The Sure Risk of Weak Passwords


Passwords often fail at their intended purpose, authenticating users, because password strength is not given due consideration. A password is considered strong if it is hard to guess: not a dictionary word or anything personally identifiable, and long, built from a mix of letters, numbers and special characters. Weak passwords, by contrast, are typically short and made of dictionary words, default passwords or pet names, which leaves them highly prone to cracking by criminals.

The best way to educate organizations on the importance of password strength is to demonstrate how easily an adversary recovers weak passwords, so we shall take a look at a certain organization. Mr. Dismas, a procurement officer, received a phishing email and was unfortunately tricked into downloading a “new offer” update onto his machine; the file was carrying a malicious payload.

[Figure: Downloaded malicious executable]

The attacker had earlier created the newoffer file, then used social engineering to lure Dismas into downloading it.

[Figure: Creating malicious payload]

When Dismas ran the newoffer file, it opened a TCP reverse shell (a session) back to the attacker’s machine, where a listener had been set up on Kali Linux.

[Figure: Getting meterpreter session]

The attacker then escalates to SYSTEM privileges so as to have full control over the machine.

[Figure: Elevating privileges]

After gaining elevated privileges, the attacker runs the hashdump command in the meterpreter session, which reads the local accounts’ password hashes out of the SAM (this is why SYSTEM privileges were needed first). These NT hashes are unsalted, so they can be attacked entirely offline: they are fed to the cracking tool John the Ripper, and the user credentials are unveiled.

[Figure: Using hashdump command to get password hashes]
[Figure: Passwords cracked with John the Ripper]

Two user account passwords were cracked: happy and secret. Were these users as safe as they thought?

Here are some factors for ensuring strong password security:

  • Length of at least eight characters, and the longer the better: a passphrase of several unrelated words is both longer and easier to remember
  • Include upper-case [A-Z] and lower-case [a-z] letters
  • Have one or more numbers [0-9]
  • Make use of special characters [! ~ . / \ | { } [ ] ( ) - _ + @ % & = ; ' : "]
  • Avoid passwords that match pet names or follow the format of telephone numbers, vehicle number plates, calendar dates, etc.
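A policy check built from the factors above, as an added example that is not part of the original post. The word list, the telephone, date and number-plate patterns, and the sample passwords are assumptions made for the demonstration; a real deployment would test candidates against a large breached-password list rather than a handful of words, and use the phone and plate formats of its own country.

```python
"""Password policy check built from the factors listed in the post.

Added example, not code from the original post. COMMON_WORDS, the phone,
date and plate patterns, and the sample passwords are constructed.
"""
import re

# Special characters exactly as listed in the post
SPECIALS = set("!~./\\|{}[]()-_+@%&=;':\"")

# Constructed stand-in for a dictionary / breached-password list
COMMON_WORDS = {"123456", "admin", "happy", "letmein", "password",
                "qwerty", "secret", "summer", "welcome"}

PHONE_RE = re.compile(r"\d{7,}")                          # 7+ consecutive digits
YEAR_RE = re.compile(r"(?:19|20)\d{2}")                   # 1900-2099
DATE_RE = re.compile(r"\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}")  # 16/10/2019, 16-10-19
PLATE_RE = re.compile(r"[A-Za-z]{2,3} ?\d{3,4} ?[A-Za-z]?")  # assumed plate shape, e.g. UAH 123B


def assess(password: str) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    issues = []
    if len(password) < 8:
        issues.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", password):
        issues.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        issues.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        issues.append("no digit")
    if not any(ch in SPECIALS for ch in password):
        issues.append("no special character")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):          # substring match: 'Summer2019!' still contains 'summer'
        if word in lowered:
            issues.append(f"contains dictionary word '{word}'")
    if PHONE_RE.search(password):
        issues.append("looks like a telephone number")
    if YEAR_RE.search(password) or DATE_RE.search(password):
        issues.append("contains a calendar date or year")
    if PLATE_RE.fullmatch(password):
        issues.append("shaped like a vehicle number plate")
    return issues


def is_strong(password: str) -> bool:
    return not assess(password)


if __name__ == "__main__":
    # Constructed sample passwords, including the two cracked in the post
    for pw in ("happy", "secret", "Summer2019!", "0712345678",
               "UAH 123B", "T7#rv-Lake!Quorum92"):
        print(f"{pw!r:24} -> {assess(pw) or 'OK'}")
```

Note that a password can satisfy every character-class rule and still fail: “Summer2019!” has upper case, lower case, a digit and a special character, yet it is a dictionary word plus a year, which is exactly the shape cracking rules generate first.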

Join Summit Consulting Ltd, in partnership with IFIS, at our annual cyber-security awareness and risk management conference, scheduled to take place from the 16th – 18th October 2019. Learn how to protect your classified information with hard-to-crack passwords, and pick up practical cyber hygiene for your daily data handling so that your data does not fall into criminals’ hands by the cheapest means.

For more details and registration procedure, please click here

