
Pentest Chronicles

When Usernames Become Passwords: A Real-World Case Study of Weak Password Practices

Michał Wnękowicz

June 9, 2023

In today's world, ensuring the security of our accounts is more crucial than ever. Just as keys protect the doors to our homes, passwords serve as the first line of defense for our data and assets. It's easy to assume that technical individuals, such as developers and IT professionals, always use strong, unique passwords to keep their accounts secure.


However, this is not always the case; for example, in certain situations like setting up temporary test accounts, even tech-savvy individuals may opt for weak passwords that can be easily cracked or guessed. This false sense of security can expose systems and users to potential cyber threats. It underscores the necessity of using strong, unique passwords across all accounts, regardless of their perceived importance. By prioritizing password security and adopting best practices, we can effectively protect our digital assets from unauthorized access and cyber-attacks.

In this article, we will present a real-world case study of a vulnerability discovered during a recent test and explain why taking care of your password is still crucial in 2023. Additionally, we will provide some practical tips for administrators on how to identify easily guessable passwords in their databases.

During the configuration analysis of an MSSQL server the day before its public release, it was found that three users in the database used their username as their password. Exploiting this is a well-known practice, especially against new services: some crawlers and gray/black hat attackers, instead of performing a barrage of attacks, simply attempt to log in using default or easy-to-guess login-password pairs to gain unauthorized access to data. The best-known pairs are certainly admin:admin and test:test, but the process can be more complex. Attackers may first enumerate usernames, after which there are two simple ways (without exploiting any vulnerability) to obtain an account in the application: brute force or password guessing.

The brute-force method could be more effective, but it faces several obstacles: after a few wrong passwords the account can be locked, rate limiting can make the attack slow or impractical, a Web Application Firewall (WAF) can detect this kind of activity and block the attacker's IP, and brute-force attempts are highly visible in logs. To avoid these problems, attackers can make just a few guesses per user, and one of them will, in most cases, be a password identical to the username. Note that this is limited by the password policy, but keep in mind that during the development phase there may not be a password policy in place.

To find this kind of weakness in MSSQL, you can execute the following query: "SELECT name FROM sys.sql_logins WHERE PWDCOMPARE(name, password_hash) = 1;". Fortunately, the potential impact of this finding was not critical, since none of these accounts had administrative permissions. Nonetheless, the situation serves as an important reminder of the risks associated with weak passwords: a simple, easily guessed password can leave an account open to attack, potentially leading to unauthorized access and data breaches.
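The same PWDCOMPARE audit, extended to a few more guesses that would otherwise be tried at the login prompt (lowercase username, empty password, a constructed three-word list). This is an added example, not the query from the original post; the `guesses` CTE and the wordlist are ours.

```sql
-- Added example (not the original post's query): audit SQL-authenticated logins
-- whose password equals their username, its lowercase form, an empty string, or
-- one of a few constructed guesses. Reading password_hash from sys.sql_logins
-- requires CONTROL SERVER; without it the column is NULL and nothing matches.
WITH guesses (login_name, guess, guess_type) AS
(
    SELECT name, name,        N'same as username'   FROM sys.sql_logins
    UNION ALL
    SELECT name, LOWER(name), N'lowercase username' FROM sys.sql_logins
    UNION ALL
    SELECT name, N'',         N'empty password'     FROM sys.sql_logins
    UNION ALL
    -- constructed mini wordlist; in practice load the top-10k list from tip 2
    SELECT l.name, w.word, N'wordlist: ' + w.word
    FROM sys.sql_logins AS l
    CROSS JOIN (VALUES (N'password'), (N'test'), (N'admin')) AS w(word)
)
SELECT l.name,
       g.guess_type,
       l.is_disabled,          -- disabled logins still matter: they can be re-enabled
       l.is_policy_checked     -- 0 = Windows password policy not enforced for this login
FROM sys.sql_logins AS l
JOIN guesses AS g ON g.login_name = l.name
WHERE PWDCOMPARE(g.guess, l.password_hash) = 1
ORDER BY l.name, g.guess_type;

-- Remediation for each hit (placeholder values): set a new password and make the
-- login honour the Windows password policy from now on.
-- ALTER LOGIN [login_name] WITH PASSWORD = N'<new strong password>', CHECK_POLICY = ON;
```

Run it from a CONTROL SERVER account such as a sysadmin; logins whose hash is NULL (certificate-mapped logins, or a reader without the permission) never appear in the result.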

Here are some tips for creating secure passwords, which could also form the basis for your company's password policy:

1. At least 14 characters;

2. Check that the password does not appear among at least the 10,000 most popular passwords from database leaks and other sources, nor in publicly available password dictionaries (the ones most commonly used in brute-force attacks);

3. The password should be unique per account, meaning the same user must not reuse it for other services;

4. Avoid passwords that are easy to guess – they should not contain the company name, the username, a year, or runs of consecutive digits.
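Rules 1, 2 and 4 above can be enforced server-side before an application stores a password. The T-SQL function below is an added example, not part of the original post; it assumes a hypothetical table dbo.CommonPasswords(password nvarchar(128)) loaded from a public top-10k list, and the company name is passed in as a parameter. Rule 3 (no reuse elsewhere) cannot be checked from a single server.

```sql
-- Added example (not from the original post): returns NULL when the candidate
-- password passes every rule, otherwise a short name of the rule it broke.
-- Assumes a hypothetical dbo.CommonPasswords(password nvarchar(128)) table.
CREATE OR ALTER FUNCTION dbo.PasswordPolicyViolation
(
    @Password    nvarchar(256),
    @UserName    nvarchar(128),
    @CompanyName nvarchar(128)
)
RETURNS nvarchar(60)
AS
BEGIN
    DECLARE @Reason nvarchar(60);

    IF LEN(@Password) < 14                                       -- rule 1
        SET @Reason = N'shorter than 14 characters';
    ELSE IF EXISTS (SELECT 1 FROM dbo.CommonPasswords            -- rule 2
                    WHERE password = @Password)
        SET @Reason = N'listed among common passwords';
    -- CHARINDEX follows the database collation; under the usual case-insensitive
    -- collation "Contoso2023" is caught for company name "contoso" as well.
    ELSE IF LEN(@UserName) > 0 AND CHARINDEX(@UserName, @Password) > 0
        SET @Reason = N'contains the username';                  -- rule 4
    ELSE IF LEN(@CompanyName) > 0 AND CHARINDEX(@CompanyName, @Password) > 0
        SET @Reason = N'contains the company name';              -- rule 4
    ELSE IF @Password LIKE N'%[12][0-9][0-9][0-9]%'              -- four digits starting 1 or 2
        SET @Reason = N'contains a year';                        -- rule 4
    ELSE IF EXISTS (SELECT 1
                    FROM (VALUES (N'012'), (N'123'), (N'234'), (N'345'), (N'456'),
                                 (N'567'), (N'678'), (N'789'), (N'890')) AS s(run)
                    WHERE CHARINDEX(s.run, @Password) > 0
                       OR CHARINDEX(REVERSE(s.run), @Password) > 0)
        SET @Reason = N'contains a run of consecutive digits';   -- rule 4, both directions

    RETURN @Reason;
END;
GO

-- Constructed sample calls: the first returns NULL (assuming the phrase is not in
-- dbo.CommonPasswords); the second returns 'contains the company name'.
SELECT dbo.PasswordPolicyViolation(N'correct-horse-battery', N'jdoe', N'Contoso');
SELECT dbo.PasswordPolicyViolation(N'Contoso-Summer-2023!', N'jdoe', N'Contoso');
```

Call the function from the stored procedure or application code that creates or changes accounts, and reject the change whenever the result is not NULL.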

👉 As an administrator, it is important to regularly check for weak passwords within your databases to maintain a high level of security. One way to identify weak passwords is to use tools or scripts that can analyze password hashes and compare them against known weak or commonly used passwords.

👉 Additionally, implementing a strong password policy that enforces complexity requirements and regular password changes can help prevent the use of weak passwords in the first place.

👉 In conclusion, it is vital for both individuals and organizations to recognize the importance of password security and adopt best practices to protect their digital assets. By doing so, we can mitigate risks associated with weak passwords and create a more secure environment in the ever-evolving digital landscape.


#CyberSecurity #PenetrationTesting #Pentest #PasswordSecurity #WeakPasswordPractices #BestPasswordPractices

© 2023 Securitum. All rights reserved.