On a recent network penetration test our password catcher software sniffed out a service account logging in and caught its credentials. The hashed password we retrieved was nine characters long. With our homemade password cracking device (which has “only” four GPUs) we were able to recover the password in under four hours. At that point, we had full access to the client’s network.
Service accounts for backup services, Citrix services, and other critical systems are ubiquitous in modern IT environments. Depending on their function, these special accounts might well have domain-level access privileges comparable to a system administrator. This makes them a prime attack vector during network breaches.
Are the passwords for all your service accounts in line with current password strength and complexity guidelines for sysadmins? Or were they configured four or five years ago and not changed since? How long would it take a black-hat hacker to crack one if he or she managed to grab it? An eight-character hashed password that was considered secure a few years ago can easily be decrypted in under two hours today.
Unlike typical user accounts, service account passwords are often set to never expire. Some services run across multiple servers and use multiple service accounts. It can be a time-consuming pain to change these various passwords and identify all the places where those credentials are used, and critical applications can stop working if passwords get mixed up. No wonder service account passwords frequently go unchanged for years.
But to avoid a scenario like I just described, it’s important to routinely (e.g., annually or every two years, and/or anytime you upgrade the associated software) evaluate your service account passwords and increase their length and complexity as needed based on how hacking technology has progressed. The longer and more complex you can make them, the better—then you probably won’t need to revisit them as often.
To get expert help identifying InfoSec risks in your environment and developing practical approaches to address them, contact Pivot Point Security.
For more information:
- Obviously, it’s good practice to minimize the number of service accounts in your environment and to restrict their access levels as much as is practical. This post offers tips on identifying all the service accounts in a domain.
- Tips on changing service account passwords automatically using Windows Management Instrumentation (WMI).
This whitepaper explores such vulnerabilities and explains in detail how to avoid them.