Almost every week, an ever-growing list of data breaches occurs around the world. In many cases, attackers ultimately gain access to sensitive information such as a hashed password database. This type of information is useful to the bad guys when targeting specific organisations and/or people.
With the unfortunate trend of password reuse, if an attacker can obtain credentials from a third-party website that include company-registered email addresses, those credentials are likely to provide an easy foothold into the targeted organisation. When valid credentials are used, attackers can hide in plain sight and slip through existing security controls, which makes the intrusion difficult to detect and respond to.
In addition, selling such information on the dark web can be substantially profitable for the bad guys. An alarming observation from recent attacks is how credentials are stored. Many of the recent breaches (small and large) involve storage methods that are old, outdated and insecure by today’s standards, such as MD5, unsalted SHA variants and even plain-text passwords. With these methods it can be trivial for an attacker to recover the plain-text passwords through brute-force password cracking.
The ISM and NIST provide guidance and recommendations for storing passwords. In summary:
- ISM: As per control 1252, agencies must store credentials in a hashed format using a strong hashing algorithm that is uniquely salted. For example, a hashing algorithm from at least the SHA2 family.
- NIST: Passwords must be hashed (SHA1-3) and salted with at least 32 bits of data.
It’s recommended to ensure best practices and hardening guides are followed to protect such sensitive information. In addition, layering security controls such as implementing MFA provides an extra level of protection. The goal here is to ensure that if a breach occurs, brute-force type attacks would prove impractical.
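As an added example (not code from the original post), the following Python contrasts the weak unsalted pattern seen in the breaches above with the uniquely salted, SHA-2 based storage the ISM guidance calls for; the salt length, iteration count and record format are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters (not taken from the original post): a 16-byte salt comfortably
# exceeds the 32-bit minimum cited above, and the PBKDF2 iteration count makes each
# guess in a brute-force attack cost hundreds of thousands of SHA-256 computations
# instead of one. Raise ITERATIONS for production use.
SALT_BYTES = 16
ITERATIONS = 200_000
ALGORITHM = "sha256"  # a SHA-2 family hash, as ISM control 1252 recommends


def insecure_unsalted_hash(password: str) -> str:
    """The weak pattern seen in the breaches above: one bare MD5 digest, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated SHA-256; returns a self-describing 'alg$iters$salt$digest' record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored credential
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters kept in the record and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        algorithm, password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def compare_schemes(password: str) -> dict:
    """Two users who chose the same password: unsalted digests collide, salted ones do not."""
    unsalted = (insecure_unsalted_hash(password), insecure_unsalted_hash(password))
    salted = (hash_password(password), hash_password(password))
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],  # one crack reveals both accounts
        "salted_identical": salted[0] == salted[1],        # each record must be attacked separately
    }


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(compare_schemes("Password1"))
```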
Author: David Roccasalva.