By Roger Grimes at KnowBe4
Despite the world’s best efforts to get everyone off passwords and onto something else (e.g., MFA, passwordless authentication, biometrics, zero trust, etc.) for decades, passwords have pervasively persisted. Today, nearly everyone has multiple forms of MFA for different applications and websites AND many,
The average person has somewhere between three to seven unique passwords that they share among over
- The average person has 19 passwords – but 1 in 3 don’t make them strong enough (Naked Security)
- The average employee manages nearly 200 passwords (Dark Reading)
- Password security habits survey results (Digital Guardian)
- Average number of passwords per person (Answers.com)
- The average business user has 191 passwords (Security Magazine)
And, unfortunately, those passwords often get stolen or guessed. This is why I recommend the following password policy guide:
Most computer security experts agree with these policy recommendations, but more than a few readers might be shaking their heads, especially at the recommendations to use
Read on.
Major Categories of Password Attacks
In general, password attacks fall into four different major categories:
- Password theft
- Password guessing
- Password hash theft and cracking
- Unauthorized password resetting or bypass
Each will be expanded on below.
Password Theft
Theft of passwords is by far the most prolific type of password attack, usually by social engineering of some type, but it can also be due to malware and hacking tools. The most common theft method is a traditional phishing email where the sender is pretending to be some organization that the potential victim has a relationship with, which contains a message and link prompting the user to type in their real login name and password. Here is a common example pretending to be from Zoom telling me my Zoom service has
The sender’s email address and the URL link I would have to click are clearly not from Zoom.com, as it would be if the email
Today, most malware looks for and attempts to steal as many passwords as it can. If the victim gets tricked into running malicious content, the malware will look in many areas to find and steal the user’s
- Device memory
- Browser password caches and
storage areas - On storage disks
- As typed in by the user
- Extracting them from running programs
and processes
If hackers can get access to the victim’s device or network, they will often run password-stealing utilities to extract or eavesdrop on passwords. Here is an example of a hacker tool known as Responder being used to capture a password hash transmitted by a victim viewing or clicking a malicious phishing email with an embedded secret link, which unbeknownst to the user, starts a
The hacker gets the password hash from the surreptitious login session, which he then converts to a plaintext password
Another way hackers get user passwords is by compromising websites and services that a user authenticates to. The average user logs into over
And sadly, sometimes all you have to do is ask for someone’s password. Although not nearly as common as other techniques, hackers can also call or ask a victim in person what their password is. If you think that no one would reveal their password to a complete stranger, you would be incorrect. Watch this clip from
In general, many tens of millions of passwords are stolen, one way or another, from end users each year. Stolen passwords often end up in public or private file or database repositories, where they can be offered for sale or even queried for free
Password Guessing
Passwords can also be guessed. All the attacker needs is an accessible login portal the victim can log into with a login name and password, and the ability to guess multiple times over a long period of time. Then, the attacker manually guesses or uses an automated password guessing tool. The shorter and simpler the password, the easier it is to guess. If the involved login portal does not have “rate throttling” or “account lockout”, an attacker can guess a dozen to thousands of times
Since most user’s passwords are less than
One Internet-based company, Akamai, said they saw
Password Hash Theft and Cracking
Another popular password attack is password hash cracking. In most modern-day operating systems, any typed in password is transformed by a cryptographic hash algorithm into a representative hash of the password
A user’s password hash is stored in password authentication databases that the operating system uses to authenticate the user. If an attacker can retrieve a user’s password hash, however they do this, they can guess at
Password hash cracking is done externally to the user’s login system. The hacker does not need to be on the victim’s network, and rate throttling and account lockout cannot be implemented to slow down the guessing. Attackers with the appropriate password hash cracking hardware
It is well-known that within the password hacking community, that “normal” human created passwords up to
Unauthorized Password Resetting or Bypass
Another common password attack is for a hacker to utilize a method which resets the user’s password or simply bypasses it altogether. Most popular large authentication systems allow users to self-reset their own passwords. These are needed because one of the most popular support calls is a user forgetting or needing to reset their password. Password calls to tech support are so common that if they were all handled by a human, it would require significantly more resources and money than the involved organization has to spend. So, many/most organizations create or enable a
How the hacker is able to do this varies by authentication system and self-help reset portal, but just know that millions of passwords are reset each year by attackers. The hacker then takes over the account
In summary, passwords are compromised by the many tens of millions each year, using password theft, guessing, hash cracking and unauthorized
Password Attack Defenses
The password attack defenses can be summarized by the following, in order
- Use phishing-resistant MFA whenever possible
- Mitigate social engineering to prevent password theft
- Use a different, non-guessible password for each site
and service - Use a password manager wherever you are able to allow perfectly random passwords to be created and used, without the user having to create or
re-type them - Where a password manager cannot be allowed, users should create long and/or complex passwords or passphrases, different for each site
and service - All passwords should be changed, at least annually
There are dozens of other good password attack mitigations which should be implemented by users
If you can use phishing-resistant multifactor authentication (MFA) instead of a password, try to do that. A hacker cannot steal, guess or bypass your password if you do not have one. It is key to use
- Don’t Use Easily Phishable MFA and That’s Most MFA!
- My List of Good, Strong MFA
- Why Is the Majority of Our MFA So Phishable?
Unfortunately, most sites and services do not yet support MFA and users will continue to have to use login names and passwords across more sites and services than MFA can help with. The single best tactic a user can do to prevent password hacking
There is no other single defense that does more to prevent password theft than to mitigate social engineering
The second-best thing a user can do is to make sure they use different passwords for every site and service. This prevents one compromised password from more easily allowing additional compromises to other sites and services used by
A perfectly random 11-12-character password, like those created and used by password manager programs, is considered unguessable and uncrackable by any known password guessing attack
If you are not familiar with password manager programs or are unsure of which password manager program to use, Wired Magazine has a great article on
In closing, password attacks are very common and one of the highest cybersecurity risks to any user and organization. Most password attacks happen because a user’s password
