Poor Credential Hygiene
This article is part of a series where we look at a recent NSA/CISA Joint Cybersecurity Advisory on the top cybersecurity issues identified during red/blue team exercises operated by these organizations. In this article, you will find a more in-depth look at the specific issue, with real-world scenarios where it is applicable, as well as mitigation strategies that can be adopted to limit or overcome it. This expands on the information provided by the NSA/CISA report.
The importance of credential hygiene, encompassing passwords, usernames, and other forms of authentication, helps achieve a robust cybersecurity posture. Despite its role, insufficient credential hygiene remains a significant vulnerability, leading to severe security breaches and data loss. This article explores the risks associated with poor credential hygiene and outlines best practices for maintaining secure credentials.
Understanding Credential Hygiene and Its Importance
Credential hygiene encompasses practices for securing authentication data, including the creation, storage, and management of passwords. Weak or reused passwords, failing to update credentials, and inadequate system-side security measures like encryption can expose organizations to risks such as unauthorized access, network infiltration, and reputational damage.
The full scope of credential hygiene also covers system-side considerations like encryption levels and storage methods. Relying on cleartext (or reversible) storage of credentials or cleartext transmission of credentials between systems are also tell-tale signs of poor credential hygiene.
Real-World Consequences of Poor Credential Hygiene
Poor credential hygiene has been central to many high-profile breaches. Attackers exploiting weak credentials can escalate privileges or move laterally within networks, leading to data exfiltration and operational disruptions.
On the flipside, the mismanagement of credentials, like requiring overly complex credentials or too frequent changes can also result in user dissatisfaction and insecure practices, such as writing passwords on post-it notes or creating predictable patterns when generating new ones.
Storing passwords in cleartext or in an easily crackable form is extremely risky. The large number of stolen and distributed passwords only makes this problem more visible.
Best Practices for Enhancing Credential Hygiene
- Strong and Unique Passphrases: Passphrases, easier to remember and often more secure, should include a mix of characters, numbers, and symbols.
- Avoid Reusing Passwords: Unique passwords for each account mitigate the risk of multiple account compromises from a single breach.
- Use of Password Managers: These tools alleviate the burden of remembering multiple passwords and enhance security.
- Regular Password Changes: Regular updates are crucial, though excessive changes can be counterproductive. According to Packetlabs, frequent mandatory changes may lead users to create weaker passwords or predictable patterns.
- Implement Multi Factor Authentication (MFA): MFA significantly enhances security. Google reported that adding a mobile phone for verification blocked up to 100% of automated bots, 66% of targeted attacks, and 99% of bulk phishing attacks
- Educate on Cybersecurity Awareness: Training in best practices, including the risks of phishing and secure password creation, is essential for improving credential hygiene.
- Audit Credential Security: Disallow storage of cleartext or easily attackable credentials in any system. Keep credential storage systems secure and thoroughly patched.
Final Thoughts
Maintaining strong credential hygiene is a vital component of an organization’s cybersecurity strategy. Adopting practices like using strong, unique passwords, utilizing password managers, and implementing MFA can substantially reduce the risk of cyberattacks and protect sensitive data.
Always consider that adequate credential hygiene can only be achieved when the users understand its importance. Mandatory requirements that exploit complexity to the extreme or impose changes too frequently are just as problematic as the opposite, but will hurt the user’s perception more.