How Hackers Exploit Weak Password Vulnerabilities

The “password” is one of those seemingly foolproof ways to protect your online valuables. Like a secret word between you and a trusted friend. It’s meant to be something to keep your business private, and keep nosy friends, co-workers, bosses, and significant others from prying into your business. As it turns it out, they’re the least of your problems (relatively speaking). Our expert penetration testers have proven as such.

Many of us haven taken the password system for granted and have used it incorrectly, and it’s not so much our fault, but more a lack of education. How are we, regular individuals, to know about hackers? As one of our team members put it:

“Passwords used to be easy. Online providers didn’t ask for much. ‘Pick a password between 6-12 characters,’ they asked. Easy enough. Personally I used dictionary words such as prunes.” When newfangled apps came along, they demanded I include a number in my password, so my go-to password then became “prunes1.” Then as new technologies and more hackings happen, and my bank started demanding that I incorporate at least one capital letter in my password, in addition to one of these odd characters: !@#$%, so I upgraded my password to “Prunes1$” and so on. What a headache! With that said, I used the same password for my email, bank account, school account, Paypal, Amazon, eBay, everywhere, so it still wasn’t too bad. But then I started working for a cybersecurity company, and oh the horror when the reality of it hits you. Someone out there knows everything about me, and I don’t know how my information is being utilized.”

The goal of this blog post is to help you learn how hackers exploit weak passwords, the consequences, and gain best practice recommendations to improve the password management in your personal life and your organization.

Note: This blog post is but a shadow of a great webcast recently held by our Head of Security Research and top Ethical Hacker, Shawn Evans. The webcast includes a sample kill chain on how a hacker can attack via a compromised password. To watch the “How Hackers Exploit Weak Passwords” webcast, click here.

So to begin with, why even bother? What are the consequences of having having weak passwords? From an organization’s point of view, weak passwords can:

• Compromise of IT assets and security controls
• Sensitive data exfiltration – Financial data, HR information, medical records, intellectual property
• Compromise of entire Windows domain
• Loss of confidentiality and integrity

These are significant consequences that could potentially bring your organization its knees, and that is not an exaggeration. A good majority of small to medium businesses close down within two years after a data breach. By extension, your personal account and immediate family could suffer from these consequences as well if the attacker pursues your PII (Personally Identifiable Information).

So, what makes a password hackable? Here are the top six hacker go-to’s when trying to hack to your password:

• Same as your login info (admin:admin)
• Keyboard patterns (asdfgjhkl)
• Common passwords: Season+Year, Month+Year, “Password1”
• Dictionary words
• Default passwords (guest:guest, or the one that came with your device)
• Password reuse

If you look closely, this is human nature at work. People want convenience. Hackers rely on this knowledge when hacking. When trying to guess passwords, they’re looking that one person who uses “Password1” in their account, then escalate privileges from there.

So with that in mind, what makes a password secure?

• A large keyspace – Mixed case, digits, and special chars
• Sufficient length and entropy – 10+ chars, nearly random
• The use of nonsense words, misspelled words, and/or phrases
• Two factor authentication
• One password per authentication context
• Do not use the same password

It might seem to excessive, but this is really the only way to protect your data. Hackers have a variety of ways to try and access your account. Two primary they do it is either by guessing or cracking your password. What’s the difference?

Password Guessing

• Launched against services such as SMB, SSH, HTTP, FTP, etc.
• Attempts are limited by account lockouts (in most cases)
• Requires a list of valid usernames

Password Cracking

• Requires access to a password hash (MD5, NTLM, etc.)
• Only limitations are time and computing power
• Uses rules to algorithmically permutate passwords
• Dictionary or Brute forced

For some of you who are reading this, this may seem too technical or advanced. Essentially, motivated hackers have a variety of tools and methods to either guess or crack your password. So with the in mind we have some recommendations for you on how you can help improve your password management personally and professionally:

• Do not use default passwords
• Password creation controls:
• Create a unique password without PII
• No dictionary words
• Periodic changes, without password reuse
• Do your own password auditing (i.e. hack your own DC)
• Use of two-factor authentication
• Employee Training

More technical recommendations include :

• There is no way to eliminate weak passwords, especially on large networks…bummer huh…
• Improve monitoring and detection capabilities
• Assume a breach is inevitable, focus on monitoring and detection
• Every user on a domain shouldn’t have a failed login within the same hour of each other

To find out more about NopSec’s penetration testing services and vulnerability management products, feel free to fill out this form and we’ll reach out within one business day.