The human brain has a strong tendency toward pattern completion: we see familiar shapes in cloud formations and can recall an entire song from a single lyric. When it comes to creating passwords, users naturally gravitate toward systems and patterns that are satisfying and easy to remember. That inclination often produces passwords that are personally satisfying and technically compliant with an organization’s password policy, yet still easy to guess. Attackers are well aware of this tendency and deliberately exploit both the mistakes users make and the limits of the policies meant to catch them.
Despite the sophisticated tools and techniques available today, password cracking still comes down to guessing. Any clue about how a password is structured is invaluable to an attacker trying to get into a system.
In the following sections we look at how attackers capitalize on four of the most common password-related errors users make, and at strategies for hardening Active Directory against them.
Common ‘Base’ Terms: Users frequently start building a password from a foundational term. Unfortunately, that base word is seldom random and usually relates to the individual or the employing organization. At each reset or change, users then make a small incremental modification to the same base word. This satisfies Active Directory’s default password history and complexity settings, because the history setting only rejects exact matches of earlier passwords. The most common pattern is to capitalize the first letter and append a digit or special character at the end.
Attackers know they don’t need to crack the strongest passwords to get into an organization; they target the weakest links. To exploit common base terms, they run dictionary attacks: a predefined list of weak base terms is fed through a set of mangling rules (capitalization, leet substitutions, appended digits, years and symbols) and every result is tried as a guess. These attacks prey on the human preference for simplicity and familiarity when creating passwords.
The “2023 Specops Weak Password Report” examined 4.6 million passwords collected over several weeks, including passwords used in live attacks against RDP ports. The most frequently used base term was ‘password’; ‘admin’ and ‘welcome’ were also common. For attacks against specific individuals, social media profiles are a treasure trove of likely base terms: birthdays, family names, pet names and significant places.
Short Password Length: Even when the base term is weak, an attacker still faces a large number of possible variations. The way through is brute force: systematically trying candidate after candidate until one works, either through repeated login attempts or, far faster and without tripping an account lockout, offline against a stolen password hash. Brute force is most effective against short passwords, and it combines naturally with a dictionary: a hybrid attack takes each dictionary word as a fixed prefix and brute-forces only a short suffix of digits and symbols, which is exactly the shape a password like ‘Welcome1!’ has.
The Specops research found that 88% of passwords used in live attacks against RDP ports were 12 characters or fewer. Many organizations set their Active Directory minimum password length lower still, at only eight characters, and users who are given the option tend to choose the shortest password the policy allows.
Encouraging users to create longer but still memorable passwords is a strong defense against brute force. Stringing together three random but memorable words into a passphrase such as ‘Postbox-Throw-Calzone’ gives 21 characters that resist both dictionary and brute-force attacks, and adding a few special characters raises the cost further. Another way to motivate longer passwords is length-based aging: the longer the password, the longer it remains valid before a change is required.
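As an added illustration (not code from the Specops report or from any Specops product), the Python below shows both halves of what the paragraphs above describe: mangle() produces the variations a rule-based dictionary attack tries for one base term, hybrid() appends a brute-forced suffix to turn that into a hybrid attack, and find_base_term() is the defender’s counterpart that strips the usual suffixes and leet substitutions to recover the base term a candidate password is built on. The dictionary, the leet table, the symbol set and the year range are assumptions chosen for the example.

```python
import itertools
import re
import string

# Constructed sample dictionary (assumption): the base terms the report cites
# plus one organisation-specific term an attacker would add for a target.
BASE_TERMS = ("password", "admin", "welcome", "summer", "contoso")

SPECIALS = "!@#$%"                             # assumed "typical" appended symbols
YEARS = [str(y) for y in range(2020, 2026)]    # assumed range of appended years

# Substitutions a rule-based cracker applies, and the inverse a checker uses.
TO_LEET = str.maketrans("aseo", "@$30")
FROM_LEET = str.maketrans("@$013457", "asoieast")


def mangle(word):
    """Yield the mutations a rule-based dictionary attack tries first for one
    base term: case changes, leet substitutions, and the usual appended
    digit, year and/or special character."""
    forms = {word, word.capitalize(), word.upper(),
             word.translate(TO_LEET), word.capitalize().translate(TO_LEET)}
    for f in sorted(forms):
        yield f
        for s in SPECIALS:
            yield f + s
        for d in string.digits:
            yield f + d
            for s in SPECIALS:
                yield f + d + s
        for y in YEARS:
            yield f + y
            for s in SPECIALS:
                yield f + y + s


def hybrid(word, suffix_len, charset=string.digits + SPECIALS):
    """Hybrid attack: a fixed dictionary word followed by every brute-forced
    suffix of suffix_len characters drawn from charset."""
    for tail in itertools.product(charset, repeat=suffix_len):
        yield word + "".join(tail)


def hybrid_space(suffix_len, charset=string.digits + SPECIALS):
    """Number of guesses hybrid() has to make: len(charset) ** suffix_len."""
    return len(charset) ** suffix_len


def _strip_edges(s):
    """Drop leading/trailing runs of digits and symbols, e.g. the '123!' suffix."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def find_base_term(password, base_terms=BASE_TERMS, min_len=4):
    """Return the dictionary term the password is built on, or None.

    Both normalisation orders are tried: 'P@ssw0rd123!' needs the suffix
    stripped before un-leeting, while 'w3lc0m3' needs un-leeting first."""
    s = password.lower()
    cores = {_strip_edges(s).translate(FROM_LEET),
             _strip_edges(s.translate(FROM_LEET))}
    for core in cores:
        for term in base_terms:
            if len(term) >= min_len and term in core:
                return term
    return None


if __name__ == "__main__":
    for pw in ("P@ssw0rd123!", "Welcome1!", "adm1n", "Postbox-Throw-Calzone"):
        print(f"{pw:25} base term: {find_base_term(pw)}")
    print("guesses per base term from mangle():", len(set(mangle("welcome"))))
    print("hybrid guesses for a 3-character suffix:", hybrid_space(3))
```

The numbers are the point: one base term expands to a few hundred rule-based guesses, and a three-character brute-forced suffix over digits and five symbols is only 3,375 more, which is why a policy that merely demands “a digit and a symbol” on top of a dictionary word buys almost nothing.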
Password security is where human psychology and digital threats meet. Understanding and addressing the common errors users make when creating passwords is central to protecting systems and data. Combining several measures, such as encouraging strong but memorable passphrases and raising minimum length requirements, substantially improves an organization’s security posture against these attacks.
Keyboard Walk Patterns:
While the vulnerabilities of passwords often bring to mind issues like common base words, short length, and lack of complexity, it’s crucial to recognize that passwords inspired by the layout of a keyboard can be equally predictable. Take, for instance, the password ‘P)o9I*u7Y^’—it might appear complex and meet many Active Directory password requirements. However, a closer examination reveals that these characters are all located right next to each other, forming an easily memorizable ‘keyboard walk’ pattern for the end user.
Recently, the Specops team conducted an analysis of over 800 million passwords to identify the most common keyboard walk patterns among compromised passwords. Surprisingly, the pattern ‘qwerty’ alone was found over a million times, underscoring the ubiquity of these keyboard walk patterns.
Even though these patterns aren’t actual words, they remain susceptible to dictionary attacks. Attackers are well-versed in exploiting the predictability of end users. They recognize that ‘lazy fingers’ often resort to shortcuts when crafting passwords, and thus, they incorporate common keyboard walk patterns into their lists of high-probability passwords used in dictionary attacks.
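As an added example (not from the Specops analysis), the Python below detects keyboard walks the way a policy check would: each typed character is mapped back to the physical key it came from on a US QWERTY layout (so ‘)’ and ‘0’ are the same key), and the longest run of consecutive characters on neighbouring keys is measured. The coordinate approximation of the layout and the minimum run length of four are assumptions; a production check would tune the threshold and add other layouts.

```python
# US QWERTY layout without shifted symbols. Each row sits roughly half a key
# to the right of the row above; ROW_OFFSETS approximates that (assumption,
# good enough to recognise walks).
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
ROW_OFFSETS = [0.0, 0.5, 0.75, 1.25]

# Shifted symbol -> the key it lives on, so ')' and '0' are the same key.
SHIFT = dict(zip('!@#$%^&*()_+{}|:"<>?', "1234567890-=[]\\;',./"))

POS = {}
for r, (row, offset) in enumerate(zip(ROWS, ROW_OFFSETS)):
    for i, ch in enumerate(row):
        POS[ch] = (r, offset + i)


def _key(ch):
    """Map a typed character to the physical key it came from."""
    ch = ch.lower()
    return SHIFT.get(ch, ch)


def adjacent(a, b):
    """True if the keys for a and b are neighbours (including diagonally)."""
    a, b = _key(a), _key(b)
    if a == b or a not in POS or b not in POS:
        return False
    (ra, xa), (rb, xb) = POS[a], POS[b]
    return abs(ra - rb) <= 1 and abs(xa - xb) <= 1.0


def longest_walk(password):
    """Length of the longest run of consecutive characters on neighbouring keys."""
    best = run = 1 if password else 0
    for prev, cur in zip(password, password[1:]):
        run = run + 1 if adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(password, min_run=4):
    """Policy check: reject passwords containing a walk of min_run or more keys."""
    return longest_walk(password) >= min_run


if __name__ == "__main__":
    for pw in ("P)o9I*u7Y^", "qwerty", "1qaz2wsx", "password", "Postbox-Throw-Calzone"):
        print(f"{pw:25} longest walk: {longest_walk(pw):2}  walk: {is_keyboard_walk(pw)}")
```

‘P)o9I*u7Y^’ scores a walk of all ten characters even though it contains upper case, lower case, digits and symbols; the passphrase ‘Postbox-Throw-Calzone’ never strings more than two neighbouring keys together.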
Password Reuse:
Even strong passwords become a liability when users reuse them across applications and devices. For example, an organization may deploy a password manager so that users need to remember only one strong master password. If that same password is also used for Netflix, Facebook and other consumer sites, a phishing attack or data breach at any one of them exposes it, and with it everything the manager protects.
According to Google, a staggering 65% of people reuse passwords. This is a driving force behind cybercriminals’ efforts to pilfer credential information and peddle it on the dark web—because a pilfered password from one site may provide access elsewhere.
Meeting password requirements alone is often insufficient: Specops research found that 83% of compromised passwords satisfy the length and complexity requirements of regulatory standards. Until an incident occurs, nothing about the password itself reveals whether a user has reused a strong work password on a site with weak security. What does work is comparing passwords against known-breached credential data, so a tool that can scan Active Directory for compromised passwords becomes essential.
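Checking a password against breach data without revealing the password is the technique a compromised-password scan relies on. The Python below is an added example, not Specops code: it implements the k-anonymity lookup used by the Have I Been Pwned Pwned Passwords range API (https://api.pwnedpasswords.com/range/<prefix>), where only the first five hex characters of the SHA-1 hash leave the host and the matching suffix is searched for locally. The HTTP call is replaced by a constructed in-memory table so the example runs offline; the first suffix in it is the genuine SHA-1 tail of ‘password’, while the other entries and all counts are made up.

```python
import hashlib

# Constructed stand-in for the body of GET /range/5BAA6 (assumption: one
# "SUFFIX:COUNT" line per known hash sharing the 5-character prefix). The first
# suffix is the real SHA-1 tail of "password"; the others and all counts are made up.
FAKE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1E4D4C3DD4BE3A0CE8C2F0A9A94C9C4A1A1:2\n"
        "1F0A9C8E7B4D0F4F5E6D7C8B9A0B1C2D3E4:17\n"
    ),
}


def split_sha1(password):
    """Upper-case hex SHA-1 split into the 5-char prefix sent to the API and
    the 35-char suffix that never leaves the host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_offline(prefix):
    """Stand-in for the HTTPS GET; swap in a real request to
    https://api.pwnedpasswords.com/range/<prefix> for production use."""
    return FAKE_RANGES.get(prefix, "")


def breach_count(password, fetch=fetch_range_offline):
    """Number of times the password appears in the breach corpus, 0 if never."""
    prefix, suffix = split_sha1(password)
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_compromised(password):
    return breach_count(password) > 0


if __name__ == "__main__":
    for pw in ("password", "Postbox-Throw-Calzone"):
        print(f"{pw:25} seen in breaches: {breach_count(pw)} times")
```

Active Directory stores NT hashes rather than SHA-1, and the same service offers the range lookup for NTLM hashes (mode=ntlm), which is the form an audit of domain password hashes would use; the prefix-only exchange is identical.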
Mitigating Risks and Preventing User Errors:
To address these challenges, organizations need a two-pronged approach. First, a password policy that ensures users create strong passwords in the first place, blocking the common base terms, short lengths and keyboard walk patterns attackers rely on.
Second, a way to audit Active Directory continuously and promptly change any password, however strong, that turns up in a breach or has been reused elsewhere. Tools like Specops Password Policy let organizations build custom dictionaries that block base words tied to their industry and organization, as well as universally weak base terms, keyboard walk patterns and short passwords. They can also block incremental changes to a previous password, which Active Directory’s built-in password history cannot do because it only rejects exact repeats, removing the predictable patterns and substitutions users gravitate toward and attackers exploit.
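Active Directory’s own password history compares the new password’s hash against stored hashes of earlier ones, so it rejects only exact repeats and waves ‘Summer2023!’ through when it becomes ‘Summer2024!’. The Python below is an added example, not Specops’ implementation, of a near-duplicate check based on edit (Levenshtein) distance. It assumes the previous password is available in plaintext at the moment of comparison, which holds for a user-initiated change where the user supplies the old password but not for an administrator reset; the threshold of two edits and the six-character substring floor are assumptions.

```python
def levenshtein(a, b):
    """Minimum number of single-character insertions, deletions or
    substitutions that turn a into b (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute (free if equal)
        prev = cur
    return prev[-1]


def is_incremental_change(old, new, max_edits=2):
    """True if the new password is a small tweak of the old one.

    Case is ignored so 'summer2023!' -> 'Summer2023!' counts as a tweak, and a
    new password that merely wraps the old one ('xxSummer2023!xx') is caught
    even when the edit distance exceeds max_edits."""
    o, n = old.lower(), new.lower()
    if levenshtein(o, n) <= max_edits:
        return True
    return len(o) >= 6 and o in n


def check_change(old, new, max_edits=2):
    """Policy verdict for a change request."""
    if is_incremental_change(old, new, max_edits):
        return "rejected: incremental change"
    return "ok"


if __name__ == "__main__":
    # Constructed change requests: old password -> proposed new password.
    for old, new in (("Summer2023!", "Summer2024!"),
                     ("Welcome1!", "!Welcome1"),
                     ("Summer2023!", "xxSummer2023!xx"),
                     ("Summer2023!", "Postbox-Throw-Calzone")):
        print(f"{old:12} -> {new:24} {check_change(old, new)}")
```

Because the comparison needs the old password in plaintext, this kind of check belongs in the change flow (where the user proves knowledge of the old password anyway), not in a scheduled scan over stored hashes.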