Cracking the password management conundrum

The use of passwords and phrases goes back centuries, if not millennia; even Shakespeare’s Hamlet features the use of one to identify those loyal to the King of Denmark.  The first computer password dates back to the mid-60s as an attempt to deliver some compartmentalization for users that were all sharing mainframe access.  One of its creators has since admitted it was flawed even then, before anyone had even had thought of, let alone heard of, the phrase cyber-attack.

High profile data breaches perpetrated by poor password management continue to do untold damage to organisations, including some of the world’s biggest brands.  Always on the look-out for a way in, cybercriminals repeatedly try to guess, steal or crack passwords so that they can obtain access to systems as a legitimate user. As a result, in the current business climate, securing user access to company confidential information by enforcing unique, multifaceted passwords plays a crucial role in stopping cyber-crime.

The importance of effective password management can never be underestimated. Passwords are everywhere within an organisation – from end user access to internal systems and general systems administration.  Passwords are a prime target for hackers and if obtained they have the potential to cause a lot of reputational and network damage by providing access to all kinds of lucrative information, from customer bank accounts, addresses and social security details to company intellectual property, and more.

Preying on the weak 

As a penetration tester for customers that include large retailers and financial institutions, I often come across passwords that are the same as usernames or easily guessable – for example ‘Password1’.  Weak passwords are the first target for attackers once they have collected a cache of  password hashes or usernames, using a variety of methods including Address Resolution Protocol (ARP) spoofing, Link-Local Multicast Name Resolution (LLMNR) and Netbios Name Service (NBT-NS) Poisoning or SQL Injection.

For example a favourite technique of hackers is to try to collect password hashes by answering resolution requests with incorrect information – known as LLMNR and NBT-NS poisoning.  With this method credentials can be captured and weak passwords easily cracked, opening up access to a Windows domain.

Another popular attack is ARP spoofing which takes seconds to setup, even in an unknown network environment. An attacker plugs into the network and collects all IP traffic between the target hosts and their default gateway address. Poorly protected authentications allow decryption of domain credentials and internal web app HTTP logins.

Securing the network

So what can organisations do to improve their password management?  First and foremost it is vital to encrypt all authentication information when traversing the internal network, to ensure that the hackers can’t easily target and break passwords as they move around the network. Furthermore, it’s critical to avoid storing configuration files, passwords and other technical information in unencrypted user or group files.  Failing to do only makes a hacker’s task easier and leaves core firewalls and other devices, which would otherwise be considered well protected, susceptible to compromise.

The recent Sony hacking case provides a great example in that most of the sensitive passwords were hidden in a file directory called “passwords”. Password managers can help effectively manage passwords across the network and ensure they are fully encrypted at rest. When you are using a password manager, ensure that the ‘key’ to the encrypted vault is strong and the encrypt ‘vault’ itself is sufficient protected.

Another mistake we commonly see is organisations setting passwords in Group Policy Preferences on a Windows Domain where the password decryption key is publicly available (pre Microsoft Patch MS14-025). This makes it possible for an attacker to recover and decrypt all organisations passwords set by this method, as potentially any authenticated user. Organisations should also check that JBoss launchers, such Tomcat Manager or MainDeployer, that are used to upload web application code are not using a default password as this could present an attacker with local access to the operating system and potentially cripple a network.

It is also key for organisations to check that users are not duplicating passwords across the network.  Passwords shared between admin and non-admin accounts, or between local admin and domain admin accounts, or local admin passwords on desktops and laptops that are the same as server or domain admin passwords all provide an attacker with a way to escalate their privileges on the network. Best practice is to ensure that unique local passwords are set across all systems. Microsoft recently released a tool to called ‘Local Administrator Password Solution (LAPS)’ to help with this process. (

While we may eventually be able to replace passwords with something more bulletproof, for now we are stuck with them, and their potential to be exploited.  Effective password management practices and multi-factor authentication are important tools for keeping access to corporate applications secure and mitigating the risks associated with passwords themselves.  Ultimately, if an attacker is able to steal administrator-level passwords, the result can be as devastating as handing over the combination to the vault in a bank.