Inside the password arms race


Since researchers first devised the username and password combination in the 1960s, defenders have been in a constant battle with an ever-growing population of attackers and attack techniques. The two sides have been locked in a permanent struggle, akin to an ever-escalating arms race, in which each endeavors to outmuscle the other.

Strong passwords are a fundamental keystone of protection for every organization, although they work best when complemented with additional layers such as multi-factor authentication (MFA). Relying too heavily on any individual layer won't do, however: only hardening each layer in its own right will stand organizations in good stead against the threats they face. Attackers, after all, have devised ingenious techniques to breach any single layer, from brute-force password cracking to 'pass-the-cookie' attacks on already-authenticated sessions.

This ever-escalating arms race is why hardening the password layer, using tools such as Enzoic for Active Directory (AD), is a crucial step in safeguarding critical business assets. Such solutions offer simple methods to prevent the use and re-use of weak and stolen credentials, the top cause of hacking-related breaches.

The password arms race

To illustrate how long the cyber security arms race has been running, we need only look at the first use of passwords in the 1960s: MIT's CTSS (Compatible Time-Sharing System), the computing research project that introduced them, was also the victim of the first recorded password compromise, when a user obtained a printout of the system's master password file.

Cyber security has changed an awful lot since then, as has the advice around best practice and how to construct strong passwords. Passwords, after all, are only a viable layer when they can't be easily guessed, cracked or otherwise obtained. Advice on constructing suitable passwords has evolved in the last few years, with the National Institute of Standards and Technology (NIST) offering guidelines in its Digital Identity Guidelines (SP 800-63B) that argue against several practices that were previously recommended.

Dropping mandatory character-class rules and scheduled password resets, for example, runs against what many considered best practice for years. Research shows those rules are ineffective and likely to make passwords less secure, because users respond with easy-to-guess iterations (e.g. P@ssword1, P@ssword2, etc.) and reuse weak passwords across multiple accounts. NIST recommends that organizations instead screen passwords against those found in past data breaches and against lists of commonly used or easily guessed values. NIST also recommends limiting the number of consecutive failed login attempts, and storing passwords only as salted hashes: salting means adding a unique random value to each password before hashing, so that identical passwords produce different stored values and precomputed hash tables are useless, while hashing with a deliberately slow, one-way key derivation function means a stolen password database cannot be reversed and each offline guess costs the attacker real computing time. None of this stops guessing outright; it makes every guess, online or offline, expensive.
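As an added example (not code from the original article or from Enzoic), the following Python implements the two verifier-side controls just described: per-user salted hashing with a slow key derivation function (PBKDF2-HMAC-SHA256 from the standard library), and a lockout after a fixed number of consecutive failed attempts. The iteration count, salt size, attempt limit and lockout duration are assumptions chosen for illustration, not values prescribed by NIST or any product; the `now` parameter exists so the lockout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Parameters are assumptions for this example, not values mandated by NIST or any product.
PBKDF2_ITERATIONS = 300_000   # work factor: tune so one hash costs roughly a tenth of a second
SALT_BYTES = 16               # fresh random salt per user
MAX_FAILED_ATTEMPTS = 5       # NIST SP 800-63B asks verifiers to limit consecutive failures
LOCKOUT_SECONDS = 300


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) using PBKDF2-HMAC-SHA256.

    The salt is unique per user, so two accounts sharing a password get different
    digests: one cracked hash says nothing about the other, and tables of
    precomputed hashes cannot be reused across users or sites. The iteration
    count is what slows offline cracking; hashing alone does not prevent it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    """In-memory account record with the failed-attempt limiting NIST recommends."""

    def __init__(self, username: str, password: str) -> None:
        self.username = username
        self.salt, self.digest = hash_password(password)
        self.failed_attempts = 0
        self.locked_until = 0.0

    def login(self, password: str, now: Optional[float] = None) -> str:
        """Return "ok", "bad_password" or "locked". `now` is injectable for tests."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            # Reject before checking the password: a locked account gives an
            # online guessing attack no oracle at all.
            return "locked"
        if verify_password(password, self.salt, self.digest):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


if __name__ == "__main__":
    # Same password, two users, two salts: the stored digests differ.
    _, d1 = hash_password("correct horse battery staple")
    _, d2 = hash_password("correct horse battery staple")
    print("salted digests differ:", d1 != d2)
    acct = Account("alice", "correct horse battery staple")
    t0 = 1_700_000_000.0
    for _ in range(MAX_FAILED_ATTEMPTS):
        print(acct.login("wrong guess", now=t0))
    print(acct.login("correct horse battery staple", now=t0))                        # locked
    print(acct.login("correct horse battery staple", now=t0 + LOCKOUT_SECONDS + 1))  # ok
```

The lockout deliberately refuses even the correct password while the account is locked; that is what denies an online attacker feedback, and it is also why the next section's point about password spraying matters, since spraying is designed to stay under exactly this threshold.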

Attackers have nevertheless built an arsenal of password-guessing techniques that these NIST recommendations help to control. Among the most widely used are brute-force attacks, an umbrella term for several methods that involve guessing passwords to gain access to a system: trying every candidate in turn, dictionary attacks that work through lists of common words and known passwords, credential stuffing that replays username and password pairs leaked from other sites, and password spraying that tries one or two common passwords against many accounts so that no single account trips the lockout threshold. These methods rely on the fact that many people recycle passwords between accounts, and that so many use extremely common and insecure strings without much thought.
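The distinction between a classic brute-force attempt and a password spray shows up clearly in authentication logs, and it matters because per-account lockout stops the first but not the second. As an added example (not from the article or from any product), the Python below parses a constructed, simplified log format of the form `timestamp user=... src=... result=OK|FAIL`, counts failures per source and per user, and flags a source as brute force when it hits one account at or above the lockout threshold, or as a spray when it touches many accounts while staying below it. The log lines, IP addresses (from documentation ranges) and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List


def constructed_log() -> List[str]:
    """Constructed sample log for the example; not captured from any real system."""
    lines = []
    for i in range(10):   # brute force: one source hammers one account
        lines.append(f"2024-03-01T08:00:{i:02d} user=alice src=203.0.113.7 result=FAIL")
    for i, user in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"]):
        # spray: two guesses per account across many accounts, under the lockout threshold
        lines.append(f"2024-03-01T08:01:{i:02d} user={user} src=198.51.100.9 result=FAIL")
        lines.append(f"2024-03-01T08:02:{i:02d} user={user} src=198.51.100.9 result=FAIL")
    lines.append("2024-03-01T08:03:00 user=heidi src=192.0.2.5 result=FAIL")   # benign typo
    lines.append("2024-03-01T08:03:05 user=heidi src=192.0.2.5 result=OK")
    return lines


# Assumed log format for this example; adapt the pattern to your own authentication logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def failures_by_source(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Map src -> {user -> number of failed logins}; unparseable lines are skipped."""
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LINE_RE.match(line)
        if m and m.group("result") == "FAIL":
            counts[m.group("src")][m.group("user")] += 1
    return {src: dict(users) for src, users in counts.items()}


def classify(lines: List[str], lockout_threshold: int = 5,
             spray_min_users: int = 5) -> Dict[str, List[str]]:
    """Tag each source as brute force (one account hit >= lockout_threshold times)
    and/or password spray (many accounts, each hit fewer times than the threshold).
    Sources with neither pattern are omitted from the result."""
    findings: Dict[str, List[str]] = {}
    for src, per_user in failures_by_source(lines).items():
        tags = []
        hammered = sorted(u for u, n in per_user.items() if n >= lockout_threshold)
        for u in hammered:
            tags.append(f"brute_force:{u}")
        under_lockout = [u for u, n in per_user.items() if n < lockout_threshold]
        if len(under_lockout) >= spray_min_users:
            tags.append(f"password_spray:{len(under_lockout)} users")
        if tags:
            findings[src] = tags
    return findings


if __name__ == "__main__":
    for src, tags in classify(constructed_log()).items():
        print(src, tags)
```

Note that the spray source never triggers the per-account lockout from the previous example, which is why a detection keyed on source rather than on account is needed alongside it.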

Other methods are harder to prevent. Social engineering, for example, is a highly targeted and effective means by which cyber criminals gain access to employee credentials, often through digital or real-life manipulation. The use of phishing, in which fake landing pages for login portals or even fake password reset forms are sent to unsuspecting victims, is also highly prevalent.

Multi-factor protection

To help counter these methods, the industry devised a second layer of security known as two-factor authentication (2FA), which adds any one of several additional factors: a physical key fob, a code sent through a text message, or a unique code generated by an app. While 2FA has been around for decades, only recently has its usage become widespread, as part of a multi-layered approach that complements an existing, hardened password layer.

In keeping with the history of information security, however, cyber criminals have devised increasingly ingenious ways of bypassing MFA. In September 2020, for example, researchers disclosed critical vulnerabilities in MFA implementations built on the WS-Trust security standard that could allow attackers to bypass MFA and break into cloud services including Microsoft 365.

The following year, a similar incident saw brute-force login attempts and a 'pass-the-cookie' attack against cloud services. In such an attack the attacker needs neither the password nor the second factor: once a user has signed in and satisfied MFA, the browser holds a session cookie that proves the login happened, and a copy of that cookie stolen from the endpoint can be replayed from the attacker's own browser to hijack the authenticated session and access web apps or online services with MFA enabled. More recently, in January 2022, a cryptocurrency exchange confirmed hackers stole $34 million in cryptocurrency after bypassing its 2FA security layer. The details of the compromise weren't made public, although the incident forced the exchange to migrate to an entirely new 2FA infrastructure, suggesting the previous architecture was vulnerable.
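A pass-the-cookie attack works because the cookie alone is accepted as proof of the earlier login. As an added example (not code from the article, from Enzoic, or from any of the services mentioned), the Python below shows a server-side session store that keeps the cookie value as an opaque random lookup key, records which client the session was issued to, expires sessions after a short lifetime, and revokes a session the moment its cookie is presented from a different client. The client fingerprint (source IP plus User-Agent), the lifetime and the `now` parameter are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict


class SessionStore:
    """Server-side session table: opaque random tokens mapped to session state.

    The cookie value is only a lookup key; everything about the session lives
    here, so a stolen cookie can be revoked and its use from a foreign client
    noticed, neither of which is possible if the cookie is self-contained.
    """

    def __init__(self, ttl_seconds: int = 900) -> None:
        self.ttl = ttl_seconds
        self.sessions: Dict[str, dict] = {}

    @staticmethod
    def _fingerprint(client_ip: str, user_agent: str) -> str:
        # Assumed binding for the example: source address plus User-Agent.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode("utf-8")).hexdigest()

    def issue(self, user: str, client_ip: str, user_agent: str, now: float) -> str:
        """Issue a session once the password (and MFA) checks have passed."""
        token = os.urandom(32).hex()   # 256 random bits: unguessable, carries no user data
        self.sessions[token] = {
            "user": user,
            "issued": now,
            "fingerprint": self._fingerprint(client_ip, user_agent),
        }
        return token

    def validate(self, token: str, client_ip: str, user_agent: str, now: float) -> str:
        """Return "ok", "unknown", "expired" or "client_mismatch"."""
        session = self.sessions.get(token)
        if session is None:
            return "unknown"
        if now - session["issued"] > self.ttl:
            del self.sessions[token]
            return "expired"
        presented = self._fingerprint(client_ip, user_agent)
        if not hmac.compare_digest(presented, session["fingerprint"]):
            # The cookie is being replayed from a client other than the one it
            # was issued to. Revoke it: thief and victim alike must sign in again.
            del self.sessions[token]
            return "client_mismatch"
        return "ok"

    def revoke_user(self, user: str) -> int:
        """Kill every session for a user (e.g. after a credential reset)."""
        doomed = [t for t, s in self.sessions.items() if s["user"] == user]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux)"
    cookie = store.issue("alice", "203.0.113.7", ua, now=1_700_000_000.0)
    print(store.validate(cookie, "203.0.113.7", ua, now=1_700_000_060.0))   # ok
    print(store.validate(cookie, "198.51.100.9", ua, now=1_700_000_061.0))  # client_mismatch
    print(store.validate(cookie, "203.0.113.7", ua, now=1_700_000_062.0))   # unknown (revoked)
```

Binding to the source address is a blunt instrument: mobile and NAT users change address legitimately, and malware that steals the cookie can copy the User-Agent too. The controls that hold up regardless are the short lifetime, revocation on suspicion, and re-prompting for MFA before sensitive actions; the fingerprint check is a detection signal on top of those, not a substitute for them.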

Hardening your layers

To safeguard your partner organization to the highest possible degree, it’s vital to invest in a multi-layered strategy. Hardening the password layer is an essential step in building your defense strategy, and there are several ways to go about doing so.

The first key step is to adopt password policies based on modern recommendations from the likes of NIST and others. They advise allowing all printable characters, spaces and Unicode included; eliminating arbitrary complexity rules (such as mandatory special characters); not requiring periodic password resets, while forcing a reset whenever a password is known to be compromised; allowing long passwords (NIST says at least 64 characters must be accepted); and routinely screening passwords against blocklists of common, easy-to-guess and previously compromised passwords. Further to this, requiring mandatory MFA on top of a hardened password layer is crucial, given that attackers have found ways to breach each layer in isolation.
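The policy just listed, together with the breach screening recommended earlier in the NIST discussion, can be expressed directly in code. As an added example (not the article's, Enzoic's, or NIST's own code), the Python below accepts any printable characters and imposes no composition rule, enforces only a minimum and a generous maximum length, rejects passwords that contain the username or a context-specific word, rejects repetitive or sequential strings, and screens against a breach corpus using the k-anonymity range pattern, in which only the first five hex characters of the candidate's SHA-1 leave the client and the comparison against the returned suffixes happens locally. The corpus, context words and `RangeServer` are constructed stand-ins for the example; a real corpus holds billions of entries.

```python
import hashlib
from typing import Dict, Iterable, List

MIN_LENGTH = 8     # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64    # NIST: at least 64 characters must be accepted

# Constructed stand-in for a breach corpus; real ones hold billions of entries.
CONSTRUCTED_BREACH_CORPUS = [
    "password", "P@ssword1", "P@ssword2", "123456", "qwerty", "letmein", "Summer2021!",
]
# Assumed context-specific words (service name, product name) the verifier refuses.
CONTEXT_WORDS = ["acme", "password"]


def _sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Emulates a k-anonymity range lookup: the client discloses only the first
    five hex characters of SHA-1(password) and gets back every known hash suffix
    in that bucket, so the service never learns which password was checked."""

    def __init__(self, breached: Iterable[str]) -> None:
        self.buckets: Dict[str, List[str]] = {}
        for pw in breached:
            h = _sha1_hex(pw)
            self.buckets.setdefault(h[:5], []).append(h[5:])

    def range(self, prefix: str) -> List[str]:
        return list(self.buckets.get(prefix.upper(), []))


def is_breached(password: str, server: RangeServer) -> bool:
    h = _sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return suffix in server.range(prefix)   # the match is decided client-side


def _repetitive_or_sequential(password: str) -> bool:
    lower = password.lower()
    if len(set(lower)) <= 2:                          # "aaaaaaaa", "abababab"
        return True
    runs = "abcdefghijklmnopqrstuvwxyz0123456789qwertyuiop"
    return lower in runs or lower[::-1] in runs       # "12345678", "87654321", "qwertyui"


def check_password(password: str, username: str, server: RangeServer) -> List[str]:
    """Return the reasons a password is rejected; an empty list means acceptable.
    Deliberately no composition rule: any printable character, spaces included, is fine."""
    reasons: List[str] = []
    if len(password) < MIN_LENGTH:
        reasons.append("too_short")
    if len(password) > MAX_LENGTH:
        reasons.append("too_long")
    lower = password.lower()
    if username and username.lower() in lower:
        reasons.append("contains_username")
    if any(word in lower for word in CONTEXT_WORDS):
        reasons.append("contains_context_word")
    if _repetitive_or_sequential(password):
        reasons.append("repetitive_or_sequential")
    if is_breached(password, server):
        reasons.append("breached")
    return reasons


if __name__ == "__main__":
    server = RangeServer(CONSTRUCTED_BREACH_CORPUS)
    for candidate in ["P@ssword1", "correct horse battery staple", "jsmith2024!", "12345678"]:
        print(repr(candidate), check_password(candidate, "jsmith", server))
```

Note that `P@ssword1` satisfies every legacy complexity rule (upper, lower, digit, symbol) and is still rejected, while `correct horse battery staple` satisfies none of them and passes; that reversal is the whole point of the newer guidance.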

Scanning the network for password files, too, allows MSPs to identify where all accessible files containing key credentials might be kept, so these documents can be locked away from potential intruders.

Using a password auditing tool, such as Enzoic for Active Directory Lite, is a great way to evaluate the organization and determine the scope of its problem with unsafe passwords. The free tool scans your partner organization’s Active Directory environment in order to identify common and weak passwords, breached and exposed passwords, and those that have been reused.

This tool isn’t to be confused with Enzoic for Active Directory, however, which expands on mere detection and offers a continuous solution to keep unsafe passwords away from your partner organization’s information systems. Enzoic enforces a policy that prevents unsafe passwords from being created and detects and automates remediation when good passwords become compromised.

Capable of being installed in 15 minutes or less, the solution also offers a completeness that competitors lack and aims to reduce the complexity of hardening the password layer. One-click NIST password compliance screening, capabilities to set password policies and produce summary reports for admins, and a continuously updated database of compromised credentials set Enzoic for Active Directory apart. Organizations from manufacturing to financial services, and even public sector administrations such as the City of Keizer, Oregon, have used Enzoic's solutions to sharpen their password policies and make their systems more robust.

Although security has moved on since the 1960s, cyber criminals have always been engaged in systematically breaking down the defensive barriers organizations erect to safeguard their assets. In today’s age, one layer isn’t enough. Only a sophisticated approach which combines MFA with a hardened password layer can keep the cyber intruders out.

Learn more about how Enzoic can help harden your password layer as part of a layered authentication strategy

Daniel Todd

Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.

A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.

He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.