A password is a word, phrase, or string of characters intended to differentiate an authorized user or process (for the purpose of permitting access) from an unauthorized one; put another way, a password is used to prove one’s identity or to authorize access to a resource. It is strongly implied that a password is secret. A password is usually paired with a username or other identifier to provide authentication.
Today, a person may have dozens, or even more than a hundred, personal passwords to manage. In organizations the number may be higher still, and it also includes passwords embedded within applications. The sheer number of passwords generally means that, when left to humans, password practices are followed inadequately. Poor password hygiene, in turn, creates opportunities for malware and hacker exploits.
While it’s not humanly possible (at least for most humans) to adhere to best practices in manually creating and changing passwords, password management tools can automate this process.
Password managers are software applications that enforce best practices for generating and securing passwords (for example, by storing them encrypted). Using a master password or key, the user can prompt the password manager to retrieve the correct password from its database and authenticate to a system or application via form filling. Password managers can be cloud-based or browser-based, or can reside on the desktop.
Enterprise Password Managers / Privileged Password Managers are a special subset of password managers used to manage credentials for enterprise privileged accounts (root, admin, etc.).
Common Password Attack Techniques
Attackers and malware covet passwords, which allow them to access the desired resource, steal data and identities, and wreak havoc. The combination of poor password practices by users, inadequate password security controls, and automated password-cracking tools increases the risk of password theft or exposure. Here are some common credential exploit tactics:
- Brute force attacks
Repeatedly testing a password, potentially generating millions of random guesses per second, with combinations of characters (numbers, letters, and symbols) until one matches. The more mathematically complex a password, the more difficult to crack.
- Dictionary attacks
Generating password guesses based on words in a dictionary of any language.
- Pass-the-Hash (PtH) attacks
In PtH attacks, an attacker does not need to crack the hash to recover the plaintext password: once captured, the hash itself can be passed through to authenticate to other systems laterally. A hacker could elevate privileges simply by stealing the credentials of a privileged user during an RDP session.
- Pass-the-Ticket (PtT) and Golden Ticket attacks
While similar to PtH, these attacks involve copying Kerberos tickets and passing them on for lateral access across systems. A Golden Ticket attack is a variation of Pass-the-Ticket that involves stealing the credential of the krbtgt account on a domain controller, which is used to encrypt and sign ticket-granting tickets (TGTs).
- Shoulder surfing
This attack method involves observing passwords (either electronic or hard copy) as they are being entered.
- Social engineering password attacks
These attacks, such as phishing and spear phishing, involve tricking people into revealing information that can be used to gain access.
By implementing password best practices, such as via an automated tool, these attacks can be largely deflected or mitigated.
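As an added illustration of the brute-force and dictionary points above, and of the "automated tool" approach to generation, the following Python example (written for this page, not code from any password manager product) estimates how large a keyspace an exhaustive search must cover, flags wordlist hits, and generates a password with a CSPRNG the way a password manager does. The guess rate and the toy wordlist are assumed, constructed values.

```python
import math
import secrets
import string

# Character classes; once a password uses a class, an exhaustive search must cover it.
CHARSET_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32 printable ASCII symbols
}

# Constructed toy wordlist standing in for a real cracking dictionary (assumption).
TOY_WORDLIST = {"password", "welcome", "letmein", "summer", "admin"}


def keyspace_size(password: str) -> int:
    """Number of candidates a brute-force search must try in the worst case."""
    alphabet = sum(len(chars) for chars in CHARSET_CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password) if password else 0


def entropy_bits(password: str) -> float:
    """log2 of the keyspace; each extra bit doubles the brute-force work."""
    return math.log2(keyspace_size(password)) if password else 0.0


def worst_case_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Time for an attacker guessing at the given rate to exhaust the keyspace."""
    return keyspace_size(password) / guesses_per_second


def is_dictionary_word(password: str, wordlist=TOY_WORDLIST) -> bool:
    """Dictionary attacks try wordlist entries first, so a hit is effectively instant."""
    return password.lower() in wordlist


def generate_password(length: int = 20) -> str:
    """Password-manager style generation: CSPRNG draws, every class represented."""
    alphabet = "".join(CHARSET_CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CHARSET_CLASSES.values()):
            return candidate


if __name__ == "__main__":
    rate = 1e9  # assumed attacker rate: one billion guesses per second
    for pw in ("summer", "Summer1!", generate_password()):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, dictionary={is_dictionary_word(pw)}, "
              f"worst case {worst_case_crack_seconds(pw, rate):.3g} s")
```

The worst-case figure is an upper bound: a dictionary hit or a predictable pattern falls far sooner, which is why the generated password, not a human-chosen one, is the safer comparison.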