Proper password security can prevent a cyber-attack
The weaker the passwords in your organisation, the easier it is for an attacker to get into your business network. Password guessing is one of the standard ways in which attackers obtain access to an internal network, using a variety of online guessing and offline hash-cracking techniques. A password security test shows how many of the password hashes in your user directory can be cracked, in other words how many of your accounts an attacker could take over the same way.
The consequences can be critical: an attacker who enters the internal network with a compromised password obtains the rights of that user and, with appropriate techniques (privilege escalation), can extend the rights of an ordinary user to those of a system administrator. From that point on, little in the internal network remains out of the attacker's reach.
CISOs and network administrators have to strike a balance between a strict password policy and a user-friendly one. A password that complies with the policy is not necessarily a password that resists cracking: the two are measured by different criteria.
Example of a password security gap:
The password Spring2023! satisfies a typical policy (upper-case and lower-case letters, digits, a special character, more than eight characters), yet it is one of the first things a cracking tool tries: season + year + punctuation is a well-known pattern, and with standard cracking software it falls in seconds.
This gap closes significantly when an adequate password policy is combined with educating your users on why their choice of password matters.
The password security test shows how secure the passwords used in your IT system are.
How do we do the test?
Attackers obtain passwords by cracking hashes. A hash is a fixed-length value derived from the password by a one-way hash function (in Active Directory this is the NT hash, an unsalted MD4 of the password); the password cannot be computed back from it.
Attackers capture hashes during the authentication process or from the directory database itself. Because a hash cannot be reversed, they guess: they hash millions or billions of candidate passwords (dictionary words, common patterns, leaked passwords and rule-based variations of them) and compare each result with the captured hashes. Every match reveals a password.
Carbonsec password security test includes the following steps:
- You deliver an export of the password hashes from your Active Directory (the export is itself highly sensitive and is transferred over an agreed, encrypted channel).
- We try to crack the hashes from your directory using custom-made tools and dictionaries.
- We deliver test results according to a preliminary agreement and your security policy.
- We offer consulting with a pentester who can advise you on how to improve password security.
How do you benefit from a password security test?
The information you get from the test to some extent depends on your internal security policy and includes:
- An assessment of the adequacy of your password policy (whether it is strict enough, how it can be bypassed, etc.),
- The number of hashes cracked,
- The reason why a hash could be cracked:
  - insufficient complexity,
  - insufficient length,
  - the password itself has already been leaked in a public breach,
  - a part of the password (its base word) has already been leaked,
- How fast each password was cracked,
- How many users share the same password,
- Which type of password is most at risk in your environment: user, administrator or service account passwords.
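As an added illustration of the mechanics described under "How do we do the test?" and of the figures listed above (this is example code written for this page, not Carbonsec's tooling and not part of the original text): the script below implements the NT hash (MD4 over the UTF-16LE password, no salt) in pure Python, runs a deliberately tiny pattern-based guessing attack against a constructed pwdump-style export, and produces the kind of numbers a report contains: how many hashes fell, which users share a password, and whether privileged accounts are among the cracked ones. The user names, the export lines, the word list and the `adm_`/`svc_` naming convention used to spot privileged accounts are all constructed assumptions for the example; a real engagement uses multi-gigabyte dictionaries, rule sets and GPU crackers, but the principle is the same.

```python
import struct
from collections import defaultdict
from itertools import product

# NT hash = MD4(UTF-16LE(password)), with no salt. MD4 is written out here (RFC 1320)
# because hashlib's "md4" is frequently unavailable under OpenSSL 3.
_SHIFTS = ([3, 7, 11, 19], [3, 5, 9, 13], [3, 9, 11, 15])
_ROUND3_ORDER = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    funcs = (lambda x, y, z: (x & y) | (~x & z),           # round 1: F
             lambda x, y, z: (x & y) | (x & z) | (y & z),  # round 2: G
             lambda x, y, z: x ^ y ^ z)                    # round 3: H
    consts = (0, 0x5A827999, 0x6ED9EBA1)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for r in range(3):
            for i in range(16):
                k = (i, (i % 4) * 4 + i // 4, _ROUND3_ORDER[i])[r]
                t = (a + funcs[r](b, c, d) + X[k] + consts[r]) & 0xFFFFFFFF
                a, b, c, d = d, _rotl(t, _SHIFTS[r][i % 4]), b, c
        state = [(s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    return md4(password.encode("utf-16-le")).hex()


# A deliberately tiny "mask" attack: base word + year + suffix, three capitalisations.
BASE_WORDS = ["spring", "summer", "autumn", "winter", "password", "welcome", "company"]
YEARS = [str(y) for y in range(2019, 2025)]
SUFFIXES = ["", "!", "1", "123", "!!"]


def candidates():
    for w in BASE_WORDS:
        for word in (w, w.capitalize(), w.upper()):
            yield word
            for y, s in product(YEARS, SUFFIXES):
                yield f"{word}{y}{s}"


def crack(nt_hashes, guesses):
    """Hash each guess once and look it up against all targets: with no salt,
    one hash computation tests the guess against every user at the same time."""
    targets = set(nt_hashes)
    found, tried = {}, 0
    for tried, guess in enumerate(guesses, 1):
        h = nt_hash(guess)
        if h in targets:
            found[h] = guess
            if len(found) == len(targets):
                break
    return found, tried


def parse_pwdump(text):
    """pwdump-style export lines 'user:RID:LMhash:NThash:::' -> {user: nt_hash}."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            user, _rid, _lm, nt = line.strip().split(":")[:4]
            users[user] = nt.lower()
    return users


def report(users, found):
    """Report-style figures only: no plaintext leaves this function."""
    by_hash = defaultdict(list)
    for user, h in users.items():
        by_hash[h].append(user)
    # Identical NT hashes mean identical passwords, visible before any cracking.
    shared = sorted(sorted(us) for us in by_hash.values() if len(us) > 1)
    # Assumed naming convention for the example: adm_* and svc_* are privileged accounts.
    privileged = sorted(u for u, h in users.items() if h in found and u[:4] in ("adm_", "svc_"))
    return {"total": len(users), "cracked": sum(h in found for h in users.values()),
            "shared_password_groups": shared, "cracked_privileged": privileged}


# Constructed sample export. In a real test only hashes are delivered; the plaintexts
# appear here only so that the sample reproduces offline.
_SAMPLE_PLAINTEXTS = {"j.novak": "Spring2023!", "a.kralj": "Spring2023!",
                      "svc_backup": "Summer2022", "adm_mhorvat": "Winter2024!!",
                      "m.zupan": "correct horse battery staple"}
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of an empty password (LM disabled)
SAMPLE_EXPORT = "\n".join(f"{u}:{1000 + i}:{EMPTY_LM}:{nt_hash(p)}:::"
                          for i, (u, p) in enumerate(_SAMPLE_PLAINTEXTS.items()))


def run_test(export_text=SAMPLE_EXPORT):
    users = parse_pwdump(export_text)
    found, tried = crack(users.values(), candidates())
    result = report(users, found)
    result["guesses_tried"] = tried
    return result, found


if __name__ == "__main__":
    print(run_test()[0])
```

Running it shows the points the page makes: the three season-plus-year passwords fall within a few hundred guesses, the long passphrase survives, the two users who chose Spring2023! are identified from their identical hashes before any cracking is even done, and the report contains counts and groups but never the recovered plaintexts.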
Based on the obtained data and recommendations, you can design an awareness training programme for your employees and improve password security in your business environment. You can also give your employees the opportunity to consult the pentester, who will explain why a password was compromised and how to choose a stronger one.
The test report includes a summary report for executives and decision-makers, as well as a detailed technical report with descriptions of the security weaknesses detected, statistics and recommendations for improvement.
IMPORTANT: The password security test does not disclose the cracked passwords themselves, only their weaknesses.