Can you guess?

by Mark Rowe

Passwords are as predictable as ever. Password1 was found to be the most commonly used password in a study by an IT security product company. Other oft-occurring passwords are Hello123, password, Welcome1, training, and Password123.

According to a report by Trustwave, many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure. The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.

An automated tool can crack a completely random eight-character password including all four character types such as “N^a&$1nG” much faster than a 28-character passphrase including only upper- and lower-case letters like “GoodLuckGuessingThisPassword”. If for the purposes of this estimate we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X graphics processing unit (GPU). In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU.

Despite the best efforts of IT administrators, users find methods to meet complexity requirements while still creating weak passwords. Active Directory’s password complexity policy requires a minimum of eight characters and three of the five character types (lowercase letters, uppercase letters, numbers, special and Unicode). Unfortunately, “Password1” complies. So does, for example, a user’s new baby’s name capitalised and followed by the year. Any attempt at cracking passwords will begin with a number of predictable keywords that many users select as the basis for their password, Trustwave says.
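The gap described above, as an added example (not code from Trustwave or this magazine): a Python check that applies a simplified reading of the complexity rule as worded here beside a length-plus-blocklist rule. The function names, the base-word list (drawn from the common passwords quoted in this article) and the 13-character minimum (from the "longer than 12 characters" recommendation in the comment below) are assumptions.

```python
import string

# Assumption: base words taken from the common passwords quoted in the article.
COMMON_BASES = {"password", "hello", "welcome", "training"}
SPECIALS = set(string.punctuation)


def char_classes(pw: str) -> set:
    """Return which of the five character types named in the article appear."""
    classes = set()
    for ch in pw:
        if not ch.isascii():
            classes.add("unicode")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes


def meets_complexity(pw: str) -> bool:
    """Complexity rule as the article states it: 8+ chars, 3 of 5 types."""
    return len(pw) >= 8 and len(char_classes(pw)) >= 3


def is_predictable(pw: str) -> bool:
    """True when pw is a common base word plus a digit/symbol suffix."""
    core = pw.rstrip(string.digits + string.punctuation).lower()
    return core in COMMON_BASES


def audit(pw: str, min_length: int = 13) -> dict:
    """Compare the complexity rule with a length-plus-blocklist rule."""
    return {
        "complexity_ok": meets_complexity(pw),
        "predictable": is_predictable(pw),
        "length_rule_ok": len(pw) >= min_length and not is_predictable(pw),
    }


if __name__ == "__main__":
    for sample in ["Password1", "Hello123", "Welcome1", "Password123",
                   "N^a&$1nG", "GoodLuckGuessingThisPassword"]:
        print(f"{sample!r:32} {audit(sample)}")
```

Run over the article's own samples, the complexity rule accepts “Password1” and rejects the 28-character passphrase, while the length-plus-blocklist rule does the opposite.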

Suggestions from Trustwave

Educate users on the value of choosing longer pass-phrases instead of simple, predictable, easy-to-crack passwords. Deploy two-factor authentication for employees who access the network. This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user’s mobile phone. IT administrators can do their part to hinder password-cracking attacks by using unique, random salts when hashing stored passwords, whereby a unique, random piece of data is combined with each password before the hash is calculated. Secure password storage combined with well-educated users and a properly designed policy for user password choice can play a vital role in helping prevent a breach.

Comment

Toyin Adelakun, a VP at IT security product company Sestus, says: “We can improve passwords all we like, but it is plain that even they are not sufficient, by themselves, to safeguard accounts and other online resources. For what it is worth, a password 16 characters long, with a mix of uppercase, lowercase, numeric and special (non-alphanumeric), will take about 100 million centuries to crack, using GPUs a million times faster than the ones used in the Trustwave tests. By comparison, a password composed of a mix of 12 uppercase, lowercase, numeric and special characters will take about 200 years to crack, again by a GPU one million times faster than the Trustwave ones.

“Just to be safe though — and in case some users and attackers are blessed with unprecedented longevity — administrators and executives surely must take at least these two actions with alacrity:

Allow (or mandate) passwords longer than 12 characters; and
Deploy multi-factor authentication solutions.
Along with other defences such as encryption and firewalling.”

© 2024 Professional Security Magazine. All rights reserved.