The average online user has over 90 personal and work accounts that require a password. That is a daunting number of unique passwords to memorize. In an effort to remember them, most users select a common "root" word and apply easily guessable variations to it. Once one of those variations is compromised, the rest become predictable.
Password Expiration Policies
The situation gets worse when password expiration policies require users to regularly select new passwords. Under such a policy, most users will keep a root password and just make simple variations of it.
Both NIST and Microsoft have recently advised against enforcing a password expiration policy because they can be costly and ineffective. If users have to create complex passwords on a regular basis, the result is often poor password habits. Whether you choose to enforce password rotation policies in your organization or not, it is important to protect against poor password behavior.
Research has shown that almost 70% of passwords are derived from common basic words, often words of personal importance to us as individuals. Attempts to strengthen such a password usually follow predictable patterns. Password-cracking software used by cybercriminals takes advantage of this by combining common words with likely suffixes and prefixes.
To increase success rates, an attacker will also feed in any relevant personal information that might yield a high-probability match: company names, brand names, local sports teams, alma maters, addresses, meaningful dates, and any other available personal details. Much of this information is public and online, and an attacker can leverage it to gain access to your account.
Most users rely on a root password that is easily guessable even though they consider it secure. When they are required to change the password, they simply increment it.
As simplified examples:
- A root password of companyname might become companyname1, companyname2, companyname3
- A root password of mypassword might become mypassword!!, mypassword!!!
When a user relies on a root password, the attacker simply uses bots and tools to try iterations of that root. Based on typical password patterns, they can often determine the real password. Ethical hackers and hackathons can routinely crack very complex passwords in very short periods of time.
Password Screening for Risky Passwords
NIST 800-63b guidelines dictate that passwords be screened against lists of common passwords, expected passwords, and compromised passwords. Organizations seeking to implement NIST password best practices can deploy dedicated solutions that maintain active lists of known, compromised passwords. This is an exemplary way to satisfy the need to screen against compromised passwords in a process that will not create an additional burden on the IT team.
But organizations should also be screening for:
- Reuse of Passwords: Users should not be allowed to reuse root passwords when changing their password, enforced through root password detection and blocking.
- Common or Expected Root Passwords: Users should not be allowed to use common or expected passwords, enforced through custom dictionaries with integrated root password detection.
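The two screening checks above, and the companyname1/mypassword!! patterns from the earlier examples, can be demonstrated with a small root-password detector. This is an added example written for this article, not Enzoic's or any product's code; the custom dictionary, the leet-speak map and the containment rule for "shares a root" are all assumptions chosen for illustration.

```python
import re
import string

# Constructed custom dictionary for a hypothetical organization: company name,
# local team, common base words. A real deployment would load this from a file.
CUSTOM_DICTIONARY = {"companyname", "mypassword", "password", "welcome", "springfield"}

# Conservative leet-speak reversal; ambiguous digits such as "1" are left alone.
LEET_MAP = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

_EDGE_NOISE = string.digits + string.punctuation + string.whitespace
_SEPARATORS = re.compile(r"[\s_\-.]+")
MIN_ROOT = 4  # roots shorter than this are too generic to compare


def extract_root(password: str) -> str:
    """Reduce a password to its likely root word.

    Strips leading/trailing digits and punctuation (the "increment" part), removes
    separators, undoes common leet substitutions and case-folds, so companyname1,
    Companyname!! and C0mp4nyname2024! all reduce to "companyname".
    """
    core = _SEPARATORS.sub("", password.strip(_EDGE_NOISE))
    return core.lower().translate(LEET_MAP)


def shares_root(root_a: str, root_b: str) -> bool:
    """True when the roots are equal or one contains the other (mypassword vs mypasswordnew)."""
    if len(root_a) < MIN_ROOT or len(root_b) < MIN_ROOT:
        return False
    return root_a in root_b or root_b in root_a


def screen_password(candidate: str, previous_passwords, dictionary=CUSTOM_DICTIONARY) -> list:
    """Return the reasons the candidate should be rejected; an empty list means accept.

    previous_passwords holds earlier passwords for the account. At a user-driven
    change the current password is available in plaintext; a deployment that only
    keeps slow hashes of previous roots would compare hashes instead (not shown).
    """
    root = extract_root(candidate)
    reasons = []
    if any(shares_root(root, extract_root(prev)) for prev in previous_passwords):
        reasons.append("reuses root of a previous password")
    for word in sorted(dictionary):
        if shares_root(root, word):
            reasons.append(f"root matches custom dictionary entry '{word}'")
            break
    return reasons
```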
Enzoic for Active Directory offers automated NIST compliance, including live screening for compromised passwords, continuous password monitoring to ensure no subsequent compromise, root password detection to prevent the reuse of a root password at password reset, and a custom dictionary with integrated root password detection.
There are many solutions available to perform password hardening for Active Directory; be certain that the tool you choose includes all of these features.