Weak passwords are a bad thing. Here’s why…

Weak passwords and passwords generally continue to be at the forefront of public consciousness around security. For many people, they’re the only way that they interact with security measures on a regular basis and, distinctly, they’re something that end users have ultimate control over.

Unfortunately, that control isn’t always exercised with responsibility.

I.T. is rife with weak passwords, from common, easily guessed passwords to passwords re-used across multiple systems and websites. As users attempt to make their lives (and remembering their passwords) more convenient, your security is seriously compromised.

And, if you have any weak passwords, a breach doesn’t even need to begin with an attack on your network.

How password breaches work

In the majority of cases, a password hack gives an attacker access to a hashed password file. This contains a list of usernames and codes that are the result of complex mathematics being applied to the password string.

Your security lies in the fact that an attacker doesn’t know the mathematical method that was applied – but this can be overcome with a little reverse engineering.

An attacker’s strategy is to guess a single password and calculate which cryptographic hash is being used. This can even be done offline, negating the security of account lockouts after multiple incorrect guesses.

When an attacker cracks one password, the entire list of passwords is easily decrypted. Suddenly, a hashed file that doesn’t contain any clear text passwords becomes a handy source of password information.

Common and weak passwords make this process faster. Using a ready-made list of frequently used passwords and associated hash codes for common cryptography methods, an attacker could spot which method is being used in minutes.

As a result, one weak password on a known list could become the key to unlocking your entire estate.

Big name attacks affect your security

Hackers gaining access to your estate and your hashed password files is a very real prospect – just ask LinkedIn, Yahoo and Dropbox. But in our connected world, even a breach that doesn’t directly affect your business can have serious implications for your security.

According to Recode, people re-use passwords as much as 31% of the time. The same password that’s been exposed through the LinkedIn, Yahoo or Dropbox breaches could be the one that’s being used to log into your Active Directory. That’s why these attacks are often followed-up by hackers attempting to use the stolen password on a wide range of different websites and accounts.

In this sense, a password hack anywhere on the internet is a very real threat to your security. Tellingly, Netflix recently alerted users whose credentials may have been exposed by other organisations, recognising the risk associated with reused and weak passwords.

The only way to mitigate your risk is to enforce your policies with confidence, educate your users about the importance of security, and routinely check the strength of the passwords on your infrastructure.

Free tools for finding and eliminating your weak passwords

Strong passwords are the first step in any security strategy. To help, password security specialist Thycotic is offering two free tools to help you detect weak passwords.

For your end-users, the Password Strength Checker is a quick and easy way to see how long it might take a computer to crack a password. And then offers instant tips on improving it. It’s a fun, sharable tool that’s an effective way to illustrate why weak passwords are dangerous.

For your Active Directory accounts, the Thycotic Weak Password Finder scans for duplicated, non-compliant, and weak passwords, comparing your credentials to an industry-recognised list.

As a result, you can demonstrate your compliance and the strength of your passwords – or spot weak passwords before they’re exploited.

Written by