The Hacker News Logo
Subscribe to Newsletter
CrowdSec

The Hacker News - Cybersecurity News and Analysis: password security

Cost of Account Unlocks, and Password Resets Add Up

Cost of Account Unlocks, and Password Resets Add Up
April 22, 2021The Hacker News
There are many labor-intensive tasks that the IT service desk carries out on a daily basis. None as tedious and costly as resetting passwords. Modern IT service desks spend a significant amount of time both unlocking and resetting passwords for end-users. This issue has been exacerbated by the COVID-19 pandemic. Causes of account lockouts and password resets End-user password policies, such as those found in Microsoft Active Directory Domain Services (ADDS), typically define a  password age . The password age is the length of time an end-user can keep their current password. While  new guidance from NIST  recommends against the long-held notion of forced password changes, it is still a common and required security mechanism across other compliance standards and industry certifications such as PCI and HITRUST. When the password age is reached for the user account, the user must change their account password. It is generally prompted at the next login on their workstation. This sce

Passwordless: More Mirage Than Reality

Passwordless: More Mirage Than Reality
April 19, 2021The Hacker News
The concept of "passwordless" authentication has been gaining significant industry and media attention. And for a good reason. Our digital lives are demanding an ever-increasing number of online accounts and services, with security best practices dictating that each requires a strong, unique password in order to ensure data stays safe. Who wouldn't want an easier way? That's the premise behind one-time passwords (OTP), biometrics, pin codes, and other authentication methods presented as passwordless security. Rather than remembering cumbersome passwords, users can authenticate themselves using something they own, know, or are. Some examples include a smartphone, OTP, hardware token, or biometric marker like a fingerprint. While this sounds appealing on the surface, the problem is that, when you dig deeper, these passwordless solutions are still reliant on passwords. This happens in two primary ways: Passwordless Solutions Rely on Passwords as a Fallback If you ha

NIST and HIPAA: Is There a Password Connection?

NIST and HIPAA: Is There a Password Connection?
April 08, 2021The Hacker News
When dealing with user data, it's essential that we design our password policies around compliance. These policies are defined both internally and externally. While companies uphold their own password standards, outside forces like HIPAA and NIST have a heavy influence. Impacts are defined by industry and one's unique infrastructure. How do IT departments maintain compliance with NIST and HIPAA? We'll discuss each compliance measure and its importance in this article. What is NIST compliance? Defined by the National Institute of Standards and Technology, NIST compliance aims to harden federal systems against cyber-attacks. While the agency is non-regulatory, it  is  part of the U.S. Department of Commerce, which has plenty of influence over government agencies and their contractors. For example, NIST guidelines help agencies  satisfy the requirements of the Federal Information Security Management Act  (FISMA). NIST is instrumental in creating Federal Information Proce

Why Cached Credentials Can Cause Account Lockouts and How to Stop it

Why Cached Credentials Can Cause Account Lockouts and How to Stop it
March 18, 2021The Hacker News
When a user account becomes locked out, the cause is often attributed to a user who has simply entered an old or incorrect password too many times. However, this is far from being the only thing that can cause an account to become locked. Another common cause, for example, is an application or script that is configured to log into the system using an old password. Perhaps the most easily overlooked cause of account lockouts, however, is the use of cached credentials. Before I explain  why cached credentials can be problematic , let's first consider what the Windows cached credentials do and why they are necessary. Cached and stored credentials Cached credentials are a mechanism that is used to ensure that users have a way of logging into their device in the event that the device is unable to access the Active Directory. Suppose for a moment that a user is working from a domain-joined laptop and is connected to the corporate network. In that type of situation, the Active Directory

Fixing the Weakest Link — The Passwords — in Cybersecurity Today

Fixing the Weakest Link — The Passwords — in Cybersecurity Today
March 11, 2021The Hacker News
Password security has long been an issue for businesses and their cybersecurity standards. Account passwords are often the weakest link in the overall security posture for many organizations. Many companies have used Microsoft's default password policies for decades. While these can be customized, businesses often accept the default values for their organization. The Windows default password policy is a good start, but are there security vulnerabilities associated with it? Let's look at the current recommendations from leading cybersecurity authorities and see how they measure up against the Windows default password policy. Windows default password policy settings Many, if not most, business environments today use Microsoft Active Directory as their identity and access management solution in the enterprise. Active Directory has served organizations in this capacity for decades.  One of the built-in capabilities provided by Microsoft Active Directory Domain Services (ADDS)

The Top Free Tools for Sysadmins in 2021

The Top Free Tools for Sysadmins in 2021
February 25, 2021The Hacker News
It's no secret that sysadmins have plenty on their plates. Managing, troubleshooting, and updating software or hardware is a tedious task. Additionally, admins must grapple with complex webs of permissions and security. This can quickly become overwhelming without the right tools. If you're a sysadmin seeking to simplify your workflows, you're in luck. We've gathered some excellent software picks to help tackle different duties more efficiently.  Thankfully, these free tools are also respectful of tight budgets—without sacrificing core functionality. Best for Permissions Management: SolarWinds Permissions Analyzer for Active Directory Whether you are part of an organization with many members or numerous resources, keeping track of permissions can be challenging. Changes in responsibilities, titles, or even employment statuses can influence one's access to proprietary data. Each user has unique privileges. We not only need to visualize these but manage them on

Poor Password Security Led to Recent Water Treatment Facility Hack

Poor Password Security Led to Recent Water Treatment Facility Hack
February 11, 2021Ravie Lakshmanan
New details have emerged about the remote computer intrusion at a Florida water treatment facility last Friday, highlighting a lack of adequate security measures needed to bulletproof critical infrastructure environments. The breach involved an  unsuccessful attempt  on the part of an adversary to increase sodium hydroxide dosage in the water supply to dangerous levels by remotely accessing the SCADA system at the water treatment plant. The system's plant operator, who spotted the intrusion, quickly took steps to reverse the command, leading to minimal impact. Now, according to an  advisory  published on Wednesday by the state of Massachusetts, unidentified cyber actors accessed the supervisory control and data acquisition (SCADA) system via TeamViewer software installed on one of the plant's several computers that were connected to the control system. Not only were these computers running 32-bit versions of the Windows 7 operating system, but the machines also shared the

How to Audit Password Changes in Active Directory

How to Audit Password Changes in Active Directory
February 04, 2021The Hacker News
Today's admins certainly have plenty on their plates, and boosting ecosystem security remains a top priority. On-premises, and especially remote, accounts are gateways for accessing critical information. Password management makes this possible. After all, authentication should ensure that a user is whom they claim to be. This initial layer of security is crucial for protecting one's entire infrastructure. Unfortunately, the personal nature of passwords has its shortcomings. Passwords are easily forgotten. They may also be too simplistic; many companies don't enforce stringent password-creation requirements. This is where the Active Directory Password Policy comes in. Additionally, the following is achievable: Changing user passwords Recording password changes and storing them within a history log Active Directory accounts for any impactful changes across user accounts. We'll assess why and how administrators might leverage these core features. Why change user

Using the Manager Attribute in Active Directory (AD) for Password Resets

Using the Manager Attribute in Active Directory (AD) for Password Resets
January 27, 2021The Hacker News
Creating workflows around verifying password resets can be challenging for organizations, especially since many have shifted work due to the COVID-19 global pandemic. With the numbers of cyberattacks against businesses exploding and compromised credentials often being the culprit, companies have to bolster security around resetting passwords on user accounts. How can organizations bolster the security of password resets for remote workers? One security workflow might involve having manager approval before IT helpdesk technicians can change a remote worker's password. In this way, the user's manager is involved in the process. Additionally, some organizations might opt to allow managers themselves the ability to change end-user passwords. How can this be configured in Active Directory? Also, is there a more seamless solution for requiring manager approval for password resets? Why password reset security is critical This past year has undoubtedly created many IT helpdesk st

How Does Your AD Password Policy Compare to NIST's Password Recommendations?

How Does Your AD Password Policy Compare to NIST's Password Recommendations?
January 07, 2021The Hacker News
End-user passwords are one of the weakest components of your overall security protocols. Most users tend to reuse passwords across work and personal accounts. They may also choose relatively weak passwords that satisfy company password policies but can be easily guessed or brute-forced. Your users may also inadvertently use  breached passwords  for their corporate account password. The  National Institute of Standards and Technology (NIST)  has a cybersecurity framework that helps organizations address common cybersecurity pitfalls in their environment, including weak, reused, and breached passwords. This post will take a closer look at the NIST password guidelines and see how you can effectively audit your password policies to ensure these meet the standards recommended by NIST. NIST Password Guidelines and Best Practices Specific guidance around passwords is addressed within the chapter titled  Memorized Secret Verifiers . NIST has several recommendations in regards to passwords
Online Courses and Software

Sign up for cybersecurity newsletter and get latest news updates delivered straight to your inbox daily.