The following article is associated with a JumpCloud webinar on password management featuring KnowBe4 Data-Driven Security Evangelist Roger Grimes. Many of the stats and figures in this article are reflections of data presented in the webinar. Watch the full webinar recording here.
In chess, the Queen’s Gambit opening is all about controlling the center of the board from the get-go. Its popularity and effectiveness make it a pervasive sequence that every seasoned chess player needs to know how to recognize, play, attack, and counter.
Much like the Queen’s Gambit, reliable password management and security require a comprehensive understanding of common threats and strategic offensive and defensive tactics to defend against them. Every system administrator needs to know how to recognize common attacks and develop measures to manage and counter them.
In this blog, we’ll discuss the risks of relying on passwords alone, detail common password attack vectors, and outline best practices for maintaining reliable password security in your organization.
Why Not Let Passwords Do the Work?
In theory, passwords prevent anyone but the intended, authorized user from accessing a resource. In practice, however, several factors – ranging from user error to advanced hacking techniques – diminish the reliability of the traditional password. Some of the most common and critical password risks include:
Password Recycling
In an ideal world, every password would be unique. However, no matter how often employers ask employees to use a different password for every resource, employees will still repeat passwords. The average user logs onto over 170 websites with fewer than 20 passwords (most have between 3 and 19).
When users do try to use a different password for every website, they tend to make them simple and easy to crack; if they had to remember unique and complex passwords for all 170+ websites, they would likely have to frequently reset them, which generates another set of security vulnerabilities.
Advanced Password Cracking Techniques
Even if employees did follow password best practices, hackers have several methods for cracking them, including:
- Physical attacks: This attack type is often born of poor in-office password practices. In physical attacks, the hacker uses passwords made physically available – like network passwords posted to an office wall or login credentials taped to a computer – to gain access to accounts.
- Social engineering: This method, which involves finding and using someone’s personal information to convince them to give out their credentials, is one of the most common. It works because hackers can find a significant amount of personal data – from job title and boss’s name to nicknames, family members, and address – online. They use this information to craft personalized emails, SMS messages, phone calls, and other convincing phishing bait.
- Guessing: It turns out that guessing a password is easier than it may sound. Even when system administrators set password parameters (like a minimum character limit, capital letter, special character and number), many employees follow common patterns and use real words. For example, most passwords have their capitalized letter first – and it’s usually a consonant, followed by a lower-case vowel. The number usually comes last (often a 1), followed only by the special character (usually an exclamation point). If an employee followed this pattern and used something close to them – like a child’s name or favorite team – many hackers could likely crack the password with guessing alone. Sophisticated password guessing malware further bolsters this technique by methodically guessing the most common passwords.
- Password Hash Stealing: Most authentication systems use password hashes, cryptographic representations of the password input, so that they can store the hash instead of the plain-text password. Applications and operating systems use several different hashing algorithms (modern Windows systems use NT; Linux and Mac may use MD5, SHA-1 or SHA-2; bcrypt is a highly secure alternative).
Hackers can steal password hashes, but it’s one of the more difficult hacking methods. For someone to effectively steal and use a password hash, they would need elevated system access (like administrator or root), a password theft tool, and a hash cracking tool.
Most hash cracking tools compare hashes to a database of existing hashes (often called rainbow tables); if they find a match, they can reverse-engineer the password back to its plain-text original. With the help of GPU rigs and cloud-sourced compute power, hackers can attempt hundreds of billions of passwords per second – the world record is currently 350 billion attempts per second. An 8-character NT-hash password would take about 12 minutes to crack using $25 worth of cloud processing power.
- Account Takeover Recoveries: With this method, hackers use the password reset function to take over account access. They often accomplish this by guessing the answers to security questions.
Unfortunately, security questions aren’t necessarily secure. Most answers can be found online (like mother’s maiden name), and many are guessable (like favorite car – there are only so many models, and favorites will likely be iconic or expensive ones). In fact, hackers guess security questions correctly about 20% of the time.
What’s more, many people can’t remember their own answers – a whopping 40% of people forget the answers to their security questions.
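Why a precomputed hash table matches an unsalted fast hash but not a salted, deliberately slow one, shown as an added example (not code from the webinar or from JumpCloud). SHA-256 stands in for the fast hash and PBKDF2 for the slow one; the sample passwords and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def fast_unsalted(password: str) -> str:
    """Fast, unsalted hash: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_salted(password: str, salt: Optional[bytes] = None):
    """Per-user random salt plus a slow key-derivation function."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = slow_salted(password, salt)
    return hmac.compare_digest(digest, expected)


def table_hit(stored_hash: str, table: dict) -> Optional[str]:
    """What a precomputed table amounts to: a dictionary lookup by hash."""
    return table.get(stored_hash)


# Constructed sample data: a tiny precomputed table of common passwords.
COMMON = ["Password1!", "Summer2024!", "Welcome1!"]
TABLE = {fast_unsalted(p): p for p in COMMON}

if __name__ == "__main__":
    leaked = fast_unsalted("Welcome1!")
    print("unsalted lookup:", table_hit(leaked, TABLE))
    salt, digest = slow_salted("Welcome1!")
    print("salted lookup:", table_hit(digest.hex(), TABLE))
    print("verify ok:", verify("Welcome1!", salt, digest))
```

Two users with the same password get different stored values under `slow_salted`, so one precomputed table cannot cover both.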
Because passwords face significant risk, protecting IT resources with passwords alone makes them critically vulnerable – anything from a password written down to an account takeover could lead to a major data breach. To counteract this, businesses are turning to a layered approach to security that makes the password one of many defenses in their account security strategy.
The Queen’s Gambit of Password Security: A Three-Layered Approach
As passwords cannot provide infallible security, they should not be the only security measure between a user and resource access. This is where the Queen’s Gambit comes in: system administrators need to be prepared to manage, attack, and counter password threats with a proactive access control plan from the outset – not just as a response to incoming issues. Consider these steps to developing a proactive “Queen’s Gambit” approach to password management.
1. Manage Passwords Effectively
While passwords aren’t the only layer of defense in this approach, they should still follow best practices to make them as secure as possible within reason for the real-world user. Consider the following policies and tools for your password management plan.
- Password Managers: Password managers are critical to security because they eliminate the need for balance between password security and memorability. In short, single sign-on (SSO) password managers store, retrieve, and generate secure login credentials behind heavy encryption.
Without a password manager, human memory limits password security. Password managers randomize and save passwords so the user doesn’t have to compromise on uniqueness or complexity to remember them. This prevents several password cracking methods.
- Create Password Policies: Password policies can prevent – or at least hinder – most password attack types. However, NIST guidelines state that too-stringent password requirements can actually decrease password security, because they cause employees to either forget their passwords often or find work-arounds (like simply writing them down). System administrators should strive to balance requirements with usability and account sensitivity, like increasing parameters for hyper-sensitive accounts and relaxing parameters for low-stakes use.
  - Length: NIST now recommends prioritizing password length over password complexity. While the NIST-prescribed minimum length is 8 characters, every additional character makes the password exponentially more secure. For this reason, JumpCloud recommends a longer minimum of around 16 characters.
  - Complexity requirements: While length is now the most important password security element, complexity requirements still add a helpful layer to employees’ password defenses. Some of the complexity guidelines NIST lists include:
    - Use of both upper-case and lower-case letters.
    - Use of a special character.
    - Prohibiting sequential characters, like “1234” or “aaaa.”
    - Prohibiting dictionary words.
    - Prohibiting referential words or phrases, like the name of the user or service.
  - If your company does not use a password manager, consider easing up on certain complexity requirements based on the sensitivity of the service.
  - Password Expiration: Setting passwords to expire after a certain amount of time keeps password health up and prevents compromised passwords from remaining in play for too long. For system administrators trying this method out for the first time, a six-month expiration period provides a healthy balance between security and usability. Some tools also allow users grace periods where they can still reset their passwords for a given amount of time after they expire. Note that this can be a controversial topic and generally, if password length is long (think 20+ characters), the need to rotate passwords goes down.
  - Lockout policies: To guard against guessing attacks, consider setting a password attempt limit after which the user is locked out.
- Treat Recovery Questions Like Passwords: To combat security questions’ questionable reliability, encourage employees to treat these questions like passwords, with the answer unrelated to the question. For example, “pizzapizza$vgad2@M1” might be the answer to the security question, “What was your high school mascot?” Password managers can help store these answers to discourage employees from recording them manually.
- Single Sign-On: Single sign-on (SSO) solutions both prevent user error in password security and enable easy de-provisioning in case of an incident or employee off-boarding. With SSO, employees can use one secure login (often layered with MFA) to access multiple applications and IT resources.
When configured with SAML, OAuth, OIDC, and LDAP connectors among others, an SSO service can grant employees access to just about every application they need while only requiring them to memorize and input one set of login credentials.
Further, this service bundling allows system administrators to revoke user access quickly and in bulk when off-boarding, changing a user’s role and permissions, or responding to a security event.
KnowBe4 security expert Roger Grimes highly recommends single sign-on as a “best of both worlds” solution that combines password complexity and MFA seamlessly. Watch his full password security overview in JumpCloud’s recent password management webinar.
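A policy check covering the length and complexity items listed above, plus the predictable "capital first, number then special character last" shape from the guessing section, as an added example (not JumpCloud's or NIST's code). `DICTIONARY`, `check_password` and the sample values are hypothetical; a real deployment would use a full word list or breached-password list.

```python
import re

MIN_LENGTH = 16  # the article's recommended minimum
# Constructed stand-in for a real dictionary / breached-password list.
DICTIONARY = {"password", "welcome", "dragon", "football", "summer"}
# Capital first, lower-case body, digits, then one trailing special character.
PREDICTABLE = re.compile(r"^[A-Z][a-z]+\d+[^A-Za-z0-9]$")


def has_run(password: str, run: int = 4) -> bool:
    """True for `run` repeated or consecutively ascending/descending characters."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}, {-1}):
            return True
    return False


def check_password(password: str, username: str, service: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs upper and lower case")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("needs special character")
    if has_run(password):
        problems.append("sequential or repeated characters")
    if any(word in lowered for word in DICTIONARY):
        problems.append("dictionary word")
    if any(ref and ref.lower() in lowered for ref in (username, service)):
        problems.append("refers to user or service")
    if PREDICTABLE.match(password):
        problems.append("predictable shape")
    return problems
```

A password such as `Summer1!` satisfies the basic upper-case, number and special-character rules yet is flagged three times here: too short, a dictionary word, and the predictable shape.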
2. Attack Login Attempts With Multi-Factor Authentication
Despite best practices, the password’s increasing vulnerability and openness to attack make it a poor security method when used alone. Instead of relying on one fallible data point to grant or deny access, companies are now encouraged to add at least one other layer of security with multi-factor authentication (MFA, often called two-factor authentication or 2FA).
With MFA, the password is one of two (or more) security factors the user inputs to prove their identity. This additional factor can be:
- Something the User Knows: This is a secret code or information the user knows; traditional passwords and PINs fall into this category.
- Something the User Has: This can be a time-based one-time password (TOTP) sent to an authenticator app or security key. It can also be a push notification to the user’s device.
- Something the User Is: This is typically biometric data, like a fingerprint or facial recognition.
With MFA, even a hacker’s ability to steal a password doesn’t automatically grant them account access; they would also need timely access to another secure data point or item associated with the user. For this reason, MFA drastically decreases the chance of a breach. 2FA may just be the silver bullet to protecting against password compromises.
3. Counter Login Attempts With Conditional Access
When a login attempt comes through, there are more options than accepting or denying it: the system can counter with conditional queries that may automatically admit or deny access or prescribe additional steps. This is often referred to as step-up authentication.
For example, an organization may automatically deny access to the central network if a user tries to log in from a non-secure network, regardless of a successful password and MFA submission. However, if that user attempted to log into the central network from a known device and known LAN with the correct password, the system may bypass the MFA requirement, considering the device, password and location enough information to admit the user.
System administrators can configure conditional access requirements to either prioritize security, streamline the user experience or balance the two. Most aim for a balance; a combination of the two policy examples above, for example, would satisfactorily reconcile security and friction for many organizations.
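The two example policies above combined into one ordered decision, with step-up to MFA as the fallback, as an added example (not JumpCloud's policy engine). The networks, device IDs and the `LoginAttempt` / `decide` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy data; a real deployment would load these from the directory.
KNOWN_LANS = [ipaddress.ip_network("10.20.0.0/16")]
UNTRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # e.g. open guest Wi-Fi
KNOWN_DEVICES = {"laptop-4821", "laptop-5077"}


@dataclass
class LoginAttempt:
    user: str
    source_ip: str
    device_id: str
    password_ok: bool
    mfa_ok: bool = False


def in_any(ip: str, networks) -> bool:
    """True when the address falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def decide(attempt: LoginAttempt) -> str:
    """Return 'deny', 'allow' or 'step_up' (ask for MFA). Order matters:
    the network deny rule runs before any credential is considered."""
    if in_any(attempt.source_ip, UNTRUSTED_NETS):
        return "deny"        # denied even with a correct password and MFA
    if not attempt.password_ok:
        return "deny"
    trusted_context = (attempt.device_id in KNOWN_DEVICES
                       and in_any(attempt.source_ip, KNOWN_LANS))
    if trusted_context or attempt.mfa_ok:
        return "allow"       # MFA skipped in trusted context, or already passed
    return "step_up"         # unknown device or location: require MFA
```

Putting the deny rule first means a later, more permissive rule can never override it, which is the usual failure mode when conditional access rules are evaluated in the wrong order.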
Taking a Zero-Trust Approach
Zero Trust security trusts nothing and verifies everything. This approach forms the basis of a robust security model that employs secure password practices, MFA, and conditional access. With a goal to ensure that every access transaction is secure, the Zero Trust security model has been built for modern organizations where users and IT resources can be anywhere in the world but that still rely on ensuring that the right people have the right access levels.
JumpCloud is a cloud-based directory platform with a zero-trust security approach that manages, attacks, and counters IAM threats from virtually every angle. In reimagining the directory, JumpCloud has created a policy-driven IAM environment that offers highly customizable security parameters that integrate with directory-defined users, groups and devices for layered, intuitive security. In short, JumpCloud’s goal is to ensure that every access transaction is properly verified for identity, device health, network path, and access rights, thereby ensuring that only the right people have the right access.
JumpCloud is free to try for your first ten users and devices – sign up now to get your employees secure access to the IT resources they need, no matter where they are.
Watch the Password Management “Queen’s Gambit” Webinar
Recently, KnowBe4 Data-Driven Security Evangelist Roger Grimes joined JumpCloud in a webinar on password management and security. In the webinar, Grimes and JumpCloud experts discussed the problems with passwords and the path toward robust identity security based in zero-trust. Watch the webinar recording to dive into the real-world insights and solutions it covered.