Passwords (also commonly called credentials) have become one of the primary targets of cyber attackers, especially attackers with more advanced skill sets or those who are attempting to persist long-term in an organization’s environment.
TTPs (Tactics, Techniques and Procedures) is a taxonomy defining the common behaviors of cyber attackers when targeting, hacking into, and persisting within an organization’s environment. A variety of reports, data, and statistics have demonstrated a shift in how threat actor TTPs have changed from a focus on malware to a focus on passwords. Phishing used to be a means to infect a computer; now phishing and social engineering-related attacks have become the means to gain valid passwords.
The reason for this change is it is much harder for security teams to detect an intruder if that intruder is using valid credentials to pivot and traverse through an organization’s systems and data. The term is called ‘living off the land’ and implies a cyber attacker is using the same valid tools and credentials that authorized individuals use, so the cyber attacker's activities blend in and appear to be legitimate.
This is why passwords have become one of the primary targets and why stolen or compromised credentials have become one of the top risks for organizations.
4 Best Practices for Passwords We Recommend You Focus On
- Use Passphrases: Replace password complexity with password length whenever possible, and teach people the concept of passphrases. Both password complexity and password expiration are no longer best practices and in most cases cause more harm than good. Passphrases can be a sentence or a series of random words that create long passwords that are both easier to remember and type. Take, for example, the passphrase “honey-bricks-bored-concise”.
- Make Passwords Unique: Emphasize and train on the importance that every account (both work and personal) has a unique password for that account. This ensures that if one account is compromised, all other accounts are still secure.
- Use a Password Manager: If allowed, encourage the use of password managers. Managing a long, unique password for each account is difficult for people, as many people can have over 100 passwords. The simpler we make a behavior, the more likely people will exhibit it. If your organization prohibits the use of password managers, then perhaps encourage people to employ them for personal use.
- Use Multi-Factor Authentication: Whenever possible, people should leverage Multi-Factor Authentication (commonly called Two-Factor Authentication or Two-Step Verification) for their work and personal accounts. While multiple versions of MFA exist, Phishing-Resistant MFA is considered the strongest. Here is a simple explainer of the different types of MFA and which options are the strongest.
Finally, here are four fantastic OUCH! Security Awareness Newsletters you can share with your workforce on how to securely create and use passwords:
Become an expert in how to best secure your workforce, including using passwords, in the intense three-day SANS MGT433 Managing Human Risk course.