Apono specializes in just-in-time access governance technology for humans, machines, and AI agents.

The post 1Password Acquires Apono in Reported $250M-$300M Deal appeared first on SecurityWeek.

1Password says AI coding agents should never hold persistent secrets, introducing a just-in-time credential model for OpenAI Codex designed to keep credentials out of prompts, code repositories, and model context.

The post 1Password Teams With OpenAI to Stop AI Coding Agents From Leaking Credentials appeared first on SecurityWeek.

Derrick Rauch and Kent Ickler // (Updated 3/22/2019) First, to see what our build looks like, look here: https://www.blackhillsinfosec.com/build-password-cracker-nvidia-gtx-1080ti-gtx-1070/ What’s next? Time for System Rebuild! First, you need to decide whether you […]

The post Running HashCat on Ubuntu 18.04 Server with 1080TI appeared first on Black Hills Information Security, Inc..

David Fletcher// The weak password policy finding is typically an indicator of one of two conditions during a test: A password could be easily guessed using standard authentication mechanisms. A […]

The post Finding: Weak Password Policy appeared first on Black Hills Information Security, Inc..

Carrie Roberts* // (Updated, 2/11/2019) Trying to figure out the password for a password protected MS Office document? This free solution might do the trick. It attempts to guess the password […]

The post How to Crack Passwords for Password Protected MS Office Documents appeared first on Black Hills Information Security, Inc..

Kent Ickler // The Task Buy The Things: Total for new password cracking machine$5110 A Few Quick Lessons The CPU cooler doesn’t actually clear the case cover. This was OK […]

The post How to Build a Password Cracker with NVidia GTX 1080TI & GTX 1070 appeared first on Black Hills Information Security, Inc..

Brian Fehrman // In our experience, we see many Windows environments in which the local Administrator password is the same for many machines. We refer to this as Wide-Spread Local […]

The post Wide-Spread Local Admin Testing appeared first on Black Hills Information Security, Inc..

Brian King // There’s a one-liner password spray script that a lot of folks use to see if anyone on a domain is using a bad password like LetMeIn! or […]

The post Check\ Your\ Tools appeared first on Black Hills Information Security, Inc..

Your internet account passwords are probably among the most guarded pieces of information you retain in your brain. With everything that has recently migrated to the digital realm, a secure password functions as the deadbolt to your private data.. Hackers understand how valuable this personal data is, and so Account Takeover Attacks—where malicious actors gain unauthorized access to your accounts—remain the most common cyber-attack vector.

Internet users’ passwords are frequently exposed in bulk via password combo lists, which are sets of credentials harvested from data breaches, and this has taught us the importance of using a unique password for every service we sign up for. This prevents a hacker from using your email address and one of your known (exposed) passwords—say, for website A—and checking to see if it successfully logs in to website B, C, D, etc., until they find that it works on website E.

With that said, even if all of your passwords are unique, if they are often not complex enough or of adequate length, hackers can often succeed in guessing your current passwords by using permutations of your previously exposed passwords, known information about you, or even checking against a list of commonly used passwords.

How Do We Know What Constitutes A Secure Password?

The National Institute of Standards and Technology (NIST) is an organization that helps us with this. NIST researchers create drafts for things like password requirements, publish them for a community of experts to submit their comments, and compile a published standard. Therefore, whenever you’re asked to create or reset a password and are given a set of requirements the password must meet, these are based on standards most likely set forth by NIST. It’s important for any organization that manages users’ passwords to stay up to date with NIST requirements for passwords.

One example of an existing NIST password standard is checking for exposed passwords against previous data breaches. For several years now, NIST publication 800-63B has included the need to check with previously exposed passwords in data breaches. “When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly used, expected, or compromised. For example, the list MAY include, but is not limited to, passwords obtained from previous breach corpuses.” This helps ensure that users are no making their accounts more vulnerable by using a known-exposed password.

NIST recently published a new draft standard for passwords, adding new recommendations to make passwords even stronger; below are the suggested changes and why they’re important:

1. Require passwords to be a minimum of 8 characters, with a recommended minimum length of 15 characters.
   1. Why this is important: The longer your password is, the harder it is to guess your password. Even when trying to guess your password via brute force, long passwords require significant computing time, even for advanced computers, to guess correctly.
2. Allow passwords to be up to 64 characters long.
   1. Why this is important: Again, longer passwords are more secure. Allowing users up to 64 characters creates even more secure passwords.
3. Accept all printing ASCII [RFC20] characters and the space character in passwords.
   1. ASCII characters represent the rudimentary western characters used in typing—there are 95 printing characters in the ASCII set.
   1. Why this is important: Allowing all printing ASCII characters is like having more colors to paint with. Consider being asked to create a 4-digit password using only numerals. We know there are only 10,000 possible combinations since there are only 10 numerals, zero through nine, and a series of four of them means we have a possible 10 raised to the 4^th power combinations. Now, consider a 4-character password that allowed all 95 ASCII printing characters; that’s 95 raised to the power of 4, or 81,450,625 possible combinations. That creates a much more secure password because it is exponentially more difficult to guess.
4. Accept Unicode [ISO/ISC 10646] characters in passwords, with each Unicode point counting as a single character towards password length.
   1. Unicode is an international standard for written characters and emojis, covering 168 modern and historical scripts and symbol sets, encompassing a total of 155,063 total characters.
   1. Why this is important: This expands on the benefit of allowing all ASCII characters, but with exponentially larger results. If we repeat our thought experiment of creating a 4-character password, but each character can be one of 155,063 possibilities, we wind up with 578,139,610,000,000,000,000 possible combinations—and that’s with a 4-character password, which is only half the minimum required password length.
5. Stop requiring arbitrary password complexity, like forcing the use of special characters or a mixture of numbers, letters, and symbols.
   1. Why this is important: It may seem counterintuitive, but research shows that this is a beneficial change. The option to use special characters is excellent for those who want an additional layer of security; however, longer passwords are more effective than short and complex passwords and are typically easier to remember too.
   1. This XKCD comic does a great job of explaining this concept: https://xkcd.com/936/
6. Stop requiring periodic password resets on specified intervals unless there is evidence of password compromise.
   1. Why this is important: Have you ever logged in to your computer at work, only to be forced to change your password because 90 days had elapsed since you had last changed your password? This can be extraordinarily frustrating, as you may have a perfectly good password that you can actually remember, but now are forced to change it. In theory, this may sound like a good idea, but when you apply human behavior to the mix, you’re more likely to compel the user to create a weaker password. Consider that you know you’ll be required to change your password every so often—it’s only natural to select a password that fits into a sequence or follows a pattern, because of course that’s easier to remember. But a sequence of passwords that follow a pattern aren’t much more secure than the first password in the sequence.

But should there be an indication of a problem—it’s not a bad idea to compel password changes. For example, if your password is found exposed on the dark web, this is an excellent time to change it. Or if your organization suffers a security incident where it’s believed users’ passwords may have been compromised, this is a great time to change your password. But absent any evidence of such problems, it may be best to let users keep their passwords the same.

• Stop allowing users to save password hints.
  • Why this is important: Password hints can be helpful to both the account owner and a hacker trying to gain access to the account. Getting rid of password hints makes it that much more difficult to get into your account.
• Stop requiring users to answer security questions to reset forgotten passwords.
  • Using security questions (i.e., What was your favorite teacher’s name?) to authenticate the user’s identity presents another weak point—as a hacker may be able to guess your answers to security questions. In the event of a forgotten password, it’s best to verify the user’s identity through other methods before allowing them to reset their password.
• Verify the entire password, not a truncated/substring of the password.
  • Why this is important: This guideline is for what NIST calls “verifiers,” or the entity that verifies you’ve entered the correct password (i.e., the site you’re logging in to). Unfortunately, it is somewhat commonplace to truncate the entered password, usually due to technical limitations. For example, if an app is only designed to store eight-character passwords, but allows users to create longer passwords, it might only consider the first eight characters of the password when authenticating the user. Clearly, this undermines password minimum length, and therefore NIST recommends that the entire password is considered.

Even with these modernized guidelines for optimal password security, the unfortunate reality remains that passwords are exposed on the dark web by malware known as info stealers, and hackers work to find ways to guess and crack passwords. This is where Constella Intelligence comes in—with the largest data lake of exposed passwords and PII; you can leverage Constella’s data to determine if you or your users have a compromised password or any vulnerabilities hackers can exploit to gain unauthorized access to your accounts. Contact us today for a demo.