SecurityWeek

Your Password May Not Be as Safe as You Think

Last week’s announcement that a group of cybercriminals reputedly had gotten their hands on 1.2 billion user credentials turned the cyber-world’s attention to a subject with which many people have a love-hate relationship – the password.

Sometimes memorable, sometimes forgotten, passwords are the key to the door blocking open access to many networks and applications. But according to a recent report from Trustwave, acquiring that key may be easier for hackers than you think.

In an attempt to prove how simply passwords could be cracked, the firm took a sample of 626,718 hashed passwords collected during thousands of network penetration tests in 2013, as well as some from 2014. The majority came from Active Directory environments and included Windows LAN Manager and NT LAN Manager-based passwords. More than half the passwords were recovered within the first few minutes; 576,533 (roughly 92 percent) were compromised within 31 days.

“Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure,” according to Trustwave’s Global Security Report. “The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.”

Trustwave used two machines to perform the cracking. The first was built for a total of $1,800 and consisted of an Intel Core i7 Ivy Bridge Quad Core Processor, 16 gigabytes of RAM and two AMD Radeon 7970 graphics cards. The second machine included an AMD FX-8320 8 Core Processor, 16 gigabytes of RAM and four AMD Radeon 7970 graphics cards and cost a total of $2,700 to build.

The firm started its experiment with a dictionary attack using an automated tool and a word list created based on last year’s password study. Within minutes, 53.97 percent of the passwords within the sample were recovered. The most popular passwords will sound familiar to many – ‘Password1’ (2,984), ‘Hello123’ (2,587) and ‘password’ (2,458).

When the researchers examined the types of characters used, they found the passwords most commonly involved combinations of lowercase letters and numbers, which accounted for 212,158 of the passwords. Passwords that included both numbers as well as lowercase and uppercase letters were the second-most prevalent and totaled 201,447. The third most common were numbers-only passwords, which totaled 72,425.  

“I completely agree that sites should be focusing on longer passwords more so than highly complex ones, but there are a multitude of reasons why websites often require complexity rather than length,” said Karl Sigler, threat intelligence manager at Trustwave. “One reason is because the idea of eight characters with at least one uppercase character, number and extended character (like %#$) was established as a best practice for password security back in the late nineties when seven character Windows passwords were found to be almost trivial to crack. Complexity was introduced to make those eight character passwords more secure than eight lowercase letters.”

“In the end,” he added, “the more control that admins have over their users the more power they have over those minimums. For example, as a corporate admin I can dictate 16 characters or you can’t log in to email. As a website operator, the harder I make it to create an account the more likely it is that my customers will start shopping elsewhere.”

Complicating matters further, users can circumvent controls meant to add complexity, the report noted. For example, Active Directory’s password policy requires a minimum of eight characters drawn from at least three of five character types (lowercase letters, uppercase letters, numbers, etc.). ‘Password1’ still complies with that, as does the name of a user’s baby followed by the year.
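The two points above, that a complexity rule is satisfied by exactly the passwords a cracking wordlist tries first, and that length adds far more keyspace than extra character classes, can be made concrete with a small added Python example (this is not code from the Trustwave report or the article). The `COMMON_PASSWORDS` set is a constructed stand-in for a real breached-password corpus, and `ad_complexity_ok` approximates the Active Directory rule as the article describes it.

```python
import math
import string

# Constructed sample: the three most common values the article lists plus two
# typical variants. A real deployment checks a full breached-password corpus.
COMMON_PASSWORDS = {"password1", "hello123", "password", "welcome1", "summer2013"}


def ad_complexity_ok(pw: str, minimum_length: int = 8) -> bool:
    """Approximation of the Active Directory complexity rule described in the
    article: at least eight characters, from at least three of five classes.
    (The real rule also rejects passwords containing the account name; that
    part is omitted here.)"""
    classes = [
        any(c.isupper() for c in pw),                                   # uppercase
        any(c.islower() for c in pw),                                   # lowercase
        any(c.isdigit() for c in pw),                                   # digits
        any(c in string.punctuation for c in pw),                       # non-alphanumeric
        any(c.isalpha() and not c.isupper() and not c.islower() for c in pw),  # other alphabetic (e.g. CJK)
    ]
    return len(pw) >= minimum_length and sum(classes) >= 3


def length_and_blocklist_ok(pw: str, minimum_length: int = 16) -> bool:
    """The alternative Sigler describes: a 16-character minimum, plus a
    rejection of values any cracking wordlist will try in its first pass."""
    return len(pw) >= minimum_length and pw.lower() not in COMMON_PASSWORDS


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Brute-force keyspace in bits: log2(alphabet_size ** length). Shows why
    16 lowercase letters (~75 bits) beat 8 fully-mixed characters (~53 bits)."""
    return length * math.log2(alphabet_size)


def evaluate(candidates):
    """Return {password: (passes_AD_complexity, passes_length_and_blocklist)}."""
    return {pw: (ad_complexity_ok(pw), length_and_blocklist_ok(pw)) for pw in candidates}


if __name__ == "__main__":
    for pw, (ad, lb) in evaluate(
        ["Password1", "Hello123", "Summer2014!", "correcthorsebatterystaple"]
    ).items():
        print(f"{pw:28} AD complexity: {ad!s:5}  length+blocklist: {lb}")
    print(f"8 chars x 95 symbols : {keyspace_bits(8, 95):.1f} bits")
    print(f"16 chars x 26 symbols: {keyspace_bits(16, 26):.1f} bits")
```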

According to Trustwave, more than 12,000 of the passwords contained one of the top 100 most common baby boy names. More than 9,200 included one of the 100 most popular dog names.  

“Any attempt at cracking passwords will begin with a number of predictable keywords that many users select as the basis for their password,” according to the report.

“Two-factor should absolutely be considered a crucial control for critical systems and sensitive data,” Sigler said. “It is more secure than even the longest password-only solution and is often easier for the users depending on the implementation. As two-factor becomes more and more common it is likely to meet less resistance from users.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
