BeyondTrust - Secure Remote Access and Privileged Access Management

What is a Password?

A password is a word, phrase, or string of characters intended to differentiate an authorized user or process from an unauthorized one, for the purpose of permitting access (such as via logging in). Defined another way, a password is used to prove one’s identity or to authorize access to a resource. Implicit in this definition is that a password is secret. A password usually works alongside a username or other identifier to provide authentication.

Password Management & Security: 5 Best Practices

  1. Use a password length of at least 12 characters.

  2. Passwords should be unique, complex, and nonsensical. They should contain a mix of nonrepeating letters (upper and lower case), numbers, and symbols. Additionally, they should not contain dictionary words in any language, any guessable context (employee ID, dates, etc.), or sequences from a keyboard like ‘qwerty’ or ‘zxcvb’.

  3. Frequently change privileged passwords (a process referred to as password rotation, or password resetting). The rotation frequency for privileged credentials should vary based on the password’s age, usage, and security importance. Superuser accounts (e.g., root, domain admin) and other highly privileged passwords should be changed frequently; for your most sensitive accounts this means changing them after each use, known as one-time passwords (OTPs). For standard accounts and non-privileged passwords, however, it is best practice to pick a strong password and leave it unchanged, unless the credential has been, or may have been, compromised.

  4. Prohibit password re-use. Employees should not use the same passwords across their personal and work accounts.

  5. If you ever need to share your password, change it when the other person has finished using it.

Automated Password Management Tools

Today, a person may have dozens, or even over a hundred, personal passwords to manage. In organizations, this number may be even higher, and also include embedded passwords within applications. The sheer number of passwords to manage generally means that, when left to humans, password practices are inadequately followed. Poor password hygiene, in turn, creates opportunities for malware and hacker exploits.

It's not realistic for most people to adhere to best practices in manually creating and changing passwords. Password management tools can help by automating this process.

Password Managers are software applications that enforce best practices for generating and securing passwords (such as by using encryption). By using a master password/key, the user can prompt the password manager to automatically pull the correct password from a database and authenticate into a system/software via credential injection to fill the form. Password managers can be cloud or browser-based, or reside on the desktop.

Enterprise Password Managers / Privileged Password Managers are a special subset of password managers used to manage credentials for enterprise privileged accounts (root, admin, etc.).

Common Password Attack Techniques

Attackers and malware covet passwords, which allow them to access the desired resource, steal data and identities, and wreak havoc. The combination of poor password practices by users, inadequate password security controls, and automated password cracking tools increases the risk of password theft or exposure. Here are some common credential exploit tactics:

  • Brute force attacks: Repeatedly testing a password, potentially generating millions of random guesses per second, with combinations of characters (numbers, letters, and symbols) until one matches. The more mathematically complex a password, the more difficult it is to crack.

  • Dictionary attacks: Generating password guesses based on words in a dictionary of any language.

  • Pass-the-Hash (PtH) attacks: In a PtH attack, the attacker does not need to crack the hash to recover the plaintext password. Once captured, the password hash itself is presented to authenticate to other systems, enabling lateral movement. An attacker could also elevate privileges simply by stealing RDP credentials from a privileged user during an RDP session.

  • Pass-the-Ticket (PtT) and Golden Ticket attacks: While similar to PtH, these involve copying Kerberos tickets and passing them on for lateral access across systems. A Golden Ticket attack is a variation of pass-the-ticket in which the krbtgt account credentials are stolen from a domain controller; krbtgt is the account whose key encrypts ticket-granting tickets (TGTs), so its theft lets the attacker forge TGTs.

  • Shoulder surfing: This attack method involves observing someone's actions to pick up on passwords (either electronic or hard copy).

  • Social engineering password attacks: Attackers perform social engineering attacks, such as phishing and spear phishing, by tricking people into revealing information that they can use to gain access.
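Brute force and dictionary attacks leave a characteristic trail: many failed logins from one source in a short window, often followed by a success. The detection below is an added example, not BeyondTrust code; the OpenSSH-style log lines are constructed, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH syslog style (not real traffic).
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51112 ssh2
Mar 10 08:00:02 bastion sshd[4101]: Failed password for root from 203.0.113.7 port 51113 ssh2
Mar 10 08:00:02 bastion sshd[4102]: Failed password for root from 203.0.113.7 port 51114 ssh2
Mar 10 08:00:03 bastion sshd[4103]: Failed password for oracle from 203.0.113.7 port 51115 ssh2
Mar 10 08:00:04 bastion sshd[4104]: Failed password for root from 203.0.113.7 port 51116 ssh2
Mar 10 08:00:05 bastion sshd[4105]: Accepted password for root from 203.0.113.7 port 51117 ssh2
Mar 10 08:03:10 bastion sshd[4210]: Failed password for alice from 198.51.100.5 port 40000 ssh2
Mar 10 08:03:40 bastion sshd[4211]: Accepted publickey for alice from 198.51.100.5 port 40001 ssh2
"""
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(\S+) from (\S+)"
)


def parse(log, year=2026):
    """Turn sshd auth lines into (timestamp, outcome, user, source) tuples; syslog omits the year."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failures inside `window` (sliding over each failure).

    Also records whether any success follows the burst, the signal that a guess landed.
    """
    by_src = defaultdict(list)
    for ts, outcome, user, src in events:
        by_src[src].append((ts, outcome, user))
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [ts for ts, o, _ in evs if o == "Failed"]
        for i in range(len(fails)):
            j = i
            while j < len(fails) and fails[j] - fails[i] <= window:
                j += 1
            if j - i >= threshold:
                users = sorted({u for _, o, u in evs if o == "Failed"})
                success_after = any(o == "Accepted" and ts >= fails[i] for ts, o, _ in evs)
                alerts[src] = {"failures": j - i, "users": users, "success_after": success_after}
                break
    return alerts
```

A single failed login from 198.51.100.5 stays below the threshold, while the burst from 203.0.113.7 is flagged, together with the fact that a success followed it.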

By implementing password management best practices, such as via an automated tool, organizations can largely deflect or mitigate these attacks.
