Attackers targeting login portals has become common place, so much that many organizations don’t even bother reviewing logs due to the immense number of password spraying campaigns. Adversaries continue this attack path because it’s proved successful The good news is there are many options to assist an organization in defending against this onslaught. You’ve already been told you need to utilize multifactor authentication (MFA), review abnormalities in login attempts, and maybe even to utilize geolocations to reduce the amount of login attempts in areas that your users aren’t in. However, you may not be leveraging one of the most effective defenses against weak passwords, password filters.
What is a Password Filter?
Password filters allow you to enforce better password policies, primarily against weak passwords that users commonly choose out of convenience. A great feature of this is the ability to prevent certain words and letter/number combinations.
Example Time
Let’s say your password policy is 10 character minimum, at least 1 upper letter, at least 1 lower letter, at least 1 number. That sounds like a good password policy and may even be more stringent than what you are currently using. Does “Password1!”, “$ummer2021”, “December1!” or even “<Your Company Name>21!” seem like a sufficient password to defend the assets of your organization? Of course it doesn’t, and surprisingly it adheres to your “good password policy” as well.
What’s the real issue?
The root cause of this issue is human nature and the fact that password-based authentication is not a secure method. Users have to remember multiple passwords and it’s instinctive to make things easier on yourself and choosing weak passwords does this. Even password policies that have you rotate every 90 days unintentionally encourage users to choose passwords such as seasons and months so you can understand why your users are making the choices that they do.
What are attackers really doing?
Attackers use OSINT or exploit a vulnerability to generate a user list for your organization. User enumeration issues are rampant. With a valid username, they are 50% to the finish line and only need to guess a password at this point. They choose passwords that are commonly used to authenticate and through automation attempt it for each user that they have verified exists. As you may have already picked up on, attackers are using lingo found on the company website, professions, sports teams, seasons, years, company names, traditional weak passwords like “password” or “letmein”, and popular first names.
Force your users to make the right decisions by utilizing a password filter that prevents these commonly tried passwords. There are multiple password filters out there but some of the more popular ones are nFrontSecurity Password Filter, Anixis Policy Enforcer, and Specops Password Policy.
About the Author: Heath Adams
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcmdev.tcmsecurity.com/our-services/
Follow Us: Blog | LinkedIn | YouTube | Twitter | Facebook | Instagram
Contact Us: sales@tcm-sec.com