SpiderLabs Blog

Corporate Passwords Part 1

The vast amount of research and content that SpiderLabs produced for the Global Security Report made it impractical to include everything written for this year's password study. Rather than let that research go to waste, Barrett Weisshaar and I (Garret Picchioni) will be offering the unabridged edition of the password study in a series of blog posts, in the hope that someone finds the research interesting and valuable to their organization…or at the very least some good bathroom reading material.

This month, we look at part 1 of the study. In order to better understand the choices users make in passwords, we must first acknowledge that many times passwords are entirely unnecessary. A poorly designed application with an excellent password is still a poorly designed application.


Password choice continues to be an important facet of security that cannot be discounted, yet it is often overlooked. An otherwise perfectly secure application can be brought down by a single poor password choice, no matter the best efforts of the developer. Passwords can be dressed up, accompanied by additional factors, and constrained by complexity rules and minimum lengths, but the base principles of passwords remain essentially intact.

In this year's study, we build on the lessons of last year and return with a fresh, expanded data set. For those of you who read last year's report, our process will seem quite familiar. However, as with any ongoing effort, we have continually improved both our data set (in efficiency and in quantity) and our analysis.

Before we get to the details, it's important to again look at a few basic tenets of password choices. In some cases, the strongest password choice may not matter due to the weakness of the underlying system, whether it is a cryptographic weakness, exploit, or external factors. Even in mechanisms with solid technological foundations, a variety of human fallibilities contribute to undermine the security of the system as a whole.

Password Weaknesses Unrelated to Password Choice

Bypassing Passwords Entirely

Even users who are the most proactive in ensuring their account safety can often have their accounts compromised by other attack vectors unrelated to their password selection, thus making their complex password irrelevant. The responsibility for preventing an attacker from utilizing these vectors is shared between both the user and an IT Administrator.

If a user's machine is vulnerable to system exploits because critical operating system patches are missing, an attacker can use that avenue to compromise the system and completely bypass the need for a valid user account. An ever-present example is still the MS08-067 SMB vulnerability for Microsoft Windows 2000, XP/Server 2003, and Vista/Server 2008. This 5-year-old vulnerability, which has become trivial to exploit, enables an attacker to compromise a system in a matter of seconds without requiring a single user's password.

However, even patched systems can be compromised as a result of third-party services installed on a user's system. This can range from unpatched services, such as an Apache web server that lets an attacker exploit a buffer overflow, to, more commonly, remote access tools that bypass a user's login credentials or require only a secondary password. VNC is a perfect example: a commonly used remote desktop utility that unfortunately presents security problems which often get overlooked. VNC Free Editions, often installed by the end user without the knowledge of IT staff, use a separate password system for console access that is not subject to the organization's password policy. VNC will function normally even without that secondary password set, making it easy for an attacker to connect to a remote system. VNC Free Edition also does not encrypt communications between the client and server, leaving a user's machine susceptible to Man-in-the-Middle attacks that can capture the VNC password, if one is even set.

Weakness of Cryptographic Methods

Other factors that can contribute to an account compromise involve the cryptographic algorithm used to protect a stored password. If a weakness exists in the algorithm, that weakness is what gets exploited in an attempt to crack a password, as opposed to attacking the password itself.

An extremely common example of this is the use of LAN Manager (LM) hashes to store Windows passwords. LM hashing is considered a legacy algorithm but is still in use in many environments today. It was the primary hashing algorithm for pre-Windows NT systems and was carried over, enabled by default, into later versions of Windows to maintain legacy support. Because of the way the hash is designed, LM hashes can be cracked with rainbow tables (files of pre-computed hash results that let a hash be reversed quickly) in a matter of minutes. When an LM hash is created, the user's plain-text password is converted to all uppercase characters and then null-padded to 14 bytes. This "fixed-length" value is in fact split into two 7-byte halves, each of which is DES-encrypted separately. Thus, instead of needing to crack the entire password, an attacker can crack each half individually and then merge the two results.

Microsoft finally disabled LM hashing by default starting with Windows Vista and Server 2008, but it is still commonly seen in Windows XP/2003 implementations. The one saving grace in places where LM hashing is enabled is that an LM hash has a 14-character limitation: if a user's password is over 14 characters, Windows will not hash it with LM and will hash it only with NTLM. Another example where attacking the cryptographic weakness is better than attacking the password itself is WEP-enabled wireless networks.
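To make the structural weakness concrete, here is an added example (not code from the original post or from Trustwave) that follows the steps above: uppercase, null-pad to 14 bytes, split into two 7-byte halves, hash each half independently, and then crack each half on its own. One assumption to note: real LM hashing expands each 7-byte half into a DES key and encrypts the constant `KGS!@#$%`; this example substitutes SHA-256 for the DES step so it runs with only the Python standard library. The independence of the two halves, which is what the attack exploits, is unchanged. The sample password, the toy alphabet, and the names `lm_like_hash`, `crack_half`, `crack_lm_like` and `search_cost` are all constructed for this illustration.

```python
import hashlib
import itertools
from typing import Optional

# Constant that real LM hashing DES-encrypts with each 7-byte half of the password.
LM_MAGIC = b"KGS!@#$%"


def _half_hash(key7: bytes) -> bytes:
    """Hash one 7-byte half of the padded password.

    Assumption: real LM hashing turns these 7 bytes into an 8-byte DES key and
    DES-encrypts LM_MAGIC. This stand-in uses SHA-256 so the example needs no
    third-party DES library; each half is still hashed independently of the other.
    """
    return hashlib.sha256(key7 + LM_MAGIC).digest()[:8]


def lm_like_hash(password: str) -> Optional[bytes]:
    """Build a 16-byte LM-style hash following the steps described in the post."""
    if len(password) > 14:
        # Windows produces no LM hash for passwords longer than 14 characters.
        return None
    # Step 1: case information is thrown away (assumption: ASCII passwords only).
    upper = password.upper().encode("ascii")
    # Step 2: null-pad to a fixed 14 bytes.
    padded = upper.ljust(14, b"\x00")
    # Step 3: hash the two 7-byte halves separately and concatenate the results.
    return _half_hash(padded[:7]) + _half_hash(padded[7:])


def crack_half(target: bytes, alphabet: str, max_len: int = 7) -> Optional[str]:
    """Brute-force one 8-byte half on its own, trying shorter candidates first."""
    for length in range(max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo).encode("ascii").ljust(7, b"\x00")
            if _half_hash(candidate) == target:
                return candidate.rstrip(b"\x00").decode("ascii")
    return None


def crack_lm_like(digest: bytes, alphabet: str, max_len: int = 7) -> Optional[str]:
    """Recover the (uppercased) password by cracking each half separately and joining them."""
    first = crack_half(digest[:8], alphabet, max_len)
    if first is None:
        return None
    second = crack_half(digest[8:], alphabet, max_len)
    if second is None:
        return None
    return first + second


def search_cost(alphabet_size: int, max_len: int) -> int:
    """Worst-case number of candidates for one exhaustive search up to max_len characters."""
    return sum(alphabet_size ** n for n in range(max_len + 1))


if __name__ == "__main__":
    # Constructed sample: a mixed-case, 8-character password.
    sample = "cab31ba2"
    digest = lm_like_hash(sample)
    # Case is discarded before hashing, so only the uppercase form needs to be searched.
    assert digest == lm_like_hash(sample.upper())
    # Constructed toy alphabet to keep the demonstration fast.
    print("recovered:", crack_lm_like(digest, "ABC123"))
    # Two independent 7-character searches are vastly cheaper than one 14-character search.
    print("two halves:", 2 * search_cost(36, 7), "vs whole:", search_cost(36, 14))
```

The `search_cost` comparison is the whole story: with an alphabet of 36 uppercase letters and digits, cracking two 7-character halves costs roughly twice 36^7 candidates, while a genuine 14-character search would cost on the order of 36^14. A defender checking an environment for this exposure should confirm that LM hash storage is disabled (the `NoLMHash` policy, or the Vista/Server 2008 default) and that password length or complexity requirements do not depend on LM limits for protection.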

That's enough for now – until next time, when your developer says they have their own custom written "proprietary" encryption algorithm, or your sysadmin says they need VNC open on the external perimeter, make sure to flip a few tables and call them on it. If it weren't for them, it's less likely we'd be having a chuckle at your password where you spelled your pet's name backwards and added a "1".

-Garret & Barrett
