Connect with us

Hi, what are you looking for?


Identity & Access

Pass the Hash Remains a Poorly Defended Threat Vector

In 2010, SANS reported that knowledge of the Pass the Hash attack first described some thirteen years earlier was still poor. By 2019, knowledge of the threat vector that has now been in the public domain for more than two decades has improved, but is still not complete.

In 2010, SANS reported that knowledge of the Pass the Hash attack first described some thirteen years earlier was still poor. By 2019, knowledge of the threat vector that has now been in the public domain for more than two decades has improved, but is still not complete.

Password management firm One Identity surveyed (PDF) more than 1,000 qualified individuals with a direct responsibility for security and a knowledge of IAM and privileged access in firms with more than 500 employees. Fifty-three percent of the firms had more than 5,000 employees from a wide range of different industry sectors, while 40% of them are in the U.S. or Canada. The purpose of the survey was to determine current understanding of, and mitigations used for, Pass the Hash attacks. Thirteen percent of the respondents said they had no plans to do anything at all.

A Pass the Hash attack involves stealing the password hash rather than the plaintext password. A typical attack might target a local or remote user’s desktop with malware that would serve two purposes. The first would introduce a problem, such as slowing performance or breaking a commonly used app; the second would have the ability to scrape memory. The first purpose is to persuade the victim that he has a problem that could be fixed by the help desk staff.

With a call logged, the help team is persuaded to log into the user’s computer to fix the problem. This would typically involve using an administrator account. When the administrator logs in, the admin account hash is logged on the computer — and the second function of the malware to scrape this from memory comes into play. The result is that the attacker now has privileged access to the network.

Since there is no technological defense against legitimate access, Pass the Hash must be prevented rather than detected. The One Identity survey sought to understand how companies are preventing the attacks, and “to explore the impact of Pass the Hash attacks.”

Only 26% of respondents believe they have not experienced such an attack; 15% don’t know if they have had an attack; and 4% don’t know what it is. The larger the company, the greater the likelihood of an attack. In companies with more than 5,000 employees, 8% know they have been attacked with a further 18% thinking it probable. With companies between 2,500 and 5,000 employees, the figures are 5% and 14%; and for those with less than 2,500, it is 2% and 10%.

Among those respondents that had experienced an attack, 70% reported a result in increased operational costs, 68% reported staff costs in addressing the issue, and 40% reported a direct financial impact through lost revenue and fines. “The results of our 2019 survey indicate that despite the fact that Pass the Hash attacks are having significant financial and operational impact on organizations, there is vast room for improvement in the steps organizations are taking to address them,” said Darrell Long, VP of product management at One Identity.

Advertisement. Scroll to continue reading.

The key to mitigating Pass the Hash attacks is the issuance of single-use passwords for privileged accounts. In our described scenario, it won’t stop the attackers getting hold of the administrative hash, but the password will have been used and the hash will not work again.

“Another solution,” One Identity evangelist Todd Peterson told SecurityWeek, “would be to use advanced Active Directory practices to use a delegated set of permissions without using administrator credentials.” Microsoft’s recommended solution is to use Red Forest, the common name for its Enhanced Security Administrative Environment (ESAE) offering. This, explained Peterson, “requires an entirely separate Active Directory forest in order to move the desktop that requires work into this forest, where it can remain protected, and then move it back when the fix is complete. It’s a pretty expensive, complex and cumbersome way to do it,” he added, “but it does solve the problem.”

Fifty-five percent of the respondents say they have tackled Pass the Hash by implementing privileged password management (a password vault). Fifty percent say they have implemented advanced Active Directory controls, and 26% say they have implemented Red Forest. Worryingly, perhaps, 13% say they have no plans to combat Pass the Hash. The concern here is that if a firm does nothing to prevent Pass the Hash, there may be no way of knowing whether they are already victims of the attack.

“The key takeaway from this survey,” says Peterson, “is that of all the options, barely more than half of the respondents are doing any one of them, while probably none of them are adequate on their own. The best approach,” he continued, “would be to combine the Active Directory management and a password vault. Or if you choose to go the Red Forest route, augment it with the others. Eighty-seven percent of the respondents are doing something,” he added, “but the financial impact reported shows they are not doing enough.”

Related: Stop Blaming Users and Get Serious About Your IAM Practices 

Related: Privileged Access Management Solutions Are Shifting to the Cloud: Survey 

Related: Many Enterprises Fail to Protect Privileged Credentials 

Related: Don’t Ignore Identity Governance for Privileged Users

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...


The private equity firm merges the newly acquired ForgeRock with Ping Identity, combining two of the biggest names in enterprise IAM market.

Security Infrastructure

Security vendor consolidation is picking up steam with good reason. Everyone wants to improve security efficiency and effectiveness while paying for less.