The web’s been around for a good couple of decades now. That’s plenty of time to learn the damage people can do when they have access to your online accounts right? So why in the name of all that is holy is “Password1” still the world’s most common password?
In fact, why is that still even a possibility, along with other gems such as “Hello123” and “Password”? Unfortunately, we can’t tell you the thought processes behind these travesties of online security, but we can give you a glimpse of just how easy it is for anyone using the right tools to find that information out.
Using two machines built at a total cost of under US$5 000, online security company Trustwave set out to determine how easily it could crack a sample of 626 718 hashed passwords collected during thousands of network penetration tests performed in 2013 and some performed in 2014.
The company claims that it had more than half the passwords cracked within the first few minutes and that it eventually cracked 576 533 or almost 92% of the sample within a period of 31 days.
A large part of the problem, it seems, comes from the fact that most people — and even some IT administrators — assume that you can get away with a relatively low number of characters in your password as long as it includes numbers, capital letters and special characters.
This is borne out by the fact that the single most common length among the passwords Trustwave cracked was eight characters.
As Trustwave points out though, an automated tool can crack a completely random eight-character password including all four character types such as “N^a&$1nG” much faster than a 28-character passphrase including only upper and lower-case letters such as “GoodLuckGuessingThisPassword”.
An attacker with a machine similar to the ones used in Trustwave’s experiment could crack the former in approximately 3.75 days. In contrast, the latter would take 17.74 years.
If you want to keep your online information safe then, it’s clearly worth going beyond the bare minimum.
At the same time, it’s also worth learning what sequence people typically use in their passwords, so you can avoid doing the same.
A sequence of six lowercase letters followed by two numbers topped a similar Trustwave study in 2013, accounting for 10% of cracked passwords. The same sequence topped the list in this year’s analysis.
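The comparison above (a short password drawn from all four character classes versus a long passphrase drawn from two) and the six-lowercase-plus-two-digits pattern both come down to keyspace size, the number of candidates an exhaustive search has to try. The following is an added example, not code from the article or from Trustwave: it computes keyspace and entropy for the two passwords quoted above, the keyspace of a hashcat-style mask for the common pattern, and the average time to crack at an assumed guess rate. The class sizes (ASCII letters, digits, and `string.punctuation` as the special set) and the guess rate are assumptions, so the times it prints are not Trustwave’s 3.75-day and 17.74-year figures, which depend on their hardware and method.

```python
import math
import string

# Character-class sizes (ASCII only; "special" is taken to be string.punctuation,
# which is an assumption about how the classes were counted).
CLASS_SIZES = {
    "l": len(string.ascii_lowercase),  # 26
    "u": len(string.ascii_uppercase),  # 26
    "d": len(string.digits),           # 10
    "s": len(string.punctuation),      # 32
}


def alphabet_size(password: str) -> int:
    """Size of the smallest class mix an attacker must assume to cover this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += CLASS_SIZES["l"]
    if any(c in string.ascii_uppercase for c in password):
        size += CLASS_SIZES["u"]
    if any(c in string.digits for c in password):
        size += CLASS_SIZES["d"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["s"]
    return size


def keyspace(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search over this length and alphabet must try."""
    return alphabet ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed as bits, the usual way to compare password strength."""
    return math.log2(space)


def mask_keyspace(mask: str) -> int:
    """Keyspace of a hashcat-style mask built from ?l ?u ?d ?s tokens,
    e.g. '?l?l?l?l?l?l?d?d' for six lowercase letters followed by two digits."""
    if len(mask) % 2 or any(mask[i] != "?" for i in range(0, len(mask), 2)):
        raise ValueError("mask must be a sequence of ?l/?u/?d/?s tokens")
    space = 1
    for token in mask[1::2]:
        space *= CLASS_SIZES[token]  # KeyError for an unknown token
    return space


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return space / 2 / guesses_per_second


def compare(a: str, b: str) -> float:
    """How many times larger the brute-force space for b is than for a."""
    return keyspace(len(b), alphabet_size(b)) / keyspace(len(a), alphabet_size(a))


if __name__ == "__main__":
    RATE = 1e10  # constructed: ten billion guesses per second, not a measured rate
    for pw in ("N^a&$1nG", "GoodLuckGuessingThisPassword"):
        space = keyspace(len(pw), alphabet_size(pw))
        days = expected_crack_seconds(space, RATE) / 86400
        print(f"{pw!r}: {len(pw)} chars, alphabet {alphabet_size(pw)}, "
              f"{entropy_bits(space):.1f} bits, ~{days:.2e} days at {RATE:.0e}/s")
    print("six lowercase + two digits:", mask_keyspace("?l?l?l?l?l?l?d?d"))
```

The mask keyspace (about 3.1 x 10^10 candidates) is tiny next to the full eight-character space of 94^8, which is why a pattern that 10% of users share is the first thing a cracking run tries; the passphrase’s 52^28 space is larger than the eight-character all-class space by more than thirty orders of magnitude.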
Trustwave also found that people are pretty ingenious when it comes to creating weak passwords out of even the most stringent requirements.
Take Active Directory for instance. Its password complexity policy requires a minimum of eight characters and three of the five character types (lowercase letters, uppercase letters, numbers, special and Unicode). Unfortunately, “Password1” complies. So does a user’s new baby’s name capitalised and followed by the year.
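To see why the three-of-five rule lets “Password1” through, here is an added example (not Active Directory’s own code or the article’s) that implements the rule as the article states it and, beside it, the checks a defender would rather run: whether the password is a predictable base word with the usual suffix dressing, and whether it ends in a year. The class boundaries (ASCII punctuation as “special”, anything non-ASCII as “Unicode”) and the small `BASE_WORDS` blocklist are constructed assumptions.

```python
import re
import string

MIN_LENGTH = 8  # the minimum length the article quotes for the policy


def char_classes(password: str) -> set:
    """Which of the five policy classes the password touches.
    Assumption: ASCII punctuation is 'special', any non-ASCII character is 'unicode'."""
    classes = set()
    for c in password:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        elif c in string.punctuation:
            classes.add("special")
        elif not c.isascii():
            classes.add("unicode")
    return classes


def meets_complexity(password: str) -> bool:
    """The rule as stated: eight or more characters and at least three of five classes."""
    return len(password) >= MIN_LENGTH and len(char_classes(password)) >= 3


# Constructed stand-in for the predictable base words a cracking wordlist starts with.
BASE_WORDS = {"password", "hello", "welcome", "summer", "emma"}


def base_word(password: str) -> str:
    """Strip trailing digits and specials (the usual 'Word123!' dressing) and lowercase."""
    return password.rstrip(string.digits + string.punctuation).lower()


def has_year_suffix(password: str) -> bool:
    """True for the 'name followed by the year' pattern, e.g. a trailing 19xx or 20xx."""
    return re.search(r"(19|20)\d\d$", password) is not None


def assess(password: str) -> dict:
    """Policy compliance next to the signals that actually predict a quick crack."""
    return {
        "complies": meets_complexity(password),
        "predictable_base": base_word(password) in BASE_WORDS,
        "year_suffix": has_year_suffix(password),
    }


if __name__ == "__main__":
    for pw in ("Password1", "Hello123", "Emma2014", "GoodLuckGuessingThisPassword"):
        print(f"{pw!r}: {assess(pw)}")
```

Note that the 28-character passphrase from the article fails the complexity rule (only two classes), while “Password1” and a capitalised name plus year pass it. A policy that only counts character classes rewards the wrong thing; checking length and screening out known base words catches what the class count misses.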
Any attempt at cracking passwords will begin with a number of predictable key words that many users select as the basis for their password. That wouldn’t be as much of a problem if people weren’t so determined to make their keywords so predictable.
This kind of flawed password building goes a long way to explaining why weak or default passwords contributed to one third of compromises investigated by Trustwave.
If you want to be safe, or to make sure that the people using something you’ve built are safe, then you have to implement and enforce strong authentication policies. Two-factor authentication should also be used whenever possible.
It’s not complicated stuff, but a little rigour when it comes to password security can go a long way towards preventing a breach. That, in turn, could save you a lot of time and even more money.
Image: marc falardeau.