Weak Passwords: Risks & Fixes

TL;DR

Using weak passwords or easily guessable random number sources (entropy) is a massive cyber security risk. This guide shows you how to identify and fix these problems, making your systems much safer.

Understanding the Problem

Weak entropy means that it’s easy for someone to predict what a password or randomly generated key will be. This could happen if:

• You’re using simple passwords like ‘password123’.
• Your systems use predictable random number generators (RNGs).
• You’re not enforcing strong password policies.

Attackers can exploit weak entropy to gain access to your accounts, data, and systems.

Step-by-Step Solution

1. Check Password Strength Policies: Most operating systems and applications have settings for password complexity.
• Minimum Length: Aim for at least 12 characters, preferably more.
• Complexity Requirements: Enforce a mix of uppercase letters, lowercase letters, numbers, and symbols.
• Password History: Prevent users from reusing old passwords. A history of 24-36 passwords is good practice.
2. Use Password Managers: Encourage (or require) the use of password managers like Bitwarden, LastPass or KeePass. These generate and store strong, unique passwords for each account.
3. Enable Multi-Factor Authentication (MFA): MFA adds an extra layer of security, even if a password is compromised. Use authenticator apps (Google Authenticator, Authy), hardware tokens, or SMS codes (though SMS isn’t the most secure).
4. Audit Existing Passwords: Regularly check for weak or compromised passwords.
   • Linux/Unix Systems: You can use tools like john to crack password hashes and identify weak ones. Be careful using these on live systems!

     john --wordlist=/usr/share/wordlists/rockyou.txt /etc/shadow

   • Windows Systems: Use the Password Policy Auditor or PowerShell scripts to check against complexity requirements.
5. Review Random Number Generation (RNG) Sources: This is more technical, but crucial.
   • Avoid predictable sources: Don’t use timestamps, process IDs, or other easily guessable values as seeds for RNGs.
   • Use cryptographically secure RNGs: Most modern systems provide these.
   • Linux/Unix: Use /dev/urandom instead of /dev/random (unless you have specific reasons to use the latter).

     head -c 20 /dev/urandom | xxd

   • Windows: Use CryptGenRandom() API function.
   • Check for biases: Test your RNG output to ensure it’s truly random and doesn’t have patterns.
6. Regular Security Scans: Run vulnerability scans that include password strength checks.
7. User Education: Train users about the importance of strong passwords and cyber security best practices. Explain the risks of reusing passwords or using easily guessable information.

Important Considerations

• Password Reset Policies: Ensure password reset processes are secure and don’t allow easy guessing of answers to security questions.
• Key Rotation: Regularly change encryption keys generated using RNGs, especially for sensitive data.