On this episode of the X-Force Red in Action podcast series, we’re tackling a popular subject that many organizations still struggle with: password security. Luckily, we’ve got some expert help from Dustin Heywood, an X-Force Red penetration tester and password cracker who’s also known as Evil Mog.
Passwords Aren’t Going Anywhere — Yet
Experts often talk about getting rid of passwords altogether, but according to Heywood, they’ll “never really go away.” Why not? Because passwords are a cheap method of authentication baked into technical specifications and are almost universally familiar. Heywood also notes they’re “nothing special, just a shared secret like a certificate” — meaning it’s not passwords themselves that make or break corporate security, but how they’re handled.
Avoid the Temptation to Reuse Passwords
In Heywood’s experience, most users opt for the same familiar passwords at home and at work. Sure, they might tack on a number or special character to meet enterprise requirements, but they’re effectively duplicates. To break the bad habit of reusing passwords, he recommends using a reputable password manager to generate unique credentials for every website and store them securely.
If Heywood’s experience is any guide, this advice still needs a signal boost. In one X-Force Red engagement, within the first 10 minutes of setup, he discovered that an enterprise network administrator was logging in to privileged accounts with the password Password1! (a dictionary word with a digit and a symbol appended, which satisfies most complexity policies while remaining trivial to guess). Yikes.
Implement Proper Authentication Controls
But what happens to password security if password managers aren’t an option? Heywood reiterates his earlier point: It is never safe to reuse passwords. Users have no idea whether a site or application hashes passwords at all, or what type of hash it applies. A breach of one site that stores passwords in plaintext or behind a fast, unsalted hash hands attackers a working password that they will then try against every other service the same user has (credential stuffing), so one weak site can undo the security of every strong one.
He recommends using two-factor authentication (2FA) wherever possible, but suggests taking a pass on insecure SMS codes in favor of authenticator apps. It’s also a good idea to create long passwords or passphrases that include spaces and avoid character repetition.
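The passphrase advice above is easy to turn into code. The following is an added example, not code from the podcast or from X-Force Red: it generates multi-word passphrases from a wordlist, estimates their entropy, and checks a candidate against the policy points Heywood mentions (length, spaces, no repeated runs) plus the "dictionary word with a digit and symbol on the end" pattern. The wordlist is a constructed 16-word stand-in; a real generator would use a diceware-style list of several thousand words, and the entropy figure shows why.

```python
import math
import re
import secrets

# Constructed 16-word list for the demo. A real generator should use a
# diceware-style list (e.g. 7776 words) so each word contributes ~12.9 bits.
WORDLIST = [
    "correct", "horse", "battery", "staple", "orbit", "cactus", "velvet", "harbor",
    "meadow", "copper", "lantern", "quartz", "ripple", "saddle", "tundra", "walnut",
]

# Matches a single dictionary word, optional 1-4 digits, optional single symbol:
# the shape of "Password1!", "Summer2019", "Welcome123#" and friends.
WORD_DIGIT_SYMBOL = re.compile(r"[A-Za-z]+\d{0,4}[!@#$%^&*]?")


def generate_passphrase(words=WORDLIST, count=5, rng=secrets):
    """Return `count` words joined by spaces, chosen with a CSPRNG.

    `rng` only needs a `.choice()` method; the default is the `secrets`
    module, which is what a password manager would use.
    """
    return " ".join(rng.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of `count` words drawn uniformly from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def check_password(pw, min_length=16):
    """Return a list of policy problems; an empty list means the password passes.

    The checks mirror the advice in the text: long, contains spaces (i.e. is a
    passphrase), no runs of repeated characters, and not a single dictionary
    word dressed up with a digit and a symbol to satisfy a complexity rule.
    """
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if " " not in pw:
        problems.append("no spaces: use a multi-word passphrase")
    if re.search(r"(.)\1\1", pw):
        problems.append("contains a run of three or more repeated characters")
    if WORD_DIGIT_SYMBOL.fullmatch(pw):
        problems.append("single word with digit/symbol suffix (Password1! pattern)")
    return problems


if __name__ == "__main__":
    pp = generate_passphrase()
    print(pp, "->", check_password(pp))
    print("entropy with this toy list:",
          round(passphrase_entropy_bits(len(WORDLIST), 5), 1), "bits")
    print("entropy with a 7776-word list:",
          round(passphrase_entropy_bits(7776, 5), 1), "bits")
    print("Password1! ->", check_password("Password1!"))
```

With the toy list, five words give only 20 bits; the same five words from a 7776-word list give about 64.6 bits, which is the point of using a real wordlist rather than a handful of memorable words.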
Test Your Password Security Regularly
Heywood puts it simply: All enterprises should invest in penetration testing. After all, attackers are already testing your passwords every day; the only question is whether you or they find the weak ones first, and the results can be disastrous if an attacker exploits a weakness nobody on the defending side had noticed.
X-Force Red offers autonomous testing of internal passwords and user databases with a focus on privileged accounts, especially service and infrastructure accounts whose passwords may never have been changed. Using their custom-built Cracken tool, X-Force teams regularly report extremely high success rates in cracking privileged-account passwords.
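To show what an internal password audit of the kind described above actually does, here is an added example; it is not Cracken and not X-Force Red's code. It runs three checks that a password tester performs against a dump of unsalted hashes: rule-based guessing from a small base wordlist (capitalisation, digit suffix, trailing symbol, i.e. the Password1! pattern), detection of accounts that share a password (possible only because the hashes are unsalted, so equal passwords give equal hashes), and flagging of privileged accounts. The dump, account names, privileged flags and base words are all constructed for the demo, and SHA-1 stands in for the NT hash a real Windows dump would contain so the block runs with `hashlib` alone; the auditing logic does not depend on which unsalted hash is used.

```python
import hashlib
from collections import defaultdict


def unsalted_hash(password):
    """Stand-in for an unsalted credential hash (a real AD dump holds NT hashes)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample dump: (account, is_privileged, hash). In practice this
# comes from a dump file, not from hashing known passwords at runtime.
SAMPLE_DUMP = [
    ("svc_backup",   True,  unsalted_hash("Password1!")),
    ("admin_jsmith", True,  unsalted_hash("Password1!")),   # same as svc_backup
    ("jsmith",       False, unsalted_hash("Password1!")),   # the admin's daily-driver account
    ("da_legacy",    True,  unsalted_hash("Summer2019")),   # never rotated
    ("amartin",      False, unsalted_hash("correct horse battery staple")),
]

# Constructed base wordlist; a real audit uses company names, seasons, sports teams
# and leaked-password corpora.
BASE_WORDS = ["password", "welcome", "summer", "winter", "company"]


def mangle(word):
    """Yield the variants users produce to satisfy complexity policies:
    capitalisation, a digit or year suffix, and an optional trailing symbol."""
    suffixes = [""] + [str(n) for n in range(100)] + [str(y) for y in range(2015, 2026)]
    for base in (word, word.capitalize(), word.upper()):
        for suffix in suffixes:
            for symbol in ("", "!", "@", "#"):
                yield base + suffix + symbol


def crack(dump, base_words):
    """Return {hash: plaintext} for every hash in the dump hit by the rules."""
    targets = {entry[2] for entry in dump}
    found = {}
    for word in base_words:
        for candidate in mangle(word):
            digest = unsalted_hash(candidate)
            if digest in targets and digest not in found:
                found[digest] = candidate
    return found


def severity(finding):
    """Rank a finding the way a tester would prioritise it in a report."""
    if finding["cracked"] and finding["privileged"]:
        return "critical"
    if finding["cracked"] or (finding["shared"] and finding["privileged"]):
        return "high"
    if finding["shared"]:
        return "medium"
    return "info"


def audit(dump, base_words):
    """Group accounts by hash (password reuse), crack what the rules reach,
    flag privileged accounts, and return one finding per distinct password."""
    by_hash = defaultdict(list)
    for account, privileged, digest in dump:
        by_hash[digest].append((account, privileged))
    cracked = crack(dump, base_words)
    findings = []
    for digest, members in by_hash.items():
        finding = {
            "accounts": sorted(a for a, _ in members),
            "privileged": sorted(a for a, p in members if p),
            "shared": len(members) > 1,
            "cracked": cracked.get(digest),
        }
        finding["severity"] = severity(finding)
        findings.append(finding)
    order = {"critical": 0, "high": 1, "medium": 2, "info": 3}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP, BASE_WORDS):
        print(f["severity"].upper(), f["accounts"],
              "cracked=" + repr(f["cracked"]), "privileged=" + str(f["privileged"]))
```

Two things worth noticing in the output: the admin's privileged accounts and their ordinary user account all share one hash, so a breach of the least important account exposes the most important one, and the cracking loop never even looks at the passphrase account because nothing in the rule set generates it. Salted, slow hashes (bcrypt, scrypt, Argon2) would defeat the reuse check, which is a reason to prefer them in application databases, though in a Windows domain the unsalted NT hash is what you have.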
The bottom line is that passwords are here to stay despite the challenges of password security. Limiting network risk demands no-reuse policies coupled with secure password managers and regular penetration testing.
If you enjoyed listening, please consider rating the podcast or leaving your feedback on iTunes or wherever you listen.