
Passwords - Every One Can Be Cracked

22 March 2017

35% of users have weak passwords and the other 65% can be cracked, a worldwide review of user account compromise and large scale account breaches has found.

Password leaks from public breaches help us learn how people think, allow us to identify patterns and build dictionaries of passwords. As password cracking methods evolve, Uppercase characters, Lowercase characters, Special characters and Digits (ULSD) recommendations and password complexity mean less.

People reuse passwords. They rotate them. They add a digit to them. They even use identical passwords across accounts or share passwords with others. These are common behaviours. For example, we've seen how local culture affects passwords: local football team names are commonly used as passwords.

The problem is that only about 1% of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.

People need patterns to remember things, and to feel more secure they use a combination of ULSD. But ULSD itself has its own patterns. Most common? Take a word. Capitalise it and add digits to the end. Sound familiar? The majority of people do this.


The guessing game

Preempt is an organisation that researches worldwide user account compromise and large scale account breaches such as at Talk Talk and Yahoo. The company has found there is a common denominator with regard to passwords between breaches.

Take, for example, the relatively recent high profile LinkedIn breach. One thing is certain: any person who used the same password for LinkedIn as for their work account (or any other account) is currently vulnerable in those other accounts.

Unfortunately, there are many users that don’t make that connection.

Their LinkedIn account was breached, so they just change their LinkedIn password, not realising that if they are using that same password elsewhere, they are actually exposed in all of those places as well.

For IT security teams, this is an unknown vulnerability they have to deal with.


Preempt set out to answer the question: how many LinkedIn accounts were weak prior to the LinkedIn breach?

To answer this, we compared how many passwords in LinkedIn's password dump were already known from previously established password dictionaries. The results were staggering: 63,588,381 (~35%) of accounts used previously known passwords to begin with. No matter how complex these passwords were, they are considered weak because they can be quickly cracked offline by matching against a wordlist of known (or previously used) passwords.


Most Passwords Can Easily Be Cracked

After we looked at password weakness, we wanted to determine how easy passwords might be to crack. To do this, we estimated the relative strength of account passwords within a general organisation. To be as conservative as possible, we made the following three assumptions:

Users are not sharing passwords between themselves or with other accounts.

Some variation of the Microsoft password policy recommendations is in place. Specifically, users use passwords of 10 characters or less. (From our research, aside from some very security focused organisations with a very specific policy for admins, more than 90% of organisations don't require more than 8 character passwords.)

MS password complexity is turned on.

We then tried to compute how much time it would take to crack a password by brute force, using standard off-the-shelf cracking hardware. We created three password models:

Low Complexity - only password length is enforced.

Medium Complexity - password length and complexity are enforced, and users follow common ULSD patterns.

High Complexity - the same as medium complexity, but users are aware not to use common ULSD patterns.

Low complexity passwords can be cracked in less than a day, medium complexity passwords in less than a week and high complexity passwords in less than a month.


In Summary

Password complexity isn't working - passwords can meet complexity and still be considered weak because of password dictionaries.

Passwords are not unique - people reuse passwords and newly leaked dictionaries contain previously leaked passwords.

Passwords follow patterns - in most cases, the top 100 patterns will crack the majority of passwords in an organisation.

Password cracking is easy - depending on hardware resources, it can take only seconds to minutes to brute force most passwords.

Passwords are shared between users - people share passwords, use identical passwords and duplicate passwords between services.

Password expiration policy is not enforced - frequent password change policies are disabled, and many times this is done specifically for executives (e.g. the CEO) with highly sensitive profiles.


So, what does this mean?

ULSD essentially doesn't matter. It is important to educate employees, and individuals in general, about password strength and the levels of risk following recent breaches. If you use the same username and/or login for multiple websites, you're putting yourself at significant risk.


What else can you do?

Use a password policy to enforce complexity and password expiration.

Require longer passwords (8 bad, 10 ok, 12 good).

Educate people to:

Not share passwords with other employees.

Not share passwords with other cloud services.

Not use simple patterns, personal data or common words (make it unpredictable).

Not repeat passwords when a password expires (incrementing a number on the end counts as repeating).

Add additional factors to authenticate users. For example, on suspicious logins, you could send end users a simple email notification or push an immediate notification to their mobile device.

Implement a context based solution - train and enforce password policy based on users' activities.
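As an added example (not Preempt's tooling or code from this article), a Python screen that applies the findings above to a candidate password: it compares the password's base word against a known-password dictionary (a constructed stand-in for the breach-derived wordlists described earlier), flags the capitalised-word-plus-digits ULSD pattern, rates length on the 8/10/12 guidance, and detects the suffix rotation the expiry advice warns about. The dictionary contents and the exact length thresholds are assumptions.

```python
import re

# Constructed stand-in for the breach-derived "known password" dictionaries
# the article describes; a real deployment would load a large list from a file.
KNOWN_PASSWORDS = {"password", "letmein", "arsenal", "summer", "welcome", "qwerty"}

# The ULSD pattern the article calls most common: a capitalised word with
# digits appended, optionally followed by one special character.
CAPWORD_DIGITS = re.compile(r"^[A-Z][a-z]+\d+[^A-Za-z0-9]?$")


def base_word(pw: str) -> str:
    """Strip the decoration people add (capitalisation, trailing digits or
    symbols) so 'Arsenal2017!' compares equal to the dictionary entry 'arsenal'."""
    return re.sub(r"[\d\W_]+$", "", pw).lower()


def length_rating(pw: str) -> str:
    """Map length to the article's guidance (8 bad, 10 ok, 12 good); the
    cut-offs between those points are our own interpretation (assumption)."""
    if len(pw) >= 12:
        return "good"
    if len(pw) >= 10:
        return "ok"
    return "bad"


def is_rotation(old_pw: str, new_pw: str) -> bool:
    """True when the 'new' password is the old one with a changed suffix,
    e.g. Summer2016! -> Summer2017! (the enumeration the article warns about)."""
    return old_pw != new_pw and base_word(old_pw) == base_word(new_pw)


def assess(pw: str, known=KNOWN_PASSWORDS) -> dict:
    """Screen a candidate password on the three findings: dictionary hit on
    its base word, common ULSD pattern, and length."""
    result = {
        "known_base": base_word(pw) in known,
        "common_pattern": bool(CAPWORD_DIGITS.match(pw)),
        "length": length_rating(pw),
    }
    result["weak"] = (result["known_base"] or result["common_pattern"]
                      or result["length"] == "bad")
    return result


if __name__ == "__main__":
    for candidate in ("Arsenal2017!", "Welcome1", "correct horse battery staple"):
        print(candidate, assess(candidate))
    print("rotation:", is_rotation("Summer2016!", "Summer2017!"))
```

Note that "Arsenal2017!" passes a ULSD complexity rule and the 12-character length guidance yet is still flagged, which is the article's point about complexity alone.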

By Eran Cohen, a Director of Product Management at Preempt


