Some thoughts on passwords and multi-factor authentication.
I am going to preface this post by saying that this article is general advice (based on my opinion) on these topics, what works, and what I’ve seen. It’s up to each firm to decide what is right for them.
I’ve taken part in many penetration tests and security assessments in my career. While most of these have been for law firms, I’ve also tested banking, financial services, public companies, and non-profits, to name a few. And in all honesty there are improvements that can be made across the board.
A particular topic of concern is access control; after all, it’s access control that prevents the world from seeing your confidential information. What I am going to focus on in this article is the authentication component of access control. Authentication is the verification of your identity, and typically occurs through supplying a username and password, or other known data, which in turn validates who you are. Of course there are other ways of authenticating (e.g. certificates), but for the purposes of this article, I want to focus on how desktop users generally authenticate to a system (through a desktop, laptop, or remote access).
One thing I run into time and time again when conducting penetration tests is easy passwords. Don’t get me wrong, nearly all firms I have worked with have “Enable Password Complexity” as a requirement in their domain group policy settings, but let’s face it, lawyers are smart, so it’s not going to take long before they work out an easy way to deal with this “complexity” requirement.
Let’s take a look at the complexity requirements within a Microsoft Windows environment.
In addition to not containing the user’s account name or full display name, passwords must contain characters from three of the following five categories:
- Uppercase characters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase characters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
- Nonalphanumeric characters: ~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
Based on this requirement, one upper, one lower, and one digit constitute a “complex” password (e.g. Password1). Unfortunately, as silly as my example sounds, that’s a fairly common password. Other common passwords are seasons (e.g. spring2017!) or names of sporting teams (e.g. Seahawks!). Note that all of these passwords meet the complexity requirements, but are very easy to work out. They even meet the most common minimum length requirement of 8 characters.
Passwords are the keys to the castle, and just because the users who hold them may not have administrative rights doesn’t mean there’s no harm. Once an attacker gains access to your systems, they can then try to find administrative credentials using a variety of techniques and tools. Once this happens, it’s not hard to move laterally around your network; after all, how many firms use the same local admin password on every machine? Microsoft has released a tool called LAPS (Local Administrator Password Solution), which helps you manage unique local administrator passwords on your network.
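As an added illustration (not code from the original article), here is a small Python check that applies the complexity rule above and then flags the article’s own examples as predictable; the username, display name and the short base-word list are constructed for the demonstration.

```python
import re
import unicodedata

# Nonalphanumeric set from the Windows complexity policy quoted in the article.
SPECIALS = set("~!@#$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")

# Constructed denylist of base words; a real audit would use a full wordlist.
BASE_WORDS = {"password", "spring", "summer", "autumn", "fall", "winter", "seahawks"}


def category_count(password: str) -> int:
    """Count how many of the five Windows character categories the password uses."""
    seen = set()
    for ch in password:
        cat = unicodedata.category(ch)
        if cat == "Lu":
            seen.add("upper")
        elif cat == "Ll":
            seen.add("lower")
        elif ch in "0123456789":
            seen.add("digit")
        elif ch in SPECIALS:
            seen.add("special")
        elif ch.isalpha():  # alphabetic but neither case, e.g. CJK ideographs
            seen.add("other_alpha")
    return len(seen)


def meets_windows_complexity(password: str, username: str, display_name: str) -> bool:
    """The policy as the article describes it, plus the common 8-character minimum."""
    lowered = password.lower()
    if username and username.lower() in lowered:
        return False
    if display_name and display_name.lower() in lowered:
        return False
    return len(password) >= 8 and category_count(password) >= 3


def is_predictable(password: str, base_words=BASE_WORDS) -> bool:
    """Strip leading/trailing digits and symbols; if a known base word is left,
    the password is one of the 'complex but guessable' shapes the article lists."""
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password).lower()
    return core in base_words


def assess(password: str, username: str = "", display_name: str = "") -> str:
    """Combine both checks the way an account-creation hook or audit script would."""
    if not meets_windows_complexity(password, username, display_name):
        return "rejected: fails complexity policy"
    if is_predictable(password):
        return "rejected: meets policy but is a predictable pattern"
    return "accepted"
```

Running assess over Password1, spring2017! and Seahawks! shows all three pass the Windows policy and are only caught by the second check, which is the point the article makes.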
Mitigating the risk
Now, I’m not convinced that any solution is the silver bullet, but there are certainly ways that these risks can be reduced. I’ll start with the two most common solutions out there:
Education
Teach your attorneys not to use easy passwords, and conduct periodic testing. I don’t necessarily mean getting a penetration tester in every month; there are tools such as L0phtcrack (I mention this tool because I’ve used it extensively before, but there are others out there: John the Ripper, Medusa, Ophcrack, LCP, etc.). Consider using passphrases. Even though passphrases may contain dictionary words, they are far longer and harder to crack. For example, Today!atesomecoconutS is fairly complex and pretty easy to remember. I also always remember the correcthorsebatterystaple example, although I would definitely not set your password to that! But the principle is there.
Multi-factor Authentication
Multi-factor authentication (MFA), sometimes referred to as two-factor authentication (2FA), although MFA means that it could be 2, 3, 4 or more factors, is gaining a lot of momentum. Traditional password systems are one factor: something you know (your username and password). Adding a second factor, such as something you have (a token, a smart phone, a USB key, etc.), adds an additional layer of complexity. What this means is that an attacker would need to not only compromise the username and password (fairly easy), but also get hold of the asset used as the second factor (a lot harder). Historically these second factors were token based, with random number sequences that regenerate every minute; they were also quite expensive. Modern products are either free, subscription based, or in general have a lower cost of entry, making them attractive. They all now integrate with mobile/smart phones, meaning users don’t have to lug around something else. Of course you can go beyond something you have to something you are (biometrics: thumbprint, retina scan, voice recognition, etc.).
Final Thoughts
When we choose a lock for our front door, we don’t generally choose the simplest, easiest-to-break lock, one where a firm thud knocks the single pin it has and the door unlocks. That wouldn’t keep us very safe. Instead we would opt for the more heavy duty lock, perhaps with 3 or 4 pins in the barrel, that will help thwart an intruder’s attempts to gain entry to our home. Additionally, we’d probably install a deadlock too, just to be sure.
So why is computer security any different? In this analogy we don’t even think twice about having to open two locks; we simply know that it’s safer and more secure. That’s not to say that a 4 pin lock is pick-proof, it’s not; trust me, I tried at a security conference in New York last year in the lock picking class, and I did manage to pick a 4 pin lock, but it was horribly frustrating.
The keys to the castle, so to speak, need to be protected. Think about what your firm’s crown jewels are: intellectual property, trade secrets, contracts, financial information, etc. Strong passwords and multi-factor authentication aren’t hard, or that expensive. Sure, it can be tough to get everyone on board, especially when a change in behavior is involved. Now, I don’t mean to preach FUD (fear, uncertainty, and doubt), but I want every firm to make sure they protect their crown jewels.
First published at https://www.legalciso.com/some-thoughts-on-passwords-and-multi-factor-authentication/