Your Password May Not Be as Safe as You Think

Last week’s announcement that a group of cybercriminals reputedly had gotten their hands on 1.2 billion user credentials turned the cyber-world’s attention to a subject with which many people have a love-hate relationship: the password.

Sometimes memorable, sometimes forgotten, passwords are the key to the door blocking open access to many networks and applications. But according to a recent report from Trustwave, acquiring that key may be easier for hackers than you think.

In an attempt to prove how easily passwords can be cracked, the firm took a sample of 626,718 hashed passwords collected during thousands of network penetration tests in 2013, as well as some from 2014. The majority came from Active Directory environments and included Windows LAN Manager and NT LAN Manager-based password hashes. More than half of the passwords were recovered within the first few minutes; 576,533 (roughly 92 percent) were compromised within 31 days.

“Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure,” according to Trustwave’s Global Security Report. “The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.”

Trustwave used two machines to perform the cracking. The first was built for a total of $1,800 and consisted of an Intel Core i7 Ivy Bridge Quad Core Processor, 16 gigabytes of RAM and two AMD Radeon 7970 graphics cards. The second machine included an AMD FX-8320 8 Core Processor, 16 gigabytes of RAM and four AMD Radeon 7970 graphics cards and cost a total of $2,700 to build.

The firm started its experiment with a dictionary attack using an automated tool and a word list created based on last year’s password study. Within minutes, 53.97 percent of the passwords within the sample were recovered. The most popular passwords will sound familiar to many – ‘Password1’ (2,984), ‘Hello123’ (2,587) and ‘password’ (2,458).

When the researchers examined the types of characters used, they found that the passwords most commonly combined lowercase letters and numbers, which accounted for 212,158 of the passwords. Passwords that combined numbers with both lowercase and uppercase letters were the second most prevalent and totaled 201,447. The third most common were numbers-only passwords, which totaled 72,425.

“I completely agree that sites should be focusing on longer passwords more so than highly complex ones, but there are a multitude of reasons why websites often require complexity rather than length,” said Karl Sigler, threat intelligence manager at Trustwave. “One reason is because the idea of eight characters with at least one uppercase character, number and extended character (like %#$) was established as a best practice for password security back in the late nineties when seven character Windows passwords were found to be almost trivial to crack. Complexity was introduced to make those eight character passwords more secure than eight lowercase letters.”

“In the end,” he added, “the more control that admins have over their users the more power they have over those minimums. For example, as a corporate admin I can dictate 16 characters or you can’t log in to email. As a website operator, the harder I make it to create an account the more likely it is that my customers will start shopping elsewhere.”

Complicating matters further is that users can circumvent controls meant to add complexity, the report noted. For example, Active Directory’s password complexity policy requires a minimum of eight characters drawn from at least three of five character types (lowercase letters, uppercase letters, numbers, etc.). However, ‘Password1’ still complies with that rule, as may the name of a user’s baby followed by the year, for example.
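To make the two points above concrete (the report's argument that length, not character mix, drives brute-force cost, and the observation that the Active Directory 3-of-5 rule accepts ‘Password1’), here is an added Python example that is not part of the article or of Trustwave's work. It models the category rule in simplified form (the real policy also rejects passwords containing parts of the account name, which is omitted) and compares search-space sizes for random passwords under a complexity-style and a length-style policy.

```python
import math
import string

# Simplified model of the Active Directory complexity rule described in the
# article: at least eight characters, from at least three of five categories.
# The account-name check of the real policy is deliberately left out.
CATEGORIES = {
    "upper": str.isupper,
    "lower": str.islower,
    "digit": str.isdigit,
    "symbol": lambda ch: ch in string.punctuation,
    "other": lambda ch: not ch.isascii(),  # any non-ASCII (Unicode) character
}


def meets_ad_complexity(password: str, min_length: int = 8) -> bool:
    """Return True if the password satisfies the 3-of-5 category rule."""
    if len(password) < min_length:
        return False
    present = {name for name, test in CATEGORIES.items()
               if any(test(ch) for ch in password)}
    return len(present) >= 3


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Brute-force search space, in bits, for a password chosen uniformly at
    random from alphabet_size**length candidates. This is an upper bound on
    cost: dictionary words such as 'Password1' fall in minutes regardless."""
    return length * math.log2(alphabet_size)


def compare_policies() -> dict:
    """Contrast an 8-character, all-printable-ASCII policy (95 symbols) with
    longer lowercase-only passwords (26 symbols), as the report argues."""
    return {
        "8 chars, all printable ASCII": round(keyspace_bits(8, 95), 1),
        "12 chars, lowercase only": round(keyspace_bits(12, 26), 1),
        "16 chars, lowercase only": round(keyspace_bits(16, 26), 1),
    }


if __name__ == "__main__":
    # 'Password1' and 'Hello123' are the top entries from the article; the
    # long passphrase is a constructed example that the category rule rejects.
    for pw in ("Password1", "Hello123", "password", "correcthorsebatterystaple"):
        print(f"{pw!r:30} complies with 3-of-5 rule: {meets_ad_complexity(pw)}")
    for label, bits in compare_policies().items():
        print(f"{label:30} {bits} bits")
```

Note that a 12-character lowercase password already has a larger random search space than an 8-character password using every printable ASCII symbol, while the category rule accepts the report's most-cracked password and rejects a 25-character lowercase passphrase.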

According to Trustwave, more than 12,000 of the passwords contained one of the top 100 most common baby boy names. More than 9,200 included one of the 100 most popular dog names.  

“Any attempt at cracking passwords will begin with a number of predictable keywords that many users select as the basis for their password,” according to the report.

“Two-factor should absolutely be considered a crucial control for critical systems and sensitive data,” Sigler said. “It is more secure than even the longest password-only solution and is often easier for the users depending on the implementation. As two-factor becomes more and more common it is likely to meet less resistance from users.”
