A Password is a word, phrase, or string of characters intended to differentiate an authorized user or process (for the purpose of permitting access) from an unauthorized user, or put another way, a password is used to prove one’s identity, or authorize access to a resource. It’s strongly implied that a password is secret. A password is usually paired with a username or other mechanism to provide authentication.
Password length of at least 12 characters.
Passwords should be unique, complex, and nonsensical, comprised of a mix of nonrepeating letters (upper and lower case), numbers, and symbols that do not contain dictionary words in any language, or have any other guessable context (employee ID, dates, etc.), or sequences from a keyboard like ‘qwerty’ or ‘zxcvb’.
Frequently change passwords (a process referred to as password rotation, or password resetting) for privileged passwords. The frequency of password rotation should vary based on the password age, usage, and security importance for privileged credentials. A superuser account (e.g., root, domain admin, etc.) and other highly privileged passwords should be frequently changed, including after each use—known as one-time-passwords, or (OTPs)—for your most sensitive accounts. On the other hand, the modern best practice for standard account and non-privileged passwords is to pick a strong password, but then leave it unchanged, unless the credential has been potentially compromised or put at risk.
Prohibit password re-use. Employees should be forbidden from using the same passwords across their personal and work accounts.
If you ever need to share your password, change it when the other person is done with using it.
Today, a person may have dozens, or even over a hundred, personal passwords to manage. In organizations, this number may be even higher, and also include embedded passwords within applications. The sheer number of passwords to manage generally means that, when left to humans, password practices are inadequately followed. Poor password hygiene, in turn, creates opportunities for malware and hacker exploits.
While it’s not humanly possible (at least for most humans) to adhere to best practices in manually creating and changing passwords, password management tools can automate this process.
Password Managers are software applications that enforce best practices for generating and securing passwords (such as by using encryption). By using a master password/key, the user can prompt the password manager to automatically pull the correct password from a database and authenticate into a system/software via form filling. Password managers can be cloud or browser-based, or could reside on the desktop.
Enterprise Password Managers / Privileged Password Managers are a special subset of password managers used to manage credentials for enterprise privileged accounts (root, admin, etc.).
Attackers and malware covet passwords, which allow them to access the desired resource, steal data and identities, and wreak havoc. The combination of poor password practices by users, inadequate password security controls, and automated password cracking hacker tools increase the risk of password theft or exposure. Here are some common credential exploit tactics:
Repeatedly testing a password, potentially generating millions of random guesses per second, with combinations of characters (numbers, letters, and symbols) until one matches. The more mathematically complex a password, the more difficult to crack.
Generating password guesses based on words in a dictionary of any language.
In PtH attacks, an attacker doesn’t need to decrypt the hash to obtain a plain text password, once captured, the hash can be passed through for access to lateral systems. A hacker could elevate privileges simply by stealing RDP credentials from a privileged user during an RDP session.
While similar to PtH, these involve copying Kerberos tickets and passing them on for lateral access across systems. A Golden Ticket attack is a variation of Pass-the-Ticket, involving theft of the krbtgt account on a domain controller, which encrypts ticket-granting tickets (TGT).
This attack method involves observing passwords (either electronic or hard copy) as they are being entered.
These attacks, such as phishing and spear phishing, involve tricking people into revealing information that can be used to gain access.
By implementing password best practices, such as via an automated tool, these attacks can be largely deflected or mitigated.