Keeping Passwords Hard to Predict

Passwords are meant to be secrets shared between a user and the server they’re authenticating to. If attackers can predict those passwords, they can bypass this defense entirely. Here are a couple of steps we can take to keep it difficult for an attacker to predict a password.

Never Use Default Passwords

We covered this back in Default Passwords, but it’s worth mentioning again. Never use default passwords.

Monitor Password Dumps for Password Reuse

It’s worthwhile to consider the ways credentials can be compromised. In general, it’s much more likely for a password to be stolen from a server or phished than it is to be brute forced.

Brute forcing passwords through the front end of a web application is impractical. It’s a noisy attack that can be stopped by account locking or by slowing down login attempts. Even if there is no automated defense, it’s just slow. And brute forcing one account does nothing to speed up compromise of a second account.

A more likely attack is to try passwords that were stolen from some other account. An attacker can compromise other sites directly or use password dumps published from sites that others have compromised. Both of these sources give an attacker ready-made login/password pairs, so the attack can be very effective given how common password reuse is: one compromised account speeds up the compromise of every other account that shares its password.

We can defend ourselves against this by monitoring published password dumps and checking whether any of our users’ credentials are listed. You can set up your own monitoring system by searching online for password dumps. The specifics of where to look are likely to change over time, but at the time of this writing a good starting point is to search Pastebin for your users’ email addresses.[93] Alternately, you can use a service such as Troy Hunt’s “Have I Been Pwned?” to notify you when users from your domain show up in password dumps.[94]
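Once you have a dump in hand, the useful question is not just “is one of our users listed?” but “does the leaked password still work on our site?” The added example below (not from the book; the domain, the PBKDF2-HMAC-SHA256 storage scheme, and the dump text are all constructed assumptions) parses a dump with mixed `email:password` / `email;password` lines, keeps only addresses from our domain, and compares each leaked password against the user’s stored hash so that reused passwords can be reset immediately while merely listed accounts get a warning.

```python
"""Match a published credential dump against our own user base.

Added example, not from the book. Assumptions: our users' passwords are
stored as PBKDF2-HMAC-SHA256 (salt, hash) pairs, our domain is example.com,
and the dump is plaintext email/password lines. All data below is constructed.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, Iterator, Tuple

OUR_DOMAIN = "example.com"  # assumption: the domain we are responsible for
PBKDF2_ITERATIONS = 100_000  # assumption: what our password store uses


def _hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier for a password (mirrors our assumed store)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Build a (salt, hash) record the way account creation would."""
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user table: email -> (salt, hash). Never store plaintext.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_record("correct horse battery staple"),
    "bob@example.com": make_record("Summer2019!"),
    "carol@example.com": make_record("hunter2"),
}

# Constructed dump: mixed separators, mixed case, a foreign domain and junk.
DUMP = """\
alice@example.com:Summer2019!
BOB@Example.com;Summer2019!
dave@other.org:letmein
carol@example.com:hunter2
malformed line without a separator
"""

# email, then one of ':' ';' '|' as separator, then the rest of the line.
# The password group is lazy but anchored to end of line, so passwords that
# themselves contain ':' survive intact.
_LINE_RE = re.compile(r"^\s*([^\s:;|]+@[^\s:;|]+)\s*[:;|]\s*(.*?)\s*$")


def parse_dump(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (email_lowercased, password) for every parseable line; skip junk."""
    for line in text.splitlines():
        match = _LINE_RE.match(line)
        if match:
            yield match.group(1).lower(), match.group(2)


def find_exposed(dump_text: str, users: Dict[str, Tuple[bytes, bytes]],
                 domain: str) -> Dict[str, str]:
    """Return {email: 'reused' | 'listed'} for our users who appear in the dump.

    'reused'  - the leaked password verifies against the current stored hash,
                so the account is live for the attacker: force a reset now.
    'listed'  - the address appears but the password differs: warn the user.
    """
    exposed: Dict[str, str] = {}
    for email, leaked_password in parse_dump(dump_text):
        if not email.endswith("@" + domain.lower()):
            continue  # not our problem to reset, though still worth knowing
        record = users.get(email)
        if record is None:
            continue  # address is ours but no such account exists
        salt, stored_hash = record
        # Constant-time compare of verifiers, same as a login check would do.
        if hmac.compare_digest(_hash_password(leaked_password, salt), stored_hash):
            exposed[email] = "reused"
        else:
            exposed.setdefault(email, "listed")
    return exposed


if __name__ == "__main__":
    for email, status in find_exposed(DUMP, USERS, OUR_DOMAIN).items():
        print(f"{email}: {status}")
```

Two caveats apply in practice. Many dumps contain hashes rather than plaintext, in which case you can only notify the user, not confirm reuse. And checking a leaked password against your store is itself a password verification, so run it offline with the same hashing cost and rate discipline you would apply to a login endpoint.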

Prevent Password Reuse Via Password Strength Requirements

A defense that’s covered in more detail in the Password Policy, Windows chapter is to require long passwords. Most users don’t use long passwords elsewhere, so a password stolen from an unrelated third-party site is unlikely to satisfy your policy, and a compromise of that site is unlikely to carry over to you. Users who are security conscious enough to already use long passwords on their personal accounts probably aren’t reusing them in the first place.
