
Friday, January 5, 2018

Network Security: Passwords and Human Error

A past IBM cyber security intelligence index report concluded that 95% of security breaches are caused by human error. Human error certainly includes the password choices users make, but it also includes the password requirements and password storage practices set by systems administrators. Passwords are a large part of network security. Hackers can use a technique called "password guessing," in which they manually enter passwords at a log-in prompt to gain access to an account once they have a valid user name. Tools such as Medusa, Ncrack, and Hydra automate this guessing; because it runs against the live log-in service, it is known as an online attack.

These tools were built to help companies secure their networks: security specialists use them to test hosts and networking devices for poor passwords and to audit devices. Online attacks can also be used to check that your firewalls, IDSs, and IPSs detect when a server gets bombarded with unsuccessful log-in attempts, and that accounts lock out within a short period when this happens. Password guessing, whether manual or automated, is obviously very noisy, so hackers look for a quieter way to do it. Passwords should never be stored in plain text in databases. Storing passwords in plain text allows them to be used immediately after they're stolen. Passwords should be stored in a strong hash format, since hashing is a one-way function.

In many of the data breaches of recent years, the stolen password databases contained passwords that were either stored in plain text or hashed with weak algorithms like MD5 or SHA-1. The current standards of hashing include SHA-256 and SHA-512, both members of the SHA-2 family.

On Linux systems, password hashes are stored in the /etc/shadow file. Most Linux distros use SHA-512 combined with a "salt", a random value mixed into each password before hashing.

On Windows systems, password hashes are stored in the SAM file located at C:\Windows\System32\config\SAM. Some Microsoft documentation expands SAM to Security Account Manager, while other Microsoft documentation expands it to Security Accounts Manager. On Windows domain controllers running Active Directory, password hashes are stored in the NTDS.dit file located at C:\Windows\NTDS\NTDS.dit. Windows NTLM, part of the LAN Manager protocol suite, actually stores its hashes as unsalted MD4 digests of the password.

Websites that we log into store passwords in a backend database, likely using the MySQL relational database management system. If a hacker entered a stolen hash into the password field, the hash itself would be hashed, so the attacker won't do that. What happens when a database containing hashed passwords is stolen? The hackers have three attack options after they steal the hashed password database. The first is called a "brute force attack," which uses a tool that generates a file containing all possibilities of letters, numbers, and symbols given a minimum and maximum length. The second is a dictionary attack, which uses common words and their variations instead of trying all possibilities like a brute force attack does. The third is a rainbow table attack, which requires more processing but less storage than a dictionary attack.
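To make the salt discussion and the stolen-database scenario above concrete, here is an added example (not code from the original post) in Python. It contrasts plain SHA-512 with salted SHA-512 over a constructed set of accounts: without a salt, two users who chose the same password show up as identical records, so one precomputed lookup would break both, while salted records never collide; it also shows that pasting a stolen hash into the password field fails verification. The account list, the `salt$hash` storage format and the helper names are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed sample accounts: alice and bob picked the same password.
SAMPLE_ACCOUNTS = {"alice": "Winter2018!", "bob": "Winter2018!", "carol": "correct horse"}


def unsalted_sha512(password):
    """Plain SHA-512: one-way, but identical passwords give identical hashes."""
    return hashlib.sha512(password.encode("utf-8")).hexdigest()


def salted_sha512(password, salt=None):
    """Salted SHA-512 stored as 'salt$hash'; a fresh 16-byte random salt per record."""
    if salt is None:
        salt = secrets.token_hex(16)
    digest = hashlib.sha512((salt + password).encode("utf-8")).hexdigest()
    return salt + "$" + digest


def verify_salted(password, stored):
    """Recompute with the record's own salt and compare in constant time."""
    salt = stored.split("$", 1)[0]
    return hmac.compare_digest(salted_sha512(password, salt), stored)


def duplicate_hash_groups(hashes):
    """Audit helper: groups of users whose stored hash is identical (shared password)."""
    groups = {}
    for user, h in hashes.items():
        groups.setdefault(h, []).append(user)
    return [users for users in groups.values() if len(users) > 1]


def demo():
    unsalted = {u: unsalted_sha512(p) for u, p in SAMPLE_ACCOUNTS.items()}
    salted = {u: salted_sha512(p) for u, p in SAMPLE_ACCOUNTS.items()}
    stolen_hash_only = salted["bob"].split("$", 1)[1]  # what a thief would paste in
    return {
        "unsalted_dupes": duplicate_hash_groups(unsalted),  # [['alice', 'bob']]
        "salted_dupes": duplicate_hash_groups(salted),      # []
        "bob_logs_in": verify_salted("Winter2018!", salted["bob"]),
        "hash_as_password": verify_salted(stolen_hash_only, salted["bob"]),  # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The duplicate-hash audit is the defender's takeaway: if your own password store reports groups like alice/bob, it is unsalted and the hashes can be attacked in bulk.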