When Strict Password Policies Backfire

Passwords that are changed more frequently are more secure, right?

Not necessarily.

I was working with an organization that takes security seriously. Defense in depth and least privilege permeate their environment. Users do not have administrator privileges and are not allowed to remotely login to systems. Network segmentation keeps a compromised workstation from reaching the administrator interfaces on servers. Only the network traffic that is needed is allowed from zone to zone.

These are all good security practices and one-by-one raise the bar for the attacker.

Then there’s the password policy:

  • Minimum of 8 characters
  • Complexity rules enforced
  • Passwords must be changed every 30 days
  • 30 minute account lockout after 5 invalid login attempts

On the surface, this looks like a strong password policy. This organization recently made the change from changing passwords annually to every 30 days.

As an employee, a complex 8-character password is difficult enough to remember, but making me change it every 30-90 days means I will be more likely to select an easy to remember password.

As a Penetration Tester, I see a 90-day to 30-day password rotation policy as an opening that I may be able to exploit. Easy to remember passwords are often easy to guess.

For this client, I decided to perform a password spray attack against their user list. I had obtained the user list through two other exploits, one with a printer address book, and another through weaknesses in the Active Directory Domain Controller configuration.

For those who are not familiar with password spraying, it is a technique where a few commonly used passwords are attempted across many accounts. This differs from a brute force attack where many passwords are tried for a single account.

With a 30-day password rotation policy, I was pretty sure someone would have June2019! or July2019! as their password. And I was right.

On my first two password spray attempts (without triggering an account lockout), I now had access to two user accounts.

In case you’re wondering what this looks like from the Pen Tester’s perspective, here’s a screenshot (with identifying info greyed out):

Console output showing a password spray attack

Each line is an attempted login to an Active Directory Domain Controller with the June2019! password on a different account. Near the bottom you see a “Success” line.

Now I’ve escalated privilege from simple internal network access to valid user account access.

You may be wondering, “So what am I supposed to do to ensure my passwords aren’t vulnerable to attacks like these?”

In early 2018 NIST updated their password guidance in 800-63B Digital Identity Guidelines specifically to address this weakness. Their updated guidance includes the following:

  1. Allow passwords of at least 64 characters to support the use of passphrases
  2. Encourage users to make passwords as long as they want (aiding memorization). For example, “My favorite meal is pizza and beer” is a strong password and easy to remember.
  3. Do not impose complexity rules on passwords. Research has shown that users respond in very predictable ways to complexity requirements (e.g. Password1! instead of password)
  4. Do not require passwords be changed arbitrarily unless there is evidence of compromise of the password.
  5. New passwords should be validated against a list of commonly used, expected, compromised passwords (e.g. dictionary words, repetitive or sequential characters like ‘aaaaaaaa’ or ‘abcd1234’), and context-specific words such as a derivative of the company name and username. If the new password is rejected due to one of these rules, the system should provide the reason for rejection and require the user to select a different password.

Items 1-4 can be achieved with a simple password policy change. Item #5 typically requires an add-on software component to provide this level of validation.

When this NIST guidance came out, many were surprised by it. But the risk introduced with a strict password policy that does not follow this guidance is easily illustrated with a quality Penetration Test.

A Penetration Test serves as useful after-the-fact password strength validation process using a real-world attack scenario.

At Go Security Pro we provide robust, audit ready Penetration Tests. We provide a free no-obligation consultation and would love to speak with you about your specific business needs.

To Your Security,
Geoff Wilson
CEO, Go Security Pro