73% of breaches now involve stolen passwords, more than half of which (60%) are able to be cracked by hackers through simple guesswork, a new nine-month penetration testing study by Rapid7 has found.
Despite the huge amount of user training about the importance of strong unique passwords, Rapid7 penetration testers were able to crack 60% of passwords by trying known defaults, variations of the word “password”, the current season and year, and easily guessable organisation-specific passwords. This outcome is the result of 180 penetration testing engagements the company has done for a variety of organisations.
The single biggest method, though, for obtaining user credentials is by offline password hacking with a hash file. This method involves taking a list of password hashes and working out what passwords generate those hashes.
Challenge-response authentication traffic and shadow password storage techniques were also reported to include eavesdropping on password authentication or seeking a user’s password in an encrypted format alongside what it can access. Rapid7’s penetration testers noted, though, that a large proportion of cracked passwords obtained via this method would’ve been guessable given more time.
These are the results from Rapid7’s annual Under the Hoodie report, now into its third year, which draws on the insights from 180 penetration tests over a nine-month period between mid-September 2018 and the end of May 2019.
The report uncovers which vulnerabilities are most common within organisations, exploring internal and external network assessments, physical intrusions, in-person and electronic social-engineering techniques, and non-production code reviews.
Other findings from the report include how a weak transport layer is the most common security vulnerability within organisations (affecting one in five), highlighting old or absent encryption standards employed in externally facing resources.
Tod Beardsley, research director, Rapid7 said, “It’s common today to ensure that passwords include an uppercase letter, lowercase letter, a number, and special character, and force users to change their password every 90 days, but such password restrictions tend to reduce password complexity — not enhance it. Humans will game this system by using schemes like “Summer2019!” followed by “Autumn2019!” over and over again.”
“Organisations should seriously consider assigning random passwords through a password management application, which would be worlds better than merely enforcing password complexity and rotation rules.”