Set and enforce secure password policies for accounts.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555 | Credentials from Password Stores | The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password. Organizations may consider weighing the risk of storing credentials in password stores and web browsers. If system, software, or web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in improper locations. |
| | .001 | Keychain | The password for the user's login keychain can be changed from the user's login password. This increases the complexity for an adversary because they need to know an additional password. |
| | .003 | Credentials from Web Browsers | Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers. |
| | .005 | Password Managers | Refer to NIST guidelines when creating password policies for master passwords.[1] |
| Enterprise | T1550 | Use Alternate Authentication Material | Set and enforce secure password policies for accounts. |
| | .003 | Pass the Ticket | Ensure that local administrator accounts have complex, unique passwords. |
| Enterprise | T1601 | Modify System Image | Refer to NIST guidelines when creating password policies.[1] |
| | .001 | Patch System Image | Refer to NIST guidelines when creating password policies.[1] |
| | .002 | Downgrade System Image | Refer to NIST guidelines when creating password policies.[1] |
| Enterprise | T1556 | Modify Authentication Process | Ensure that |
| | .005 | Reversible Encryption | Ensure that |
| Enterprise | T1201 | Password Policy Discovery | Ensure only valid password filters are registered. Filter DLLs must be present in the Windows installation directory ( |
| Enterprise | T1187 | Forced Authentication | Use strong passwords so that captured credential hashes are harder to crack. |
| Enterprise | T1003 | OS Credential Dumping | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .001 | LSASS Memory | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .002 | Security Account Manager | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .003 | NTDS | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .004 | LSA Secrets | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .005 | Cached Domain Credentials | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .006 | DCSync | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .007 | Proc Filesystem | Ensure that root accounts have complex, unique passwords across all systems on the network. |
| | .008 | /etc/passwd and /etc/shadow | Ensure that root accounts have complex, unique passwords across all systems on the network. |
| Enterprise | T1110 | Brute Force | Refer to NIST guidelines when creating password policies.[1] |
| | .001 | Password Guessing | Refer to NIST guidelines when creating password policies.[1] |
| | .002 | Password Cracking | Refer to NIST guidelines when creating password policies.[1] |
| | .003 | Password Spraying | Refer to NIST guidelines when creating password policies.[1] |
| | .004 | Credential Stuffing | Refer to NIST guidelines when creating password policies.[1] |
| Enterprise | T1078 | Valid Accounts | Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment.[4] Where possible, SSH keys used by applications should be rotated periodically and properly secured. Policies should minimize (if not eliminate) reuse of passwords between different user accounts, especially employees using the same credentials for personal accounts that may not be defended by enterprise security resources. |
| | .001 | Default Accounts | Default usernames and passwords on applications and appliances should be changed immediately after installation and before deployment to a production environment.[4] |
| | .002 | Domain Accounts | Implement and enforce strong password policies for domain accounts to ensure passwords are complex, unique, and regularly rotated. This reduces the likelihood of password guessing, credential stuffing, and other attack methods that rely on weak or static credentials. |
| | .003 | Local Accounts | Ensure that local administrator accounts have complex, unique passwords across all systems on the network. |
| | .004 | Cloud Accounts | Ensure that cloud accounts, particularly privileged accounts, have complex, unique passwords across all systems on the network. Passwords and access keys should be rotated regularly. This limits the amount of time a credential can be used to access resources if it is compromised without your knowledge. Cloud service providers may track access key age to help audit and identify keys that may need to be rotated.[5] |
| Enterprise | T1552 | Unsecured Credentials | Use strong passphrases for private keys to make cracking difficult. Do not store credentials within the Registry. Establish an organizational policy that prohibits password storage in files. |
| | .001 | Credentials In Files | Establish an organizational policy that prohibits password storage in files. |
| | .002 | Credentials in Registry | Do not store credentials within the Registry. |
| | .004 | Private Keys | Use strong passphrases for private keys to make cracking difficult. |
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[6] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[6] |
| | .002 | Silver Ticket | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[6] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[6] |
| | .003 | Kerberoasting | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[6] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[6] |
| | .004 | AS-REP Roasting | Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[6] |
| Enterprise | T1599 | Network Boundary Bridging | Refer to NIST guidelines when creating password policies.[1] |
| | .001 | Network Address Translation Traversal | Refer to NIST guidelines when creating password policies.[1] |
| Enterprise | T1072 | Software Deployment Tools | Verify that account credentials that may be used to access deployment systems are unique and not used elsewhere on the enterprise network. |
| Enterprise | T1021 | Remote Services | Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot easily be cracked or guessed. |
| | .002 | SMB/Windows Admin Shares | Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot easily be cracked or guessed. |
| Enterprise | T1563 | Remote Service Session Hijacking | Set and enforce secure password policies for accounts. |
| | .001 | SSH Hijacking | Ensure SSH key pairs have strong passphrases and refrain from using key-store technologies such as ssh-agent unless they are properly protected. |
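Several rows above (T1110 Brute Force and its sub-techniques, T1078.002, and every "Refer to NIST guidelines" entry) defer to NIST SP 800-63B for what a password policy should actually enforce. The following is an added example, not code from ATT&CK or NIST, of a verifier-side acceptance check in that spirit: a length floor, a generous length ceiling, a breached/common-password blocklist, rejection of context-specific words such as the username, and rejection of repetitive or sequential strings, with deliberately no composition rules ("one uppercase, one digit, one symbol") and no expiry, since 800-63B recommends against both. The blocklist and test strings are constructed stand-ins; a real deployment would load a breach corpus.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B section 5.1.1.2.

Added example for the password-policy rows in the mitigation table; it is not
ATT&CK or NIST code. BLOCKLIST is a constructed stand-in for a real
breached/common-password corpus.
"""
import unicodedata

MIN_LENGTH = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # 800-63B: verifiers should accept at least 64 characters

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
    "summer2024", "companyname1",
}

# Keyboard rows used to spot "qwer", "asdf", "1234" style sequences.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def _normalize(secret: str) -> str:
    # 800-63B: apply Unicode normalization (NFKC) before comparing/hashing.
    return unicodedata.normalize("NFKC", secret)


def _has_run(s: str, n: int = 4) -> bool:
    # True if any single character repeats n or more times in a row ("aaaa").
    count = 1
    for a, b in zip(s, s[1:]):
        count = count + 1 if a == b else 1
        if count >= n:
            return True
    return False


def _has_sequence(s: str, n: int = 4) -> bool:
    # True if any n-character window is a keyboard row fragment (either
    # direction) or a strictly ascending/descending run such as "abcd", "4321".
    low = s.lower()
    for i in range(len(low) - n + 1):
        chunk = low[i:i + n]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
        codes = [ord(c) for c in chunk]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_password(candidate: str, context_words=()) -> list:
    """Return the list of reasons the candidate is rejected.

    An empty list means the password is accepted. context_words are
    identifiers tied to the account (username, service name) that must not
    appear inside the secret. No composition rules and no expiry: 800-63B
    recommends against both.
    """
    secret = _normalize(candidate)
    lowered = secret.lower()
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        reasons.append("found in breached/common password list")
    for word in context_words:
        w = word.lower()
        if len(w) >= 3 and w in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if _has_run(secret):
        reasons.append("repetitive characters")
    if _has_sequence(secret):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for pw in ("Password1", "correct horse battery staple", "abcd1234"):
        print(repr(pw), "->", check_password(pw) or "accepted")
```

The passphrase with spaces is accepted while the "complex-looking" `Password1` is rejected on the blocklist alone, which is the behaviour 800-63B wants: length and non-guessability rather than character classes. Compare the candidate against the blocklist after normalization and lowercasing, otherwise trivial case changes bypass it.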
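The T1078.004 Cloud Accounts row notes that providers track access key age so stale keys can be found and rotated. The following is an added example, not ATT&CK's or any cloud provider's code, of that audit run over a constructed credential-report CSV: every active key whose last rotation is older than the policy window is flagged with its owner, slot and age in days. The column names are an assumption modelled loosely on an IAM credential report; map them to whatever your provider's export actually uses.

```python
"""Flag active cloud access keys older than the rotation window (T1078.004).

Added example, not ATT&CK's or a provider's code. SAMPLE_REPORT is a
constructed CSV; its column names are an assumption and must be mapped to the
real export format of the provider in use.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # policy window; an assumption for this example

# Constructed report: one stale automation key, one user with a fresh key in
# slot 1 and a stale key in slot 2, and a root account with no keys.
SAMPLE_REPORT = """\
user,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
deploy-bot,true,2024-01-15T10:00:00+00:00,false,N/A
alice,true,2024-06-01T08:30:00+00:00,true,2023-11-20T12:00:00+00:00
<root_account>,false,N/A,false,N/A
"""

# Fixed "now" so the example is reproducible offline.
REPORT_TIME = datetime(2024, 7, 1, tzinfo=timezone.utc)


def stale_keys(report_csv: str, now: datetime, max_age_days: int = MAX_KEY_AGE_DAYS):
    """Return [(user, key_slot, age_days)] for active keys past the window.

    Inactive keys and keys that were never issued ("N/A") are ignored: they
    cannot be used to authenticate, so age is irrelevant for them.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"].strip().lower() != "true":
                continue
            rotated = row[f"access_key_{slot}_last_rotated"].strip()
            if rotated == "N/A":
                continue
            age = now - datetime.fromisoformat(rotated)
            if age > timedelta(days=max_age_days):
                findings.append((row["user"], int(slot), age.days))
    return findings


def audit_sample():
    """Run the audit over the constructed report at the fixed report time."""
    return stale_keys(SAMPLE_REPORT, REPORT_TIME)


if __name__ == "__main__":
    for user, slot, days in audit_sample():
        print(f"{user}: access key {slot} last rotated {days} days ago, exceeds {MAX_KEY_AGE_DAYS}")
```

Keys belonging to automation identities such as `deploy-bot` are the ones most often left unrotated, because nobody logs in interactively and notices; run this kind of report on a schedule and treat a flagged key the same way the row above treats a stale password.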