Complex Does Not Equal Strong

Another year, and again, another annual report (this one from SplashData) lists the easy and bad passwords have remained relatively unchanged.

As a domain network administrator, you may not be terribly concerned. You think you have a robust password policy as well as an account lockout policy to prevent brute force attacks. Your users cannot use any of those simple passwords on that list. No simple guessing a password is going to let an attacker into your network. Think again.

Most corporate domain password policies require complex passwords with a minimum password length. Many implement a minimum password length of 7 through 10, and with most password complexity rules, passwords should contain characters from 3 of 4 categories: uppercase, lowercase, numerals and special characters. Often times, the password is also restricted from containing the account name as well.

The above policies are great until users discover that they can have an easy to remember password that still fulfills the requirements such as “Buckeyes1”.

Many domains also have password age policies: a maximum age policy ranging from 42 days (Windows default domain policy setting) to 180. Along with the password history and minimum password age policies, users are forced to use different passwords so that if a password is ever compromised, the anticipation is that the password has expired and a newer complex password is in place.

The frequent password changes as dictated by the age policies may be confusing to a user – the user forgets what their current password is. The above policies are great until users discover that they can have an easy to remember password such as “Winter2018” that they set according to the current season. If forced to change every 3 months, to remember their password, they only need to look out the window to check what season it is, and know the current year.

Many domains also have account lockout policies: typically 5 incorrect password entries lock out the account for a period of 15 minutes. This prevents an attacker from brute forcing thousands of passwords on an account within seconds.

The above account lockout policies work great. A lazy attacker may give up with the restrictions, but a persistent attacker could try 4 guesses every 14 minutes without arousing any suspicion by locking out an account.

It fills me with anxiety to write here that in our company’s last few engagements, we have been able to “guess” at several domain credentials. Even with password complexity and minimum password length, and account lockout policies in place. We discovered domain user accounts that satisfied the password policies and yet were easy to guess, such as Password1 or Fall2018. In a couple instances, they included higher privileged accounts.

Users will find a way to work around the password policies that have been put in place, circumventing the controls that the network administrators have invested so much thought and effort into.

One network administrator thought it unnecessary to set the minimum password age, only setting values for the maximum password age and password history. Once users discovered that, when they were forced to change their password (upon reaching the maximum password age), they changed their password. And again. And again. And again in quick succession. Until the number of times specified in the password history. Then they go back to their original password. In essence they have bypassed the password age and history policies, and can keep using ONE password as long as they wish.

Password policies work. But they can be worked around. Weak, easy to guess passwords can still be complex. It is highly recommended that a password audit is performed on your domain accounts every year. All accounts should be assessed against sets of common passwords or specific password format permutations or algorithms. You may be surprised by the results.

Of course, what’s better than a password is a passphrase; but that’s another blog.

If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.

Resources:
https://www.teamsid.com/splashdatas-top-100-worst-passwords-of-2018/
https://resources.infosecinstitute.com/password-security-complexity-vs-length/#gref