The weakest link
Imagine, just for a minute, that your web server infrastructure was a castle which you spent lots of time and resources fortifying. You built high walls, watch towers, retracting bridges, moats, solid iron bars across the windows, and so on and so forth to keep your enemies out. Now imagine that your enemy happens to have a copy of the key to the front door! I use this comical analogy to make a serious point: what good is even the most locked down web server in the world if your enemy can exploit weak passwords to bypass everything else you’ve secured?
You’ve probably heard this many times before but passwords really are, more often than not, the weakest link in the security chain. What’s even more worrying is that they are also the forgotten link; regularly an afterthought for users, web developers or web server admins.
However, every so often, weak passwords make the news and remind us of the importance of implementing a strong password policy in our web based applications. Here are some examples of leaked password lists following an attack.
- In 2009, over 10,000 Hotmail passwords were leaked online. An analysis of these passwords revealed that a staggering 42% of them contained only lowercase alpha characters (a-z) and the majority of passwords were between 6-9 characters long.
- In 2010, details of over one million Gawker media website users were leaked online. These details included usernames, e-mail addresses and passwords. Shockingly, the most popular password was “123456” with “password” in second place. Several hundred users chose to use the name of one of the Gawker media websites (e.g. “gizmodo”, “lifehack”) as their password.
- In 2013, a dump containing user data such as usernames, e-mail addresses, password hashes, and password hints for millions of Adobe customers was leaked online. Inspired by this leak, a list of the worst passwords of 2013 was published that shows passwords like “password1”, “letmein”, and “123456” are more common than we think.
When you perform a statistical analysis of all these leaked passwords together, it is shocking to discover what the most common passwords are. The reason as to why someone would choose such a weak password is open for debate – Laziness? Lack of education? Reluctance to believe you will be a target? Whatever the reason, one thing’s for sure, such revelations should allow us to learn from other people’s mistakes and make sure we do not use such weak passwords!
The truth is that with so many passwords to remember for so many different systems, it’s easy to get caught in the trap of using the same password (or a minor variation of it) multiple times. If you do this and one password becomes compromised, you have essentially given the attacker one key to many doors. As such, there needs to be a balance between choosing a password that is complex enough to be difficult to guess or crack yet simple enough for you to remember.
What are the risks?
The risks should be pretty obvious but worth pointing out nevertheless. If someone was to obtain a password they could potentially access the contents of the password-protected page or take control of the page altogether.
There are multiple ways an attacker can obtain a password (e.g. social engineering, network intrusion). Discussing these are beyond the scope of this post but, when it comes to web security and specifically web form authentication, it is important to keep in mind that the most popular form of attack is a dictionary or brute force attack. This is where the attacker attempts to login to the password-protected page over and over again using username and password combinations which they obtain from a pre-populated list of words (referred to as the dictionary).
What can you do?
There are a number of steps you can take to reduce the risks and increase web security.
First and foremost, you should build a strong password. The definition of a strong password varies, but generally it should have the following properties:
- Be at least 8-10 characters long; ideally longer (especially for administrative accounts)
- Use uppercase and lowercase characters
- Use alpha and numeric characters, including special characters (e.g. !?$£#@%)
- Should not be easily guessable like company names, pets name, etc.
- Not be a word from a common dictionary (e.g. orange, computer, television)
- Not have any part of the username in it
Additionally, you should endeavour to:
- Change the password every 60-90 days
- Not share the password with anyone
- As a web developer, use cryptographic algorithms and salt passwords for password protected areas of the site
- As a web developer, implement an account lockout method to disable the account after a number of failed attempts. This will add an extra layer of protection against brute force attacks.
Another thing you can do is to perform a periodic security audit of your website using a web vulnerability scanning tool such as Acunetix Web Vulnerability Scanner. Such tools can simulate password dictionary attacks against pages with web form authentication and highlight weak passwords, giving you a chance to fix any issues discovered and tighten security before it is too late.
Weak_Passwords Scanning Profile
Acunetix Web Vulnerability Scanner comes with a built-in scanning profile specifically for weak passwords. The scripts that will be executed against the website with each scan are:
- PerFolder > Basic_Auth_Over_HTTP.script
- PerScheme > HTML_Authentication_Audit.script
When a scan has finished, the Scan Results pane shows a tree with the different parts of the site that were scanned and the status of the vulnerability check grouped into three main sections: Web Alerts, Knowledge Base, Site Structure.
The screenshot below shows the results of the Weak_Passwords profile that was run against a test website. In this instance it has identified 21 Alerts, some of which are related to passwords.
- The “Weak Password” vulnerability is a high severity alert that notifies you of the fact that the password on that page has been guessed by Acunetix WVS and is susceptible to dictionary or brute force attacks.
- The “User credentials are sent in clear text” vulnerability is a medium severity alert that highlights the fact that the credentials are sent over the HTTP protocol (an unencrypted medium) which makes it exposed to a man-in-the-middle attack.
- The “Login page password-guessing attack” vulnerability is a low severity alert that indicates that brute force attacks can be used on the login page. The presence of this alert means that Acunetix WVS tried to login to the page at least 10 times using different credentials and wasn’t locked out.
- The “Password type input with auto-complete enabled” vulnerability is a low severity alert which points out that users with access to the local machine could obtain the password from the browser cache.
Clicking on each alert shows more information about that vulnerability and recommendations on how to mitigate it.
Another notable feature worth mentioning is the Acunetix WVS Authentication Tester tool which allows you to perform a dictionary attack against login pages that use either HTTP or form-based authentication. The way this tool works is by feeding the login page a combination of usernames and passwords which it takes from pre-populated text files until it receives a valid response back, confirming it has found a valid username and password combination.
Having a strong web server or application level password, and implementing a security policy that forces users to choose a strong password, are fundamental practices in web security. Increased scrutiny brought about by industry regulations and compliance should result in better password security in the long term. However, nothing should be left to chance and regular password audits should be performed using a tool like Acunetix Web Vulnerability Scanner to point out weaknesses before an attacker finds them first.