Election Security Spotlight – Password Attacks
What it is
A password attack refers to any of the various methods used to maliciously authenticate into password-protected accounts. These attacks are typically facilitated through the use of software that expedites cracking or guessing passwords. The most common attack methods include brute forcing, dictionary attacks, password spraying, and credential stuffing.
- Brute forcing is the attempt to guess a password by iterating through all possible combinations of the set of allowable characters.
- Dictionary attacks try to guess passwords by iterating through commonly used passwords, such as words found in the dictionary and simple variations on them.
- Rather than trying multiple passwords against one account, password spraying tries a small number of common passwords against many accounts in hopes of accessing at least one of them. This method helps avoid account lockout rules and is more difficult to detect.
- Cyber threat actors exploit end users' tendency to reuse passwords through credential stuffing. This involves utilizing breached usernames and passwords to attempt (or "stuff") a large number of login requests into a different website in hopes that some users have reused the breached usernames and passwords.
These are the most common "front end" attacks, in which malicious actors try to compromise accounts through login portals. There is another set of attacks that go after the password storage. As attackers often choose the path of least resistance, it's critical to protect against both types.
Why it matters
Password attacks perennially top the list of data breach attack vectors. While they are relatively easy and low cost to mitigate, many organizations do not have properly implemented safeguards. Even when organizations implement multi-factor authentication
(MFA), passwords typically serve as one of the factors. Furthermore, malicious actors typically compromise accounts in order to facilitate other consequences, such as data exfiltration, facilitated phishing, or the introduction of malware onto networks.
What you can do
In order to protect your organization from password attacks, election officials should work with their security staff to implement the password guidance
in the National Institute of Standards and Technology's
Special Publication 800-63B
Digital Identity Guidelines, Authentication and Lifecycle Management. This guidance details requirements for passwords that can render the attacks above inefficient or ineffective, methods for the proper storage of passwords, and strategies aimed at defending against password attacks. Well-created and well-protected passwords afford a limited amount of protection. Use MFA to protect all sensitive accounts and information.
Below are some of the highlights of the NIST password guidance. The guidance explains implementation in much greater detail for your technical staff:
- Encourage the use of passphrases rather than passwords by allowing whitespace and long (at least 64 characters) passphrases. Passphrases should be a minimum length of 15 characters.
- If you require a passphrase of 15 or more characters, there is no need to require composition rules, such as upper and lower-case letters, numbers, or special characters. This blog post explains why passphrases are better for both usability and security.
- Neither passwords nor passphrases alone should ever be used to protect sensitive information. For anything sensitive or of substantial value to your organization, protect user accounts with MFA.
- Rather than having a set expiration on passwords force changes only when there is a reason to believe there was a compromise. To avoid issues of password reuse, check against previous breach data when users create their passphrases.
- Do not allow password "hints."
- Allow paste functionality in password fields so users can use password managers. Consider issuing password managers to your users.
- Properly salt and hash stored passwords.
The EI-ISAC Cybersecurity Spotlight is a practical explanation of a common cybersecurity concept, event, or practice and its application to Elections Infrastructure security. It is intended to provide EI-ISAC members with a working understanding of common technical topics in the cybersecurity industry. If you would like to request a specific term or practice that may be of interest to the elections community, please contact firstname.lastname@example.org