
Preparing for UEFI bootkits. ESET discovery shows the importance of cyber intelligence

Roman Cuprik

Some threats bypass standard security tools. In such cases, security operators capable of deep analysis are needed. 

Last year, ESET Research confirmed rumors concerning BlackLotus, the first publicly known UEFI bootkit capable of bypassing a UEFI Secure Boot, being sold on underground forums. This means that malware preying upon fundamental weaknesses in the UEFI security model is in-the-wild and experts are expecting more bootkits like BlackLotus in the near future.

“Bootkits are no longer just a threat to legacy systems, but a real threat to the majority of modern UEFI firmware systems,” said ESET Researcher Martin Smolár, who discovered this previously undocumented real-world UEFI bootkit and presented his finding at the 2024 RSA conference.

This threat creates a challenge for businesses: How to take a prevention-first approach and secure their devices against attacks that cannot be fully prevented simply by following the standard recommendations and using default system settings because there are known vulnerabilities that still haven’t been fixed and might never be fixed?

Despite businesses holding the short end of the stick right now, they are not without hope. In fact, these are the situations where cyber intelligence platforms such as ESET Threat Intelligence shine.

Confirmed myth

In a nutshell, UEFI bootkits are serious threats targeting Windows that gain full control over the operating system (OS) boot process. With this level of capability, they can disable various OS security mechanisms and are able to operate very stealthily and with high privileges.

The initial attack vector is unknown, but the infection starts with the execution of an installer that deploys the bootkit’s files to the EFI (Extensible Firmware Interface) System Partition, the partition that stores the files needed to boot operating systems.

Using this installer, attackers can disable the first two layers of defense: Hypervisor-protected Code Integrity (HVCI) and BitLocker encryption. Then they reboot the host.

After the first reboot, the malware abuses the known vulnerability CVE-2022-21894, allowing attackers to enroll their own Machine Owner Key (MOK). A MOK allows owners of devices running non-Windows OSes to generate keys that sign non-Microsoft components during the boot process, so that only approved OS components and drivers run. By abusing this boot security feature, attackers achieve persistence.

The computer now thinks that the system is booted using trusted software, which means that attackers have bypassed another layer of protection, UEFI Secure Boot, and the machine is then again rebooted.

In the next stages, the self-signed UEFI bootkit is executed and deploys a kernel driver, which gives it access to the kernel, the program at the core of an operating system that generally has complete control over everything in the system. It also deploys a user-mode HTTP downloader responsible for communication with the C&C. The compromised device can now receive and execute commands from the C&C and download additional user-mode or kernel-mode payloads.

Businesses are not powerless

Looking at this cascade of steps for hijacking a compromised computer, and knowing that there is no effective fix for older devices due to their outdated security mechanisms, one may feel as if their hands are tied.

But businesses can protect themselves and apply a prevention-first approach even in these cases.

  • First of all, businesses need to keep their systems and security products up to date, decreasing the options available to attackers.
  • IT staff should learn about the possible risks and the procedures for reducing them. Microsoft has released a threat description and guidance for investigating UEFI attacks.
  • If needed, set up a custom Secure Boot policy. This, however, requires an experienced admin and is manageable only for a handful of devices because of its complexity.
  • Deploy reliable monitoring solutions and configure their integrity-scanning tools to monitor the composition of the EFI System Partition.
  • Block any attempt by untrusted processes to modify all or specific files on the EFI System Partition, to prevent bootkit installation.
  • Track developments in UEFI malware across threat intelligence platforms and resources.
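One way to implement the integrity-monitoring item above in its simplest form, as an added example that is not ESET’s code: take a SHA-256 inventory of the EFI System Partition from a known-good state, store it off the partition, and diff against it on every later run. The mount point, baseline location and the file names in the demo are assumptions; in production, point `esp_root` at the read-only mounted ESP.

```python
"""Baseline-and-diff integrity check for the EFI System Partition (ESP).

Added example. Bootkit installers write their files to the ESP, so a diff that
shows new or altered .efi files in the boot path is the signal a defender wants.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large images are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(esp_root: Path) -> dict[str, str]:
    """Map every file under the ESP (relative, POSIX-style path) to its SHA-256."""
    inv = {}
    for dirpath, _dirs, files in os.walk(esp_root):
        for name in files:
            p = Path(dirpath) / name
            inv[p.relative_to(esp_root).as_posix()] = hash_file(p)
    return inv


def save_baseline(esp_root: Path, baseline_file: Path) -> None:
    """Record the known-good state. Keep the baseline OFF the ESP (assumption: a
    protected location such as a management server or a signed config store)."""
    baseline_file.write_text(json.dumps(inventory(esp_root), indent=2, sort_keys=True))


def diff_against_baseline(esp_root: Path, baseline_file: Path) -> dict[str, list[str]]:
    """Return added / removed / modified files relative to the stored baseline."""
    old = json.loads(baseline_file.read_text())
    new = inventory(esp_root)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def flag_boot_critical(diff: dict[str, list[str]]) -> list[str]:
    """Any new or changed EFI executable deserves an immediate alert; other
    changes (e.g. a BCD log) are worth a look but are routine on many systems."""
    return sorted(
        p for kind in ("added", "modified") for p in diff[kind]
        if p.lower().endswith(".efi")
    )


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a fake ESP is baselined, then one loader is replaced
    and one new .efi appears. File names and contents are made up for the demo."""
    with tempfile.TemporaryDirectory() as tmp:
        esp = Path(tmp) / "esp"
        boot = esp / "EFI" / "Microsoft" / "Boot"
        boot.mkdir(parents=True)
        (boot / "bootmgfw.efi").write_bytes(b"known-good boot manager (constructed)")
        (boot / "BCD").write_bytes(b"boot configuration data (constructed)")
        (esp / "EFI" / "BOOT").mkdir(parents=True)
        (esp / "EFI" / "BOOT" / "BOOTX64.EFI").write_bytes(b"fallback loader (constructed)")

        baseline = Path(tmp) / "esp-baseline.json"   # off the ESP in real use
        save_baseline(esp, baseline)

        # The change a later scan should catch: a replaced loader and a dropped file.
        (boot / "bootmgfw.efi").write_bytes(b"something else (constructed)")
        (boot / "newloader.efi").write_bytes(b"unexpected executable (constructed)")
        return diff_against_baseline(esp, baseline)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("ALERT:", flag_boot_critical(result))
```

Run the baseline step once after provisioning and the diff on a schedule; ship the diff to the SIEM so an alert on `flag_boot_critical` output reaches an analyst, not just a log file.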

ESET solutions such as ESET Enterprise Inspector and ESET UEFI Scanner, which is part of the ESET Host-based Intrusion Prevention System (HIPS), can detect signs that something suspicious is happening with a device and alert IT admins. While ESET UEFI Scanner checks and enforces the security of the pre-boot environment, HIPS combines advanced behavioral analysis with the detection capabilities of network filtering to monitor running processes, files, and registry keys.

For more information, see the RSA presentation by ESET Researcher Martin Smolár, the ESET Research podcast, and the NSA BlackLotus Mitigation Guide.

Be one step ahead of threat actors

Since the discovery of the in-the-wild UEFI bootkit, Microsoft has released several patches, and experts across the world provided some guidance. But how to protect a business from the start, before all of this can happen?

To identify such new threats and customize their solutions to deal with them, global leaders in cybersecurity such as ESET invest a lot in research. ESET Threat Intelligence turns this effort into a service, providing businesses with curated global knowledge about threat actors’ activities, gathered by ESET analysts and experts.

Thanks to ESET Threat Intelligence, security engineers, analysts, or incident responders can learn about new threats ASAP, anticipating them and making better, faster decisions. This allows them to deploy a proactive defense, customize their security, and fight increasingly sophisticated cyberattacks.

Moreover, ESET APT Reports give businesses access to private, in-depth technical analysis together with threat mitigation tips. Every user with the APT Reports PREMIUM package will also have access to an ESET analyst for up to four hours each month. This provides the opportunity to discuss topics in greater detail and help resolve any outstanding issues.

Facing a challenge

UEFI bootkits represent a challenge that is hard to tackle, and that is exactly why it is so important for businesses and enterprises to have reliable cyber intelligence.

With a globally distributed network of security centers, ESET research labs never sleep and have immediate access to threat intelligence like no one else, thanks to the number and distribution of devices protected around the world. Combined with more than three decades of experience in cybersecurity research and product development, ESET can provide businesses with vital intel and use this knowledge to continuously innovate threat-defense techniques.    

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET
For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.

How ROCKEN fortified its growing network against cyber-attacks for better data protection

ROCKEN, based in Zurich, Switzerland, operates in the recruiting sector, offering a unique blend of consulting and recruiting services. Their office boasts a dynamic team of recruiters, consultants, and business account managers dedicated to bridging the gap between companies and candidates. 

The company’s edge is its extensive database, housing detailed candidate profiles enriched with personal interviews, experiences, and expectations. This database, coupled with their custom CRM crafted by their dedicated outstaff development team, stands as their cornerstone, offering a nuanced understanding of each candidate’s profile.

The extensive database, containing candidates and employer information, is the apple of the eye that needs to be protected sufficiently. Julia Zaliznytska, Product Manager and a bridge between business and development, shares why using security services like NordLayer in ROCKEN’s line of work was critical.

The challenge

On a lookout for stronger protection measures

Key pain points

With business expansion plans and team growth, safeguarding ROCKEN’s expanding database became paramount as the company faced a dual challenge.

“We are working for the Swiss market at the moment, and we are extending to Germany this year, and we will have even more data that needs to be protected.”


First, they had to protect vast amounts of sensitive data, including candidates’ personal information and client companies’ corporate data, against increasingly sophisticated cyber threats such as DDoS attacks.

“With DDoS attacks as a threat and users leaving loads of personal data on the platform, we wanted to provide better protection than just relying on passwords.”


The team also has gated content on their website, including market overviews and research that is not for free and, thus, must be secured from unverified access.

Second, ROCKEN had to accommodate its hybrid work model with employees and developers working remotely across Switzerland, Germany, Ukraine, and Estonia. For a company with all infrastructure in the cloud, it’s essential to have secure remote access to the internal systems from any location.

Some employees are fully remote, while local staff must visit the office three times a week. For this reason, the company needed a unified approach to connecting to the company network that is robust against cyber threats.

The solution

Sustainable scalability and protection against threats

Main criteria for choosing the solution

After the launch, the company was small and didn’t have much data to protect—securing IP addresses on their own CRM was sufficient initially.

As ROCKEN grew rapidly from 30 to 91 employees, they sought a reliable solution that scales with the company without compromising security. The solution had to integrate seamlessly for remote and office-based employees alike, ensuring data protection across all touchpoints.

Besides exponential growth, the main triggering factor for enhanced security was a reminder of constant online threats. An identified DDoS attack didn’t do any tangible damage to the company but sent a message that the risk is always there.

“Once, we experienced a DDoS attack. Whether it was an attacker or rivals testing our protection levels, the attack didn’t result in a data breach but reminded us that we are hunted.”


A more complex and robust solution than passwords and authentication apps was needed to protect the company network. After a thorough market comparison, ROCKEN chose NordLayer for its comprehensive corporate VPN solutions.

Why choose NordLayer

Several factors influenced ROCKEN’s decision to partner with NordLayer. Primarily, it was necessary to have more complex and layered security solutions in place. Then, it had to be ensured that all connections are encrypted and authenticated.

“The access is secured only for those who already have access inside our organization once on-site and through the VPN once remote. Developers use VPN to connect to the production and staging systems.”


Notably, team members’ personal positive experiences with NordVPN influenced the decision. Moreover, the responsive and accommodating nature of NordLayer’s customer support and the platform’s cost-effectiveness, especially with the provided growth-supportive discount, have been significant factors in choosing the tool.

“We compared many services, but the majority lacked corporate solutions that are centralized in management and payments. NordLayer offered an all-in-one platform with bulk organization control and setup.”


NordLayer’s reputation for reliability and its ability to offer a scalable, secure solution for a growing company like ROCKEN were decisive.

How NordLayer prevents threats and secures company network


The outcome

Easy implementation of a reliable tool

The benefits of implementing NordLayer

The implementation of NordLayer was smooth and swift, taking just a week to onboard the entire organization, thanks to the clear instructions and support provided.

Despite initial hiccups with corporate laptop setups, the transition to NordLayer was well-received across the organization.

“There were absolutely no issues with NordLayer. Because we have corporate laptops that a third-party organization manages, devices weren’t prepped in advance for all users; thus, whole organization onboarding took up to a week.”


The VPN’s no-logs policy and the ability to manage teams and users through a simple portal were particularly appreciated, ensuring ROCKEN’s operations remained secure without sacrificing efficiency.

Pro cybersecurity tips

It’s a good idea to use post-it notes for everyday cybersecurity tips as a reminder, but not passwords. This and many other tips come from our case study heroes. This time, we asked Julia Zaliznytska, a Product Manager at ROCKEN, to share her favorite habits for practicing cybersecurity hygiene.

ROCKEN about NordLayer

ROCKEN’s partnership with NordLayer underscores the critical importance of robust cybersecurity measures in today’s digital landscape, especially for companies dealing with sensitive data.

Through strategic planning, careful vendor selection, and a focus on scalability and security, ROCKEN has successfully fortified its defenses, ensuring the confidentiality and integrity of its data as it continues to grow and expand into new markets.


About NordLayer
NordLayer is an adaptive network access security solution for modern businesses – from the world’s most trusted cybersecurity brand, Nord Security.

The web has become a chaotic space where safety and trust have been compromised by cybercrime and data protection issues. Therefore, our team has a global mission to shape a more trusted and peaceful online future for people everywhere.

Understanding the Relationship Between Unified Access and Zero Trust

In the complex and ever-evolving world of cybersecurity, protecting an organization’s digital assets against breaches requires more than just traditional perimeter defenses. With cyber threats becoming more sophisticated, a dynamic and holistic approach is needed. Enter the concept of Zero Trust Access Control, a strategic initiative that helps organizations prevent unauthorized access, contain breaches, and reduce the risk of data loss by assuming that threats could be both external and internal. This blog post delves into how Unified Access and Zero Trust work hand in hand to provide a robust security framework, particularly addressing the needs of Chief Information Security Officers who are at the forefront of minimizing cybersecurity risks and optimizing the cybersecurity budget, all while ensuring compliance and adapting to new threats.

Decoding Zero Trust Access Control

Zero Trust Access Control represents a significant departure from conventional security paradigms, which traditionally placed implicit trust within the network perimeter. The Zero Trust model embodies a comprehensive and preemptive approach to security, predicated on the foundational principle of “never trust, always verify.” In this framework, each request for access is treated with skepticism, irrespective of its origin, and must undergo rigorous verification before access is granted. This necessitates a continuous evaluation process, wherein a user’s credentials and the context of their request are meticulously examined to ensure they align with the access level they are seeking. The implementation of Zero Trust hinges on this granular scrutiny and validation, aiming to significantly narrow the opportunities for unauthorized access and mitigate potential breaches. 

Central to achieving Zero Trust’s objectives is the ability to authenticate and authorize every access request with precision. This model demands a dynamic and flexible security posture, capable of adjusting to the constantly evolving threat landscape and the changing contexts of access requests. By adopting a Zero Trust approach, organizations embark on a strategic transformation of their security architecture, moving away from the outdated assumption of implicit trust within their networks. Instead, they cultivate an environment where security decisions are made on a case-by-case basis, leveraging real-time data and comprehensive validation processes. This shift not only enhances the overall security framework but also propels organizations towards a more proactive and resilient cybersecurity stance.

The Role of Unified Access in Facilitating Zero Trust

Unified Access is integral to the deployment and efficacy of a Zero Trust security model, serving as the architectural backbone that supports and enhances its principles. By offering a unified and integrated platform for access control, it simplifies the orchestration of security policies across an organization’s entire digital ecosystem, from cloud services and on-premises applications to mobile and IoT devices. This holistic approach is essential for enforcing the granular access controls and real-time security assessments required by Zero Trust, ensuring that only authenticated and authorized entities can interact with sensitive resources under strict compliance with the policy of least privilege.

Furthermore, Unified Access facilitates the seamless application of dynamic security policies that can adapt to the contextual variables of each access request, such as user location, device health, and the sensitivity of the accessed data. This adaptability is crucial for maintaining a robust defense against the rapidly evolving threat landscape and the increasing sophistication of cyber attacks. By leveraging the centralized visibility and control provided by Unified Access, organizations can more effectively monitor and manage access events, detect anomalies, and respond to potential security threats in real-time.

In essence, Unified Access not only simplifies the practical implementation of the Zero Trust model but also amplifies its effectiveness. It enables a more agile and responsive security posture that aligns with the dynamic nature of modern digital environments and the pervasive challenges they face. Through its integral role, Unified Access ensures that the principles of Zero Trust can be consistently and effectively applied across the breadth of an organization’s operations, providing a foundation for a more secure and resilient digital infrastructure.

Enforcing Least Privilege Across Every Access Point

The foundational element shared by Unified Access and Zero Trust frameworks is the meticulous enforcement of the least privilege principle. This doctrine is pivotal, restricting access rights for users to the bare minimum necessary for the completion of their tasks. By adopting this approach, organizations effectively create a stringent barrier against unauthorized access, significantly diminishing the avenues through which attackers can infiltrate or escalate their privileges within a network.

Implementing least privilege across every access point necessitates a nuanced understanding of user roles, the data they require access to, and the conditions under which access is granted. It involves a dynamic assessment of access needs, continuously adjusting permissions in line with changing job responsibilities, ensuring that access rights remain tightly aligned with actual requirements.

This process is facilitated by sophisticated identity security solutions, which enable precise control over access permissions. Through mechanisms like contextual authentication, these solutions can determine the appropriate access levels based on real-time analysis of user identity, location, device security posture, and other relevant factors. This not only fortifies security measures but also streamlines the user experience, allowing legitimate users to access necessary resources without undue friction.

In practice, the enforcement of least privilege represents a proactive defense strategy, minimizing potential damage from breaches by limiting what attackers can access. This principle is integral to both preventing unauthorized access and containing the impact of any security incidents that do occur, thereby playing a crucial role in the overall effectiveness of the Zero Trust and Unified Access security models.

Leveraging Identity Security for Unified Access and Zero Trust Integration

In the intertwined realms of Unified Access and Zero Trust, identity security emerges as a critical connector, ensuring that access controls are not only stringent but also intelligently adaptive. This synergy is made possible through an array of sophisticated identity security technologies, which collectively empower organizations to verify and validate the legitimacy of each access request in a nuanced manner. The cornerstone technologies such as multi-factor authentication (MFA), single sign-on (SSO), and identity governance serve as the first line of defense, enhancing security without compromising on user convenience.

The utilization of these identity security measures enables a seamless integration of Zero Trust principles within a Unified Access framework. MFA, by requiring multiple proofs of identity, effectively thwarts unauthorized access attempts, aligning perfectly with the Zero Trust mandate of “never trust, always verify.” Meanwhile, SSO simplifies the user’s navigation across various applications and services, ensuring that security measures do not hinder productivity. Identity governance, on the other hand, provides a comprehensive overview of access patterns and permissions, enabling continuous refinement of access controls in alignment with the evolving organizational needs and threat landscapes.

What sets identity security as a pivotal element in this integration is its ability to dynamically adjust access controls based on real-time assessments of risk factors associated with each access request. Whether it’s evaluating the security posture of the device being used, the location from which a request originates, or the sensitivity of the data being accessed, identity security technologies provide the necessary granularity of control. This dynamic adaptability ensures that the principles of Zero Trust are not only upheld but are also effectively operationalized within the context of Unified Access, thereby fortifying an organization’s defenses against the increasingly sophisticated cyber threats of today’s digital landscape.

The Business Impacts of Integrating Unified Access with Zero Trust

Merging Unified Access with Zero Trust is not just a strategic move for enhancing security—it also carries significant implications for organizational efficiency and financial health. By implementing a framework that insists on rigorous authentication and authorization for every access attempt, companies place themselves in a formidable position against cyber threats. This bolstered defense mechanism does more than just protect critical data; it aligns with compliance mandates, thereby mitigating legal and financial repercussions associated with data breaches. The ripple effect of such an integrated approach extends to the operational budget as well. With a streamlined process for managing access, the redundancy seen with multiple, overlapping security tools is considerably reduced, leading to a more efficient allocation of resources.

The agility offered by this cohesive strategy enables businesses to swiftly respond to evolving technological landscapes and cyber threat tactics, ensuring they remain a step ahead in safeguarding their digital domains. Furthermore, this integration paves the way for an advanced level of automation in access management. By relying on the principles of Zero Trust to automate decision-making processes related to user access, organizations can reallocate human capital from mundane, administrative tasks to focus on broader, strategic objectives. This shift not only enhances the productivity of the IT department but also fosters a culture of innovation, driving the company forward in its operational and security endeavors. Thus, the confluence of Unified Access and Zero Trust extends beyond mere cybersecurity enhancements, touching upon vital aspects of business operations, financial management, and organizational agility.


About Portnox
Portnox provides simple-to-deploy, operate and maintain network access control, security and visibility solutions. Portnox software can be deployed on-premises, as a cloud-delivered service, or in hybrid mode. It is agentless and vendor-agnostic, allowing organizations to maximize their existing network and cybersecurity investments. Hundreds of enterprises around the world rely on Portnox for network visibility, cybersecurity policy enforcement and regulatory compliance. The company has been recognized for its innovations by Info Security Products Guide, Cyber Security Excellence Awards, IoT Innovator Awards, Computing Security Awards, Best of Interop ITX and Cyber Defense Magazine. Portnox has offices in the U.S., Europe and Asia. For information visit http://www.portnox.com, and follow us on Twitter and LinkedIn.

SC Awards Europe Names Portnox to Best Authentication Technology Shortlist

Austin, TX – May 7, 2024 – Portnox, a leading provider of cloud-native, zero trust access control solutions, is proud to announce its selection as a finalist in the prestigious SC Awards Europe. The company has been recognized on the Best Authentication Technology category shortlist for its commitment to innovation and excellence in cybersecurity.

The Portnox Cloud allows organizations to control who can authenticate to their enterprise network, and provides granular detail on every user’s access layer, location, device type, and more. Portnox’s cloud RADIUS service – part of the Portnox Cloud platform and its primary authentication solution – is provided through a cloud-based cluster of fully redundant RADIUS servers and is used for authentication of users accessing the enterprise network.

The Portnox Cloud is fully cloud-native and requires no on-site hardware or maintenance whatsoever. No other network access control (NAC) product on the market delivers network authentication, access control, endpoint risk posture assessment and remediation in this manner.

As a cloud service, the Portnox Cloud eliminates the need for the capacity planning of on-premises software or appliances. It also eliminates the need to complete on-going security updates, expand capacity, or upgrade appliances to meet future growth needs. With the Portnox Cloud, you never have to worry about software or hardware end-of-life, or costly, complex upgrades requiring hours and days of work and a never-ending checklist of to-dos. The Portnox Cloud is always running the most up-to-date version with the latest features and capabilities.

“We are honored to be recognized as a finalist in the SC Awards Europe,” said Denny LeCompte, CEO at Portnox. “This acknowledgment reaffirms our relentless pursuit of excellence in delivering robust authentication and access control technology that strengthens data protection, improves endpoint and network security, streamlines user experiences, and achieves compliance with ease.”

The SC Europe Awards are a celebration of the excellence, advancement, and of the incredible minds that are shaping the future of technology and cybersecurity within the UK and Europe. Being named a finalist underscores Portnox’s unwavering dedication to providing cutting-edge solutions that empower businesses to strengthen their security posture against evolving cyber threats.

The winners of the SC Awards Europe will be announced during a ceremony on Tuesday, June 4 on the first evening of InfoSecurity Europe in London.


Adding layers of security with password pepper

When it comes to password security, the more layers of protection your personal or business security system has, the better. There is no such thing as a bullet-proof online service; you never know which malicious tactic hackers may employ to access your accounts. Password pepper is yet another additional security layer protecting against brute force attacks, dictionary attacks, and rainbow tables. Read on to find out what a password pepper is, how it works, and how it can improve your cybersecurity.

What is a password pepper?

The password pepper or peppering—as it’s also called—is strictly connected to the password hashing process. Websites don’t store users’ passwords in plain text because it would allow anyone with access to see them. In most cases, users’ passwords are hashed: one-way hashing algorithms convert them into fixed-length strings of characters that cannot be reversed. This way, even if a site’s database gets breached, hackers must crack the hashes (guessing candidate passwords and hashing each one) to get hold of users’ credentials.

A pepper is a secret value—a random string of characters—added to a password before hashing. Unlike salt, another cryptographic way of adding an extra layer of security to your password, pepper doesn’t change. Like a chef’s secret ingredient, it stays the same across all dishes: across a user’s online accounts, or, if it is part of a site’s source code, across every user in the site’s database.

How does password peppering work?

The password pepper changes the value that’s being hashed, resulting in a modified and more secure password hash. The pepper can be hard-coded into the website’s source code or added manually by the private or business user.

In the first scenario, the online platform’s owner chooses the pepper, taking responsibility for the code’s strength and security. The same pepper is used throughout the site’s database: There are no individual password peppers for users. Following a data breach, hard-coded pepper might be more trouble than it’s worth. If cybercriminals gain access to the source code, they could quickly discover the pepper, and it could compromise the hashed passwords. Also, in this setup, changing the breached pepper requires modifying the source code and redeploying the application, which is rather cumbersome.
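As an added example (not NordPass’s own code), this shows how a server-side pepper is usually handled so that the two drawbacks above are reduced: the pepper is a secret supplied from outside both the source code and the database, it is applied with HMAC before a slow, per-user-salted hash, and each stored record carries the id of the pepper it was made with so a new pepper can be introduced without editing the code. All names, ids and values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: in production the pepper comes from a secrets manager,
# KMS or HSM, never from the repository or the user table.
PEPPER_V1 = secrets.token_bytes(32)   # constructed; would be loaded at startup
PEPPERS = {"v1": PEPPER_V1}           # pepper id -> pepper, allows rotation
ITERATIONS = 200_000                  # PBKDF2 work factor (constructed value)


def hash_password(password: str, pepper: bytes, pepper_id: str) -> str:
    """Return a record 'pepper_id$salt_hex$hash_hex'.

    The pepper is mixed in with HMAC first, then the result goes through a
    slow hash with a random per-user salt. A thief holding only the database
    has the salt and the hash but not the pepper, so offline guessing fails.
    """
    salt = secrets.token_bytes(16)  # per-user salt, stored with the hash
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)
    return f"{pepper_id}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str, peppers: dict) -> bool:
    """Recompute the hash with the pepper named in the record.

    Unknown pepper ids fail closed; the comparison is constant-time.
    """
    try:
        pepper_id, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    pepper = peppers.get(pepper_id)
    if pepper is None:
        return False
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    digest = hashlib.pbkdf2_hmac("sha256", peppered, bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple", PEPPER_V1, "v1")
    print(record)
    print(verify_password("correct horse battery staple", record, PEPPERS))
```

Rotating the pepper means adding "v2" to the mapping and re-hashing each user at their next successful login; records still tagged "v1" keep verifying until the old pepper is retired.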

For the above reasons, we’ll focus on the second scenario: Peppering passwords by hand. It requires setting up a strong, random code — you can use our password generator for it — and keeping it safe, separately from your login credentials. Adding a pepper to your login credentials means that even if you use a robust password manager like NordPass, you’ll still have to memorize your secret code or keep it in another safe place.


Using password peppering to improve your online security

Password peppering can protect your accounts in case your passwords get compromised. The rising number of cybercrime incidents—the most lucrative criminal activity nowadays—shows that you can never be too careful or introduce too many layers of protection. No online service provider may be completely bullet-proof breach-wise, which is what LastPass learned the hard way at the end of 2022.

Adding a pepper to your passwords has to be done manually, which extends the time needed to access your accounts. It can be annoying, especially if you are used to the seamless login experience, but it will definitely improve your online security.

People are creatures of habit and convenience and tend to ditch the security practices that are too demanding. Hence, we do not recommend peppering all your passwords — pepper the most important ones. Here’s how to do it:

  1. Create a strong and complex pepper you’ll be able to remember.

    You can think of a pepper as a password: the longer and more complex it is, the better. Make it random and use different kinds of symbols. However, don’t go overboard; the best way to keep your pepper safe is to memorize it!

  2. Create your “base password” and store it in your password manager.

    Use a password generator to create a complex string of characters: Let’s call it “your base password.” Now, save it in your password manager’s encrypted vault.

  3. Add password pepper and update passwords to your most important accounts.

    Once you’ve created your base password, add the pepper and that will be your actual new password. Update your most important accounts using it. Now, when logging in, you’ll have to add the pepper every time to access the account.

    Note: You can include the pepper anywhere in the string of characters constituting your base password. However, to avoid overcomplicating it, add it at the beginning or end of your base password.

  4. Don’t store your pepper in the password manager vault.

    The idea behind peppering your passwords is not to keep all your eggs in one basket. Hence, keeping your secret code in your password manager vault doesn’t make sense. If your passwords leak, the pepper leaks as well. To make password peppering work, keep your pepper safe somewhere else, preferably your head.

Password peppering from a business perspective

From a business perspective, password peppering can cause more trouble than it’s worth. It may interrupt the teams’ cooperation and information sharing, extend the time spent on tasks that could easily be automated, and mess up the results of compliance and password security audits.

Let’s look at other security measures more suited to the business environment. Unlike password peppering, they promote transparency and allow immediate response to cyber threats.

  • Password policy

The password policy is a set of rules and guidelines for creating and managing passwords in the organization. It informs employees how long their passwords should be, what kinds of characters they need to include, and how often they should change them. When enforced automatically by the company’s password manager, password policies give business network administrators control over every password used in their company.

  • Password health

Password health metrics track your company’s vulnerable passwords. The NordPass Password Health feature provides insight into the weak, older-than-90-days, and reused passwords employees rely on. It lets you remove the risk of data breaches connected with weak passwords up front, instead of mitigating the results of hacker attacks afterwards.

  • Data Breach Scanner

Data Breach Scanner notifies you in real time about all data leaks related to your company emails and domains. It can be a real game-changer since, according to IBM’s 2023 data security report, companies take 277 days on average to identify and contain a breach. If you respond to the security incident at once, chances are cybercriminals won’t have enough time to use the information against your company.

These are pivotal years for password security. We’re witnessing a shift towards a more user-friendly and secure authentication method: passkeys. Passkeys allow access to your online accounts the same way you unlock your smartphone—via fingerprint or face ID. This new technology combines biometric verification with cryptographic keys, reducing the risks of phishing, brute-force attacks, and other cyber threats.

Some of the largest tech giants—including Amazon, Apple, Google, and Meta—have already joined the FIDO Alliance, an industry association created to “solve the world’s password problem.” NordPass is also a part of FIDO and, along with other members, actively promotes passkeys and makes them accessible to users. That’s why our password manager provides you a way to securely store, access, and share passkeys.
