The Sure Risk of Weak Passwords

Passwords at times fail to fulfill their purpose of authenticating users because password strength is not given due consideration. A password is deemed strong if it is hard to guess, that is, it is not a dictionary word or personally identifiable, and it is a long string made of a combination of numbers, letters and special characters. On the contrary, weak passwords are usually short and consist of dictionary words, default passwords or pet names, which renders them highly prone to password cracking by criminals.

The best way to educate organizations on the importance of password strength is to demonstrate how easy it is for an adversary to recover weak passwords, so we shall take a look at a certain organization. Mr. Dismas, a procurement officer, received a phishing email and was unfortunately tricked into downloading the “new offer” update onto his machine, which was carrying a malicious payload.

Downloaded malicious executable

The attacker had earlier created the malicious newoffer file and then used social engineering to persuade Dismas to download it.

Creating malicious payload

When Dismas attempted to run the newoffer file, his interaction with it created a TCP reverse shell (a session) back to the attacker’s machine, where a listener had been set up on Kali Linux.

Getting meterpreter session

The attacker escalates to system privileges so as to have enough control over the system.

Elevating privileges

After gaining elevated privileges, the attacker uses the hashdump command in meterpreter to make the system output its password hashes. These hashes are subsequently run through an offline cracking tool, John the Ripper, and the user credentials are unveiled.

Using hashdump command to get password hashes
Passwords cracked with John the Ripper

We can see two user account passwords cracked: happy and secret. Well, were these users safe as they thought?

Here are some factors for ensuring strong password security:

  • Length of password should at least be eight characters
  • Include upper-case [A-Z] and lower-case letters [a-z]
  • Have one or more numbers [0-9]
  • Make use of special characters [! ~ . / \ | { } [ ] ( ) - _ + @ % & = ; ' : " ]
  • Avoid passwords that match pet names or formats of telephone numbers, vehicle number plates, calendar dates, etc.
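As an added illustration (not code from the original article), the checker below applies the five factors listed above to a candidate password and reports which ones it fails; it also estimates the size of the guessing space an offline cracker such as John the Ripper would have to search. The word list, the date, phone and number-plate patterns, and the test passwords are constructed for this example.

```python
import math
import re

# Constructed stand-in for a real dictionary and pet-name list (a cracker's
# wordlist would hold millions of entries; "happy" and "secret" are in all of them).
COMMON_WORDS = {"happy", "secret", "password", "welcome", "admin", "fluffy", "rex"}
# The special characters recommended in the list above.
SPECIALS = set("!~./\\|{}[]()-_+@%&=;':\"")

# Constructed patterns for the formats the article says to avoid.
DATE_RE = re.compile(r"^(\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}|\d{8}|(19|20)\d{2})$")
PHONE_RE = re.compile(r"^\+?\d[\d\s-]{6,}\d$")
PLATE_RE = re.compile(r"^[A-Z]{2,3}\s?\d{3,4}\s?[A-Z]{0,2}$")


def check_password(pw: str) -> list:
    """Return the list of rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in SPECIALS for c in pw):
        problems.append("no special character")
    # Strip digits and specials first so that "Happy123!" is still caught as word-based.
    core = "".join(c for c in pw if c.isalpha()).lower()
    if core in COMMON_WORDS:
        problems.append("based on a dictionary word or pet name")
    if DATE_RE.match(pw) or PHONE_RE.match(pw) or PLATE_RE.match(pw.upper()):
        problems.append("looks like a date, phone number or number plate")
    return problems


def guess_space_bits(pw: str) -> float:
    """Bits of brute-force search space: length * log2(size of the character classes used)."""
    charset = 0
    charset += 26 if any(c.islower() for c in pw) else 0
    charset += 26 if any(c.isupper() for c in pw) else 0
    charset += 10 if any(c.isdigit() for c in pw) else 0
    charset += len(SPECIALS) if any(c in SPECIALS for c in pw) else 0
    return len(pw) * math.log2(charset) if charset else 0.0


def is_strong(pw: str) -> bool:
    return not check_password(pw)
```

Note that the bit estimate only measures brute-force effort; a dictionary word such as "happy" is found by a wordlist attack long before its 24-bit keyspace matters, which is why the dictionary check is applied regardless of length.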

Join Summit Consulting Ltd in partnership with IFIS at our annual cyber-security awareness and risk management conference, which is scheduled to take place from the 16th – 18th October 2019. You will learn how to secure your classified information with hard-to-crack passwords, and pick up handy cyber hygiene for your daily data practices so that your data does not land in the hands of criminals through the cheapest of means.

