Password Defense and Multi-Factor Authentication
Password Defense and Multi-Factor Authentication (MFA) are critical components of a robust security strategy, particularly relevant to GCIH professionals who must understand both attack vectors and defensive measures against password-based threats.

**Password Defense** encompasses multiple layers of protection designed to mitigate password attacks such as brute force, dictionary attacks, credential stuffing, password spraying, and rainbow table attacks. Key defensive strategies include:

• **Strong Password Policies**: Enforcing a minimum length (12+ characters) and prohibiting commonly used or previously breached passwords. NIST SP 800-63B recommends favoring length over composition (complexity) rules.
• **Account Lockout Policies**: Temporarily locking accounts after a defined number of failed login attempts to thwart brute-force attacks.
• **Password Hashing and Salting**: Storing passwords using strong, slow hashing algorithms (bcrypt, scrypt, Argon2) with a unique salt per user to defeat rainbow table and other precomputation attacks.
• **Rate Limiting**: Throttling authentication attempts to slow automated attacks.
• **Credential Monitoring**: Checking passwords against known breach databases to prevent use of compromised credentials.

**Multi-Factor Authentication (MFA)** adds additional verification layers beyond passwords, requiring users to provide two or more factors from different categories:

1. **Something You Know** – Password or PIN
2. **Something You Have** – Hardware token, smart card, or mobile authenticator app
3. **Something You Are** – Biometrics such as fingerprints or facial recognition

MFA significantly reduces the risk of unauthorized access even if passwords are compromised.
For incident handlers, understanding MFA bypass techniques (phishing for OTP codes, SIM swapping, MFA fatigue attacks, and adversary-in-the-middle proxies like Evilginx2) is essential for both detection and response. Best practices include implementing phishing-resistant MFA solutions such as FIDO2/WebAuthn hardware keys, enforcing MFA across all critical systems, and monitoring for anomalous authentication patterns. Together, strong password defenses and MFA create a defense-in-depth approach that substantially raises the barrier for attackers attempting credential-based exploitation.
Password Defense and Multi-Factor Authentication (MFA) – A Complete Guide for GIAC GCIH
Why Password Defense and MFA Matter
Passwords remain one of the most common attack vectors in cybersecurity. Weak, reused, or stolen credentials are among the leading causes of data breaches: the Verizon Data Breach Investigations Report has repeatedly found that over 80% of hacking-related breaches involve brute force or the use of lost or stolen credentials. Understanding password defense mechanisms and multi-factor authentication (MFA) is therefore critical not only for the GIAC GCIH exam but also for real-world incident handling and response.
As a GCIH candidate, you are expected to understand how attackers exploit weak password practices and how defenders can implement layered controls—including MFA—to significantly reduce the risk of unauthorized access.
What Is Password Defense?
Password defense refers to the collection of policies, technologies, and best practices designed to protect authentication credentials from being compromised. It encompasses:
• Password Policies: Rules governing password complexity, length, expiration, and reuse. Modern guidance from NIST (SP 800-63B) recommends longer passphrases over complex but short passwords, and discourages forced periodic password changes unless a compromise is suspected.
• Password Storage: Secure storage of passwords using salted, adaptive hashing algorithms such as bcrypt, scrypt, or Argon2. Fast general-purpose hashes such as MD5, SHA-1, and even SHA-256 are unsuitable for password storage, with or without a salt, because an attacker can compute them billions of times per second on commodity GPUs.
• Account Lockout and Throttling: Mechanisms that lock accounts or introduce delays after a certain number of failed login attempts, mitigating brute-force and password spraying attacks.
• Password Managers: Tools that generate and store unique, complex passwords for each service, reducing credential reuse.
• Credential Monitoring: Services that check if user credentials have appeared in known data breaches (e.g., Have I Been Pwned integration).
• Salting and Hashing: A salt is a random value appended to a password before hashing. This ensures that even identical passwords produce different hash values, defeating precomputed attacks like rainbow tables.
What Is Multi-Factor Authentication (MFA)?
MFA requires a user to present two or more independent authentication factors before gaining access. The three classical factor categories are:
1. Something You Know – A password, PIN, or passphrase.
2. Something You Have – A physical token, smart card, mobile device, or hardware security key (e.g., YubiKey, FIDO2 key).
3. Something You Are – A biometric characteristic such as a fingerprint, facial recognition, or iris scan.
Some frameworks also recognize additional factors:
• Somewhere You Are – Geolocation-based authentication.
• Something You Do – Behavioral biometrics such as typing patterns.
Important distinction: Using two passwords is not MFA—it is merely two instances of the same factor. True MFA requires factors from different categories.
How Password Defense Works in Practice
1. At Rest (Storage): When a user creates a password, the system generates a random salt, combines it with the password, and passes the result through an adaptive hashing function (e.g., bcrypt with a cost factor of 12 or higher; note that bcrypt only processes the first 72 bytes of input). The salt and resulting hash are stored in the authentication database. The plaintext password is never stored.
2. At Login (Verification): The user submits their password. The system retrieves the stored salt, applies the same hashing function with the same parameters, and compares the result to the stored hash using a constant-time comparison so that timing differences do not leak information. If they match, authentication proceeds.
3. Account Lockout: After a configurable number of failed attempts (e.g., 5), the account is locked for a defined period or until an administrator intervenes. Progressive delays (throttling) can also be applied to slow automated attacks.
4. Password Spraying Defense: Since password spraying tries one password against many accounts (avoiding per-account lockout), defenders should monitor for distributed failed login patterns, implement CAPTCHA challenges, and use IP-based rate limiting.
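The four steps above, carried through as one runnable example. This is added illustration code, not code from the page or from any product it names: it uses the standard library's scrypt (one of the adaptive hashes the page lists) with a random per-user salt, verifies with a constant-time comparison, locks an account after five consecutive failures with an exponential throttling delay, and flags a source IP that fails against many different accounts inside a time window (the password-spraying pattern). The work factors, lockout duration, spray threshold, and the "dummy hash for unknown users" timing hardening are assumed values and design choices, not from the original text.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# scrypt work factors (hashlib.scrypt is in the standard library). N=2**14, r=8
# costs about 16 MiB of memory per hash; raise N over time as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32
SALT_LEN = 16
MAX_FAILURES = 5        # consecutive failures before the account is locked (assumed)
LOCKOUT_SECONDS = 900   # 15-minute lockout (assumed)
SPRAY_WINDOW = 600      # seconds of failure history kept per source IP (assumed)
SPRAY_ACCOUNTS = 10     # distinct accounts failing from one IP in the window => alert (assumed)


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is generated when none is supplied."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


# Dummy credential hashed for unknown usernames, so a login attempt costs the same
# time whether or not the account exists (an assumed hardening, not on the page).
_DUMMY_SALT, _DUMMY_DIGEST = hash_password("not-a-real-password")


class AuthService:
    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}          # username -> (salt, digest)
        self.failures: dict[str, int] = defaultdict(int)          # consecutive failures per user
        self.locked_until: dict[str, float] = {}                  # username -> unix time
        self.spray_log: dict[str, list[tuple[float, str]]] = defaultdict(list)  # ip -> [(t, user)]
        self.spray_alerts: list[str] = []                         # IPs flagged for spraying

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)           # plaintext is never stored

    def progressive_delay(self, username: str) -> float:
        """Seconds to throttle the next attempt: 0, 1, 2, 4, 8 ... per consecutive failure."""
        n = self.failures[username]
        return 0.0 if n == 0 else float(2 ** (n - 1))

    def _note_failure_for_spray(self, src_ip: str, username: str, now: float) -> None:
        log = self.spray_log[src_ip]
        log.append((now, username))
        recent_users = {u for t, u in log if now - t <= SPRAY_WINDOW}
        if len(recent_users) >= SPRAY_ACCOUNTS and src_ip not in self.spray_alerts:
            self.spray_alerts.append(src_ip)

    def login(self, username: str, password: str, src_ip: str, now: float) -> str:
        """Return 'ok', 'locked' or 'invalid' (unknown users also get 'invalid')."""
        if self.locked_until.get(username, 0.0) > now:
            return "locked"
        salt, digest = self.users.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
        # Always do the hash work first; only then reject unknown users.
        if verify_password(password, salt, digest) and username in self.users:
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        self._note_failure_for_spray(src_ip, username, now)
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0   # fresh allowance once the lockout expires
        return "invalid"
```

Note the asymmetry the spraying detector relies on: one password tried against ten accounts leaves each account with a single failure, so per-account lockout never fires; only the per-source view (many distinct usernames failing from one IP) exposes it. In production the source dimension should also include ASN or user-agent, since sprayers rotate IPs.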
How MFA Works in Practice
1. TOTP (Time-Based One-Time Password): Applications like Google Authenticator or Microsoft Authenticator generate a six-digit code that changes every 30 seconds, derived (per RFC 6238) from a shared secret established at enrollment and the current time step. The server independently calculates the expected code and compares it, typically allowing one step of clock drift on either side and refusing to accept the same code twice.
2. Push Notifications: The authentication server sends a push notification to the user's registered device. The user approves or denies the request. Caution: This method is vulnerable to MFA fatigue attacks (also called prompt bombing), where attackers repeatedly send push requests hoping the user will approve one out of frustration.
3. Hardware Tokens (FIDO2/WebAuthn): Considered the gold standard. The authenticator signs a server-issued challenge together with the relying-party ID and the origin the browser was actually on, so a signature produced on a look-alike domain does not validate for the real site; this origin binding is what makes it phishing-resistant.
4. SMS-Based OTP: A one-time code sent via text message. While better than no MFA, SMS is considered the weakest MFA method due to vulnerabilities like SIM swapping, SS7 interception, and social engineering of mobile carriers.
5. Smart Cards / Certificates: A physical card containing a digital certificate is used in combination with a PIN. Common in government and military environments (e.g., CAC/PIV cards).
Common Attacks Against Passwords and MFA
• Brute Force: Trying all possible password combinations. Mitigated by length requirements, account lockout, and adaptive hashing.
• Dictionary Attacks: Using lists of common passwords. Mitigated by blocklisting common and previously breached passwords, favoring longer passphrases, and adaptive hashing that makes each guess expensive.
• Password Spraying: Trying a small set of common passwords against many accounts. Mitigated by monitoring, lockout policies, and MFA.
• Credential Stuffing: Using credentials leaked from one breach against other services. Mitigated by unique passwords and MFA.
• Rainbow Table Attacks: Using precomputed hash-to-password tables. Mitigated by salting.
• Pass-the-Hash: Using captured NTLM hashes to authenticate without knowing the plaintext password. Mitigated by preferring Kerberos, restricting NTLM, enabling Credential Guard, and not reusing local administrator passwords across hosts (e.g., with LAPS).
• Phishing: Tricking users into entering credentials on fake sites. MFA (especially FIDO2) significantly mitigates this.
• MFA Fatigue / Prompt Bombing: Sending repeated MFA push notifications. Mitigated by number-matching prompts, limiting push attempts, and alerting on anomalous patterns.
• SIM Swapping: Taking over a victim's phone number to intercept SMS OTPs. Mitigated by avoiding SMS-based MFA and using app-based or hardware tokens.
• Adversary-in-the-Middle (AiTM) Attacks: Proxying authentication sessions to capture both passwords and MFA tokens in real time (e.g., using Evilginx2). Mitigated by FIDO2 keys which are origin-bound and phishing-resistant.
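Why the FIDO2 mitigation in the AiTM bullet (and the origin binding described under Hardware Tokens) actually stops an Evilginx2-style proxy, shown as an added example that is not the page's own code and does not use any real FIDO2 library. The real primitive is a per-credential ECDSA/EdDSA signature; here HMAC with a per-credential secret stands in for the private key so the example runs on the standard library, but the data that is signed is the real WebAuthn structure: authenticatorData (rpIdHash plus flags) followed by SHA-256(clientDataJSON), where the browser, not the page, writes the true origin into clientDataJSON. The relying-party ID, origin, and hostnames are assumed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import os
import secrets
from urllib.parse import urlparse

RP_ID = "bank.example"                          # relying-party ID (assumed)
EXPECTED_ORIGIN = "https://login.bank.example"  # the only origin the RP accepts (assumed)


class Authenticator:
    """Stand-in for a FIDO2 key: HMAC with a per-credential secret plays the role
    of the private key (a real key uses ECDSA/EdDSA)."""

    def __init__(self) -> None:
        self.credentials: dict[str, bytes] = {}   # rp_id -> credential secret

    def register(self, rp_id: str) -> bytes:
        key = os.urandom(32)
        self.credentials[rp_id] = key
        return key   # what the RP stores as the "public key" in this toy model

    def get_assertion(self, rp_id: str, client_data_hash: bytes) -> tuple[bytes, bytes]:
        key = self.credentials[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"   # rpIdHash || UP flag
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_get_assertion(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """The browser's side of navigator.credentials.get(): refuse an rpId that is not the
    page's host or a registrable parent of it, then record the real origin in clientData."""
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"rpId {rp_id!r} is not valid for origin {page_origin!r}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    auth_data, sig = auth.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self) -> None:
        self.pending: set[str] = set()   # challenges issued but not yet consumed

    def new_challenge(self) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data: bytes, auth_data: bytes, sig: bytes, pubkey: bytes) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False
        if cd.get("challenge") not in self.pending:
            return False                                   # unsolicited or replayed
        if cd.get("origin") != EXPECTED_ORIGIN:
            return False                                   # origin binding
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False                                   # rpIdHash binding
        expected = hmac.new(pubkey, auth_data + hashlib.sha256(client_data).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False                                   # signature does not verify
        self.pending.discard(cd["challenge"])             # one challenge, one login
        return True


def simulate_login(page_origin: str, auth: Authenticator, rp: RelyingParty, pubkey: bytes) -> bool:
    """Full round trip for a user whose browser is on page_origin. True on success."""
    challenge = rp.new_challenge()
    try:
        client_data, auth_data, sig = browser_get_assertion(auth, page_origin, RP_ID, challenge)
    except ValueError:
        return False   # the browser refused to produce an assertion for a look-alike domain
    return rp.verify(client_data, auth_data, sig, pubkey)
```

Contrast this with a password or TOTP code: those are just strings the victim types into the proxy page, so the proxy forwards them unchanged. With WebAuthn the proxy relays the challenge fine, but the victim's browser is on the proxy's domain, so it either refuses the rpId outright or signs over the proxy's origin, and the real site rejects the assertion.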
Key Defensive Recommendations
• Enforce a minimum password length of 12-16 characters; favor passphrases.
• Do not require periodic password changes unless compromise is suspected (per NIST 800-63B).
• Use salted adaptive hashing (bcrypt, scrypt, Argon2) for password storage.
• Implement MFA for all users, especially privileged accounts.
• Prefer phishing-resistant MFA (FIDO2/WebAuthn) over SMS or basic push.
• Monitor for credential stuffing and password spraying patterns.
• Integrate breach-checking into password creation workflows.
• Implement account lockout with progressive delays.
• Use Privileged Access Management (PAM) solutions for administrative accounts.
• Educate users on recognizing phishing and MFA fatigue attacks.
NIST SP 800-63B Key Takeaways for the Exam
• Memorized secrets must be at least 8 characters; verifiers must accept at least 64 characters, so long passphrases are never rejected.
• No composition rules (e.g., requiring uppercase + special characters) are mandated.
• No mandatory periodic password rotation.
• Passwords should be checked against known compromised password lists.
• SMS OTP is permitted but recognized as a restricted (less secure) authenticator.
Exam Tips: Answering Questions on Password Defense and Multi-Factor Authentication
1. Know the three authentication factor categories cold. Exam questions frequently test whether you can identify true MFA versus single-factor with multiple steps. Remember: a password + a security question = still only one factor (something you know + something you know).
2. Understand the hierarchy of MFA methods. A commonly taught ordering from weakest to strongest is: SMS OTP → Email OTP → TOTP App → Push Notification → Smart Card → FIDO2 Hardware Key. The middle of that ordering varies by source; what is not in dispute is that SMS is the weakest, that TOTP codes and plain push approvals can both be relayed by an AiTM proxy, and that smart cards (certificate-based) and FIDO2/WebAuthn are the phishing-resistant options. If a question asks for the most secure or phishing-resistant option, choose FIDO2/WebAuthn.
3. Recognize attack-to-defense mappings. Many GCIH questions present an attack scenario and ask for the best mitigation. For example:
- Rainbow table attack → Answer: Salting
- Password spraying → Answer: MFA + monitoring + smart lockout
- MFA fatigue → Answer: Number matching + limiting push attempts
- SIM swapping → Answer: Use non-SMS MFA
- Credential stuffing → Answer: MFA + unique passwords + breach checking
4. Pay attention to NIST guidance. If a question references best practices or modern recommendations and one answer says "require password changes every 90 days" while another says "check passwords against known breach databases," choose the breach-checking option—it aligns with current NIST 800-63B guidance.
5. Understand salting vs. hashing. Hashing alone is not sufficient. A salt is a random value unique to each user that prevents two users with the same password from having the same hash. This defeats rainbow tables and precomputation attacks. Know that the salt does not need to be secret—it is stored alongside the hash.
6. Know the difference between adaptive and non-adaptive hashing. MD5, SHA-1, and SHA-256 are fast general-purpose hashes—bad for password storage because they can be brute-forced quickly. bcrypt, scrypt, and Argon2 are adaptive (intentionally slow, with configurable work factors)—good for passwords.
7. Watch for Pass-the-Hash scenarios. If a question describes an attacker using an NTLM hash without cracking the password, identify it as a pass-the-hash attack. Know that MFA at the network level, Credential Guard, and restricting NTLM authentication are appropriate mitigations.
8. Be precise with terminology. Two-factor authentication (2FA) is a subset of MFA. All 2FA is MFA, but MFA can involve more than two factors. If a question asks specifically about 2FA, it means exactly two factors.
9. Scenario-based questions: When presented with an incident scenario involving compromised credentials, think through the kill chain. The question may ask what control would have prevented the attack or what the best next step is. MFA is almost always the answer for preventing credential-based initial access.
10. Eliminate wrong answers strategically. If you see an option suggesting "encrypt passwords" for storage, that is typically wrong—passwords should be hashed, not encrypted (encryption is reversible; hashing is not). Similarly, if an option suggests "use SHA-256 without salt," it is inferior to "use bcrypt with salt."
11. Remember MFA bypass techniques for incident handling questions. As an incident handler, you should know that MFA can be bypassed via token theft, session hijacking, AiTM proxies, and social engineering. Questions may test your ability to identify these bypass methods and recommend appropriate countermeasures.
12. Time management: Password defense and MFA questions are typically straightforward if you know the concepts. Don't overthink them. Identify the factor categories, match attacks to defenses, and apply NIST-aligned best practices. Move on quickly to save time for more complex scenario questions.