Compromised Passwords: Impact and 6 Ways to Prevent Compromise
What Are Compromised Passwords?
The term compromised passwords refers to any password that has been obtained by unauthorized parties. Attackers can compromise passwords through various means, such as hacking, phishing, or data breaches, and use them to gain unauthorized access to online accounts or sensitive information. According to the Verizon 2022 Data Breach Investigations Report, over 90% of breaches involved compromised credentials.
When a password is compromised, it means that someone other than the intended user has access to it. This can happen in a number of ways, such as when a user shares their password with someone else, uses an easily guessable password, or when a website’s database is breached and user passwords are stolen. Compromised passwords can lead to unauthorized access, identity theft, financial loss, data breaches, and reputational damage.
This is part of a series of articles about insider threat.
What Is the Impact of Compromised Passwords?
Compromised passwords pose significant threats, including:
- Unauthorized access: Compromised passwords can allow hackers and unauthorized individuals to gain access to user accounts, where they can steal sensitive data or perform malicious activities.
- Identity theft: Hackers can use compromised passwords to impersonate users and gain access to additional accounts or personal information, which can be used for identity theft.
- Financial loss: Compromised passwords can be used to gain access to financial accounts, allowing hackers to steal funds or make unauthorized transactions.
- Data breaches: Compromised passwords can contribute to larger data breaches, where thousands or even millions of user accounts are compromised, potentially exposing sensitive data of a company or organization.
- Reputational damage: Compromised passwords resulting in a breach can damage the reputation of individuals and organizations, causing a loss of trust from customers or partners.
How Your Passwords Become Compromised
There are several ways in which passwords can become compromised, including:
Brute force attacks are a method where an attacker tries every possible combination of characters until the correct password is discovered. This method can be automated with software that can test thousands of passwords per second. Brute force attacks are more likely to be successful when passwords are weak, short, or easily guessable.
Social engineering is a technique where an attacker tricks or manipulates the user into revealing their password. This can be done through various means, such as phishing emails, phone calls, or social media messages that appear legitimate but are actually from a hacker. Social engineering attacks rely on human vulnerability, such as fear or curiosity, to gain access to passwords.
Password theft can occur when a hacker gains access to a website or service’s database of passwords. This can happen through data breaches, where a company’s security is compromised, or through attacks on user devices. Once the hacker has access to the passwords, they can use them to gain access to user accounts.
Another way in which passwords can become compromised is through a malicious insider: an employee, contractor, or other person within the organization who abuses their access privileges to obtain sensitive information, including passwords. Malicious insiders pose a significant threat because they often have direct access to critical systems, data, and infrastructure.
Malicious insiders can compromise passwords via:
- Unauthorized access: gaining access to password databases, repositories, or backups, which may contain unencrypted or poorly encrypted passwords.
- Insider-assisted social engineering: working in collaboration with external attackers, providing insider knowledge or access to sensitive information to aid in the success of social engineering attacks.
- Password interception: intercepting passwords as they are entered or transmitted over a network, using keylogging, network sniffing, or other monitoring techniques.
6 Ways to Prevent Compromised Passwords in Your Organization
1. Use a Password Manager
A password manager is a software tool that stores all of your passwords securely in one place. Password managers can generate strong, unique passwords for each of your accounts and remember them for you, so you don’t have to rely on your memory or write them down. This can prevent weak passwords and reduce the risk of password reuse.
2. Strengthen Passwords With Hashing and Salting
Hashing and salting are methods used by websites and services to protect user passwords stored in their databases. These methods can make it much more difficult for attackers to obtain user passwords even if they manage to gain access to the database.
Hashing involves transforming the password into a fixed-length string of characters using a one-way mathematical algorithm, so it cannot be reversed. Salting adds a random string of characters to each password before hashing it, so that identical passwords produce different hashes and each stored hash has to be attacked separately, which makes brute force cracking far more expensive.
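As an added example (not code from the original article), here is the weak unsalted scheme beside the hardened one, salted and iterated PBKDF2-HMAC-SHA256, in Python; the iteration count and the stored record layout are assumptions:

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed iteration count; raise it as far as your login latency budget allows.
ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a bare one-way hash. Equal passwords give equal hashes,
    so one precomputed table cracks every user who chose the same password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """The hardened scheme: a random per-user salt plus a slow, iterated hash.
    Returns the record to store (hex salt, iteration count, hex derived key)."""
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def same_password_distinct_hashes(password: str, iterations: int = ITERATIONS) -> bool:
    """Two users with the same password get different stored hashes (different salts),
    yet both still verify; this is what defeats shared precomputed tables."""
    a = hash_password(password, iterations=iterations)
    b = hash_password(password, iterations=iterations)
    return (a["hash"] != b["hash"]
            and verify_password(password, a) and verify_password(password, b))


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))
```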
3. Use Multi-Factor Authentication
Multi-factor authentication (MFA) adds an extra layer of security to your accounts by requiring additional information beyond your password to log in. This can include:
- Something you know, such as a PIN.
- Something you have, such as a security token or your smartphone.
- Something you are, such as a fingerprint.
There are several types of MFA methods, including:
- SMS-based authentication: A code is sent to your phone as an SMS text message. You need to enter this code to complete the login process.
- Authenticator apps: Authenticator apps generate a unique code that you need to enter to access your account. These apps are typically linked to your phone or other device.
- Biometric authentication: This method uses your physical characteristics, such as fingerprints or facial recognition, to verify your identity and grant access to your account.
- Hardware tokens: Hardware tokens are physical devices that generate a unique code that you need to enter to access your account.
MFA ensures that even if an attacker manages to obtain your password, they still need to provide the additional information to access your account. This makes it more difficult for attackers to gain unauthorized access to your sensitive information, personal data, or financial accounts.
4. Delete Inactive Accounts
Inactive accounts are those that have not been used in a long time or have been abandoned. These accounts can still contain sensitive information, such as your personal details, payment information, or other confidential data. If these accounts have weak or reused passwords, they can be easily compromised by hackers or cybercriminals. Deleting inactive accounts can help reduce the risk of a data breach or unauthorized access to your personal information.
5. Monitor Service Accounts
Service accounts are non-human user accounts created for applications, services, and other automated processes or data exchanges from one server to another within an organization. These accounts can have privileged access to sensitive resources and are an attractive target for attackers. To prevent compromised passwords in your organization, it is essential to monitor and secure service accounts effectively.
6. Use Behavioral Analytics for Users and Devices
To identify and prevent compromised passwords, organizations can use behavioral analytics to detect unusual patterns in user and device activities. By analyzing and learning from historical data, these systems can recognize deviations from typical behaviors and flag potential security threats. Behavioral analytics systems typically work as follows:
- Establish a behavioral baseline of all users, roles and devices in your organization. This baseline can help identify anomalies that may indicate a compromised password or other security issues.
- Detect deviations from the established baseline. These tools can identify unusual login attempts, changes in user access patterns, or device activities that may be indicative of a compromised password or unauthorized access.
- Set up alerts and notifications to inform security teams when anomalies are detected. This enables a rapid response to potential security incidents and helps mitigate the damage caused by compromised passwords.
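The three steps above as an added Python example (not Exabeam's code or the article's): a per-user baseline of countries, devices and login hours is learned from constructed sample events, each new event is scored against that baseline, and events at or above a threshold become alerts. The event format, the scoring weights and the threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real data): "<ISO time> <user> <country> <device> <outcome>"
BASELINE_LOG = """2024-03-01T08:12:00 alice US laptop-01 success
2024-03-01T17:45:00 alice US laptop-01 success
2024-03-01T07:50:00 bob DE desk-22 success"""
NEW_LOG = """2024-03-04T08:30:00 alice US laptop-01 success
2024-03-04T03:14:00 alice BR unknown-vm success
2024-03-04T08:10:00 bob DE desk-22 success"""
# Assumed weights: how much each deviation from the baseline raises the risk score.
WEIGHTS = {"new country": 3, "new device": 2, "off-hours": 2, "unknown user": 5}

def parse(log: str) -> list:
    events = []
    for line in log.splitlines():
        ts, user, country, device, outcome = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "country": country, "device": device, "outcome": outcome})
    return events

def build_baseline(events: list) -> dict:
    # Step 1: per user, the countries, devices and hours seen in successful logins.
    base = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set()})
    for e in events:
        if e["outcome"] == "success":
            base[e["user"]]["countries"].add(e["country"])
            base[e["user"]]["devices"].add(e["device"])
            base[e["user"]]["hours"].add(e["time"].hour)
    return base

def score_event(e: dict, baseline: dict) -> tuple:
    # Step 2: list how this event deviates from its user's baseline and sum the weights.
    b = baseline.get(e["user"])
    if b is None:  # no history at all is itself worth a look
        return WEIGHTS["unknown user"], ["unknown user"]
    checks = [("new country", e["country"] not in b["countries"]),
              ("new device", e["device"] not in b["devices"]),
              # off-hours: more than an hour away from every usual login hour
              ("off-hours", not any(abs(e["time"].hour - h) <= 1 for h in b["hours"]))]
    reasons = [label for label, hit in checks if hit]
    return sum(WEIGHTS[r] for r in reasons), reasons

def detect(baseline_log: str, new_log: str, threshold: int = 4) -> list:
    # Step 3: alerts (user, time, score, reasons) for events at or above the threshold.
    baseline = build_baseline(parse(baseline_log))
    scored = [(e, score_event(e, baseline)) for e in parse(new_log)]
    return [(e["user"], e["time"].isoformat(), s, r) for e, (s, r) in scored if s >= threshold]
```

Run on the sample data, only alice's 03:14 login from a new country on an unknown device is raised; her usual morning login and bob's scores zero.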
Compromised Passwords with Exabeam
Initial password attacks and compromises from the outside include (but are not limited to) brute force, credential stuffing, pass-the-hash, golden and silver ticket attacks, Mimikatz activity, and more. Many of these are visible via signature-based detection, correlation rules, or other data visualization across all five Exabeam products. However, not all compromised credentials are the result of an attack – as we learned when the Lapsus$ group bought full credential sets from employees.
Exabeam helps detect compromised passwords and their actions in your network by offering industry-leading UEBA. UEBA baselines the normal behavior of users and devices with histograms to detect, prioritize, and respond to anomalies based on risk. Understanding normal allows you to detect the behaviors missed by other tools, such as lateral movement, privilege escalation, credential swapping, and more.
Exabeam Fusion, Exabeam Security Investigation, and Exabeam Security Analytics all contain UEBA to baseline normal activity for all users and entities, sorting all notable events visually and chronologically within an automated Smart Timeline.