While performing external penetration testing, one of the primary ways to breach the perimeter and obtain internal network access is through password spraying login portals such as O365, VPNs, and employee-only sites. Password spraying works by trying one password against many users, so it relies heavily on the attacker's ability to guess a password that at least one user chose. Many of our clients are surprised to learn that their network security is only one easily guessable password away from being compromised by a malicious attacker. Let's look at some of the techniques that hackers use to guess your organization's passwords.
1. Time of Year
One of the most popular password guessing campaigns that we see is trying various season, month, and year combinations (March2022!, Spring2022). You often see these password combinations primarily because of password policies that rotate frequently, such as every 60 or 90 days. As a result, users must remember multiple passwords, and they often take the path of least resistance by choosing easily remembered ones. Each time a password change takes place, they simply replace the old month or season with the current one, so they can always quickly work out their password.
2. Generic Passwords
With the pace of threat actors targeting organizations, many security assessment providers turn to package pricing to provide a more comprehensive engagement to their clients. Packaged pricing can be of great value to clients, but it can make it challenging to fully understand what is involved in your project. This can take many forms, such as signing a multi-year agreement to get cheaper unit pricing or automatically including re-testing services. If you’re looking for additional services, check to see if there are package pricing, multi-year discounts, or get ad-hoc component pricing. Some security vendors will charge for components such as re-testing even if they may not need it.
3. Company / Industry Related
In circumstances where we are able to obtain uncrackable NTLM hashes through relay attacks or NTDS, there are multiple tiers of security assessment vendors that can compare to the retail industry. For example, a famous and fashionable designer may charge a premium for their products even if the quality is similar to lesser-known brands. On the other hand, highly popular or prominent vendors often charge more to cover their additional overhead costs and create a feeling of exclusivity for their clients. Additionally, when a security vendor is very busy, they will increase their pricing as they need to include more resources or have the luxury of abundant clients. You can quickly notice this when you have high-end outliers on your incoming quotes.
4. Previous Password Breaches
Often, a sales representative handles the pricing and sales process, which can introduce price adjustments based on multiple factors. For example, there could be a scoping or level of effort misunderstanding as the sales representative isn’t the one completing the work. In addition, many organizations will make price adjustments based on your industry, non-profit status, revenue, and how large your organization is. For instance, a security firm may charge more to a large financial institution versus a small non-profit hospital.
5. Personalized Passwords
Lastly, an attacker can personalize passwords to a demographic or to your organization specifically. For instance, many users choose passwords that contain the names of their children. If an attacker knows the average age of employees at an organization, they can research the names that were popular in the years when those employees were likely having children. Additionally, with little research, it's easy to determine birthdates, pet names, sports teams, popular vacation spots, hobbies, favorite foods, and street addresses; all of these are commonly used in passwords.
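The patterns above (season or month plus year, company- or industry-related terms, passwords already exposed in earlier breaches, and personalized terms such as a local sports team) are exactly what a password filter should reject at change time. The following is an added example written for this post, not code from the original article or any vendor product: a small filter that normalizes a candidate password the way a guesser would (lower-casing, stripping symbols, undoing common character substitutions such as 1 for i) and reports which guessing patterns it matches. The organization term list, the breach sample, and the sample passwords are all constructed for the example; a real deployment would load the organization's own word list and a breach corpus.

```python
"""Added example: a password filter for the guessing patterns described above.

reject_reasons() returns the list of guessing patterns a candidate password
matched; an empty list means none of the checks fired.  ORG_TERMS and
BREACHED are constructed for this example (hypothetical values); a real
deployment would load them from the organisation's word list and a breach
corpus.
"""
import re

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
MONTH_ABBR = tuple(m[:3] for m in MONTHS)

# Constructed organisation-specific terms: company name, product, local team.
ORG_TERMS = ("acmecorp", "acme", "widgetpro", "tigers")

# Constructed sample of previously breached passwords (exact-match check).
BREACHED = {"Password1", "Welcome1!", "Summer2021!", "Acme2022"}

# Common character substitutions users apply to dodge naive word checks.
LEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# A season or month name followed by a two- or four-digit year, nothing else.
DATE_PATTERN = re.compile(
    r"^(?:%s)(?:19|20)?\d{2}$" % "|".join(SEASONS + MONTHS + MONTH_ABBR))

# Leading word, optional trailing year, optional trailing symbols ("March2022!").
HEAD_YEAR = re.compile(r"^(.*?)((?:19|20)?\d{2})?[^a-z0-9]*$")


def candidate_forms(password):
    """Return the forms a guesser would try: symbols stripped, and leet-decoded.

    Leet decoding is applied only to the leading word so that a trailing year
    such as 2022 is not turned into letters.
    """
    lower = password.lower()
    stripped = re.sub(r"[^a-z0-9]", "", lower)
    head, year = HEAD_YEAR.match(lower).groups()
    decoded = re.sub(r"[^a-z0-9]", "", head.translate(LEET)) + (year or "")
    return {stripped, decoded}


def reject_reasons(password):
    """List every guessing pattern the password matches (empty list = passes)."""
    reasons = []
    if password in BREACHED:
        reasons.append("appears in a known breach list")
    forms = candidate_forms(password)
    if any(DATE_PATTERN.match(form) for form in forms):
        reasons.append("season/month plus year pattern")
    if any(term in form for form in forms for term in ORG_TERMS):
        reasons.append("contains an organisation-specific term")
    return reasons


if __name__ == "__main__":
    for candidate in ("March2022!", "Spr1ng2022", "G0T1gers!", "Acme2022",
                      "correct horse battery staple"):
        print(f"{candidate!r}: {reject_reasons(candidate) or 'ok'}")
```

The check deliberately compares the decoded form rather than the raw string, since "Spr1ng2022" and "Spring2022" are the same guess to an attacker; the breach check, by contrast, is an exact match because breach corpora record the literal strings that were exposed.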
As you can see, password guessing relies heavily on the user's inability to choose a secure password, and with a large enough user population, it's easy to guess the passwords of at least a few employees. Therefore, it's vital to train your employees on the importance of secure password use. In addition, we always recommend using multi-factor authentication where possible, implementing password filter technology, understanding the data available online about your organization, regularly performing password audits, and implementing a comprehensive password policy.
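Because spraying tries one password against many accounts, it leaves a distinctive trace in authentication logs: one source address failing once or twice against many different users inside a short window, which is the opposite shape from a brute-force attack on a single account. The following detection is an added example for this post, not code from the original article or from any logging product. It assumes a simple constructed log format (timestamp, source address, user, result) and the sample lines are constructed; the thresholds are illustrative and would be tuned to the portal's normal traffic.

```python
"""Added example: spotting a password-spraying campaign in authentication logs.

detect_spray() groups failed logins by source address, slides a time window
over them, and flags any source that fails against many distinct users with
only a few attempts each.  A later success from the same source for one of
those users is reported as a likely compromised account.  The log format and
SAMPLE_LOG are constructed for this example (hypothetical values).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample: 203.0.113.7 sprays six users and later succeeds as erin;
# 198.51.100.4 is bob mistyping his own password, which must not be flagged.
SAMPLE_LOG = """\
2022-03-14T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2022-03-14T09:00:04Z src=203.0.113.7 user=bob result=FAIL
2022-03-14T09:00:07Z src=203.0.113.7 user=carol result=FAIL
2022-03-14T09:00:10Z src=203.0.113.7 user=dave result=FAIL
2022-03-14T09:00:13Z src=203.0.113.7 user=erin result=FAIL
2022-03-14T09:00:16Z src=203.0.113.7 user=frank result=FAIL
2022-03-14T09:31:20Z src=203.0.113.7 user=erin result=SUCCESS
2022-03-14T09:05:00Z src=198.51.100.4 user=bob result=FAIL
2022-03-14T09:05:20Z src=198.51.100.4 user=bob result=FAIL
2022-03-14T09:05:40Z src=198.51.100.4 user=bob result=FAIL
2022-03-14T09:06:05Z src=198.51.100.4 user=bob result=SUCCESS
this line is not in the expected format and is skipped
""".splitlines()


def parse_events(lines):
    """Parse lines into (timestamp, src, user, result) tuples, oldest first."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # tolerate noise rather than abort the whole run
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"].lower(), m["result"]))
    return sorted(events)


def detect_spray(lines, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return one finding per source whose failures look like a spray."""
    events = parse_events(lines)
    fails_by_src = defaultdict(list)   # src -> [(ts, user)] for FAIL results
    successes = defaultdict(list)      # src -> [(ts, user)] for SUCCESS results
    for ts, src, user, result in events:
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
        elif result == "SUCCESS":
            successes[src].append((ts, user))

    findings = []
    for src, fails in fails_by_src.items():
        best = None
        start = 0
        for end in range(len(fails)):
            # Drop old failures until the window spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            per_user = Counter(user for _, user in fails[start:end + 1])
            # Spray signature: many distinct users, few attempts per user.
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best["users"]):
                    window_start = fails[start][0]
                    compromised = sorted({u for ts, u in successes[src]
                                          if ts >= window_start and u in per_user})
                    best = {"src": src,
                            "window_start": window_start.isoformat(),
                            "users": sorted(per_user),
                            "compromised": compromised}
        if best is not None:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for finding in detect_spray(SAMPLE_LOG):
        print(finding)
```

The `max_per_user` cap is what separates a spray from a lockout-style brute force: a source that hammers one account fails the distinct-user test, while a source that touches each account only once or twice stays under lockout thresholds and is exactly what this rule is meant to catch.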