Can we fix the weaknesses in password-based authentication?

In password-based authentication, end-users confirm their identity using login credentials, commonly a unique username, and a secret password. These credentials allow the system to verify that the user is who they say they are, and protect it from unauthorized access.

Yet, look at any recent cybersecurity or data breach report, and you’ll find that these credentials have the exact opposite effect.

There are billions of stolen credentials circulating the dark web and the underground marketplace is thriving on granting access to these compromised accounts. For organizations, it is just as accurate to assume that employee credentials can be leveraged to access sensitive data, as opposed to protecting it.

This applies to all password-based systems, even when additional safeguards like multifactor authentication are in place. Bad actors are countering additional authentication layers with MFA prompt bombing, session hijacking, and phishing attacks.

So, what options do we have to strengthen credentials and protect personal and business data, at least until we can transition to passwordless authentication?

Before they were breached, they were weak

Let’s assume that every single password we have ever used is known to bad actors. The solution would be to change them all, right? While that’s a great start, it doesn’t actually stop them from falling into the wrong hands again.

The problem, and perhaps the root of the inherent weaknesses in password-based authentication, is the predictability of human-behavior.

Many users default to weak, easy-to-remember passwords, and tend to reuse those same passwords across most of their accounts. Today’s password attacks are designed with this predictability in mind.

Brute-force attacks

A brute-force attack is one of the most common methods for guessing a user’s username and password. In its most basic form, the attacker will trial-and-error all possible username and password combinations, through countless automated login attempts, until the correct one is found.

To make the attack more effective, additional tactics can be used to reduce the quantity of guesses. For example, using a pre-defined list of high-probability passwords, or using information about password creation habits, like character composition patterns.

While most password policies will encourage or even force users to create high-entropy passwords, which in theory are harder to crack, end-users will always circumvent these measures in favor of convenience.

As long as end-users continue to use passwords like “pizza123”, which was allegedly used in the Fast Company breach, these attacks will continue to work.

Tips for securing password-based authentication

There are a number of measures we can enforce to minimize the weaknesses associated with end-user credentials.

The first measure would be countering brute-force username and password attempts by limiting unsuccessful login attempts, and ensuring that the login mechanism, including any error messages, do not confirm the validity of username submissions.

For internet facing web applications, these authentication measures should be continuously tested via a pen-testing as a service provider.

Next, we should use password complexity requirements to force users to select stronger passwords. These complexity settings should not be limited to length, and character requirements.

A good password policy will also prevent common character patterns, and leetspeak, while encouraging passphrases, which are both longer and easier to remember.

Finally, even with these measures in place, we can’t stop users from reusing these passwords across other accounts, including their personal accounts. The prevalence of password reuse increases the risk of compromise.

Any organization who takes an assume breach stance will need to proactively check user passwords against a continuously updated list of breached passwords.

If a user’s password is found on the breached password list, they should be prompted to change it immediately. The same breached password list can also be used to block users from selecting compromised passwords in the first place.

Securing Active Directory passwords and the keys to the kingdom

For most windows-based networks, Active Directory is the chosen identity and access management solution. Securing Active Directory is always top-of-mind, as it holds the proverbial keys to the kingdom. Unfortunately, Active Directory is not immune to the password-based authentication challenges we have outlined above.

To further strengthen password security, a third-party password policy tool, like Specops Password Policy, can enforce additional complexity requirements, and disallow common passwords creation patterns that can leave it vulnerable to attacks.

This includes keyboard walk patterns (qwerty), leetspeak (P@$$w0rd), base words (password, admin, welcome), and custom dictionary words to block specific words that are relevant to a user or business (company name, product name, location, etc).

Specops Password Policy with Breached Password Protection also blocks the use of over 4 billion unique compromised passwords and offers continuous compromised password scanning.

To detect the use of compromised passwords within Active Directory, Specops Software also offers a feel tool, Specops Password Auditor. This read-only reporting tool scans your Active Directory environment and helps identify accounts using over 950 million known breached passwords, along with other password-related vulnerabilities.

The inherent weaknesses of password-based authentication are here to stay. Even when additional security measures, like MFA, are in place, we still need to optimize our password policies to counter poor password practices.

If you’re not quite ready to go passwordless, but need to secure existing passwords, contact Specops Software to help.

Sponsored and written by Specops Software.