords compromised?
Passwords represent valuable corporate assets that can be targeted by cybercriminals. Passwords can be compromised on the move as they transit networks, but they are more vulnerable as sitting targets when stored in databases and backup files, which can be easily found and hacked. In some cases, passwords are shared among colleagues and reused across multiple applications, making them easy targets for malware, phishing attacks, and other credential-stealing techniques.
One of the simplest ways for hackers to gain access to your information is with a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to systematically check all possible passwords and passphrases until the one that matches your credentials is found. Other cracking techniques you may hear of include dictionary attacks, lookup tables, reverse lookup tables, and rainbow tables. Free password cracking tools can be easily obtained through any internet search, so do not assume that this is just within the realm of sophisticated cybercriminal gangs.
When passwords are stolen, either individually or as part of a corporate database, they are usually shared online and offered for sale on the dark web. Cybercriminals buy these lists and use automated credential-stuffing attacks that run through the username and password combinations until a match is found for the online account they are trying to break into. This could be an online shop where they attempt to purchase goods using your stored payment methods or, in the worst case, your financial institution accounts, from which they transfer money. Of course, once hackers have gained access to any online account, there may be much more Personally Identifiable Information (PII) readily available to them, paving the way for broader identity theft.
Education and encryption are your best weapons
So often, cybersecurity education is the most powerful weapon any organization can deploy to help keep their systems secure and sensitive information out of cybercriminals’ hands. Even the simple password management tips here could make a big difference. One other action we always promote is the encryption of sensitive data, and in particular of backup files, which are not only your lifeline in the event of a disaster but also sitting targets for data mining by criminals searching for password tables or other forms of PII. In addition, always secure your backup volumes with an immutability function such as Blocky for Veeam® to ensure threat actors cannot encrypt your vital files.
For any questions, please get in touch through our contact form, the Blocky team are always ready to help.
(1). Data sourced from HowSecureismyPassword.net online: https://www.hivesystems.io/blog/are-your-passwords-in-the-green?
(2). Managing Network Security. Fred Cohen & Associates. All.net. Retrieved on January 31, 2013 online: https://web.archive.org/web/20110126220702/http://all.net/journal/netsec/1997-09.html
(3). Yan, J.; Blackwell, A.; Anderson, R.; Grant, A. (2004). "Password Memorability and Security: Empirical Results" (PDF). IEEE Security & Privacy Magazine online: https://ieeexplore.ieee.org/document/1341406
(4). Steinberg, Joseph (April 21, 2015). "New Technology Cracks 'Strong' Passwords – What You Need To Know" online: https://www.forbes.com/sites/josephsteinberg/2015/04/21/new-technology-cracks-long-complex-passwords-what-you-need-to-know/?sh=1f430ed162df
Veeam Backup Protection for Branch & Remote Offices
Cybercriminals look for multiple routes to infiltrate a network, so cybersecurity measures need to be equally comprehensive. In the context of protecting Veeam backup files and the storage volumes that hold them, there are many recommended best practices. Unfortunately, some of these measures may not be practical for branch or remote office deployment due to resource limitations or other logistical challenges. Having multiple remote offices broadens the attack surface available to hackers, so we will look here at some common challenges and how application fingerprinting technology can offer a cost-effective and easy-to-deploy security solution for remote office installations.
On-premises backups have become the primary target
It is now an everyday occurrence that a company falls victim to a cyber-attack only to find that their backups have been compromised along with other files essential to business operations. Backups should serve as an insurance policy to enable operations to be restored following an attack but of course cybercriminals know this and set out to locate and encrypt backups first.
There are many best practice recommendations available to secure a Veeam Backup & Replication architecture, the objective being to place as many hurdles in the way of attackers as possible. We have covered these in our previous article, Quick tips for Veeam® Backup Security, so we will not repeat them in detail here, but instead highlight those practices which may prove difficult at remote locations or cost prohibitive for many companies.
Object storage and OS hardening
The usual practice for a corporate headquarters backup process is to have an on-site Veeam backup repository which may store 14 to 30 days of backup data locally. The system administrator then has several options available to protect this backup information. One option is to send copies of the primary backup data to S3-based object storage in the cloud, which can then take advantage of object-lock technology. This could be an immediate copy of the backup data or, alternatively, an aging-out process where, for example, backup data more than 14 days old is copied to the object store.
Object storage is typically deployed in the cloud, but on-premises solutions are becoming more popular. While both are certainly solid security options, for many organizations the cost of these services will be prohibitive.
With the release of Veeam V11, the option of replicating backups to a hardened Linux-based backup repository became available. This is a very popular option for organizations who already use Linux within their infrastructure and have the appropriate skills in-house. Unfortunately, with Linux having less than 2% worldwide coverage as a desktop operating system, many organizations are reluctant to undertake the learning curve, or add the skills required, to introduce Linux into their Windows-dominated architecture.
In the context of branch and remote offices the prevalence of Linux is even lower. Additional challenges may include less than optimal network connectivity for the use of cloud-based backup solutions, and a general lack of on-site technical resources.
Hardening a Windows-based system is far more difficult, as it is a much vaster OS than Linux and unfortunately a victim of its own popularity. The security of an operating system will depend to a large degree on the size of its installed base. For malware authors, Windows provides a massive playing field, so concentrating on it gives them the biggest return for their efforts.
Hardening a Windows® Veeam Repository for remote offices
Veeam offer some great best practice resources for securing a backup environment, including tips for Hardening a Backup Repository running on Windows; however, these steps will never result in a truly hardened Windows platform. If these steps are followed, the environment will certainly be harder for cybercriminals to infiltrate, but Veeam backup volumes will still be vulnerable.
Remote sites typically use local storage as a staging area for backups of up to one week in age, and having backups reside on local storage provides the fastest possible recovery time. While cloud-based object storage is effective, the network bandwidth limitations at remote sites may make it impractical for meeting recovery time objectives in the event of a cyberattack, or any other disaster recovery scenario.
Blocky for Veeam® offers a solution for both remote and head office Windows based backup repositories using local storage which will prevent any unauthorized system process from modifying the content of designated backup volumes or folders.
The system administrator selects which storage volumes or first-level folders need to be protected, and then instructs the Blocky for Veeam® filter driver utility to perform an application fingerprint analysis of the required Veeam Backup & Replication application processes. Once protection has been enabled, only those fingerprinted processes are able to write to the protected volumes. Malware could not masquerade as a Veeam application process, as it would not match the application fingerprint created from the genuine Veeam processes.
Early detection is vital to limit the damage of a Cyberattack
Malware payloads and subsequent ransomware demands are typically launched after the hackers involved have worked undetected within the IT infrastructure for quite some time. This happens when ‘zero-day’ vulnerabilities have been exploited to gain access to the network. These can come in the form of new loopholes in the OS or network hardware, or simply from the development of new malware code that is unknown and therefore does not exist within current antivirus definition files.
Even though deploying a hardened Linux-based Veeam backup repository will be effective in stopping backup files from being compromised, the Linux repository itself will not alert on unauthorized access attempts or other suspicious network behaviours.
Blocky for Veeam® by contrast can send alerts of any unauthorized access attempts via system log files, email, SMTP and through the Blocky for Veeam® logging panel when an administrator has the GUI open. Early detection of suspicious activity especially from ‘zero-day’ threats can go a long way to limiting the damage caused by a cyberattack.