Could your Password be Cracked in 60 Seconds?

If your password is 7 characters long and uses a mixture of numbers with uppercase and lowercase letters, then the answer is YES (1). This is based on analysis undertaken prior to August 2019, so the situation is probably even worse today, as the processing power in the hands of cybercriminals continues to increase. Passwords have been used with computers since the earliest days of computing: the CTSS operating system introduced at MIT in 1961 was the first recorded computer system to implement a password login. Tools designed to crack passwords have been evolving alongside them for many decades.

Here we will look at why some password ‘best practices’ are actually detrimental to information security and suggest some methods for creating strong passwords that are easy to remember but hard to guess.

Password management: typically, a painful necessity

It is no secret: passwords are a pain for everyone. They cause frustration for employees, customers, and the support staff who must manage them. Who can remember the 11-character combination of letters, symbols, and digits prescribed for strong passwords, let alone devise one in the first place? When a password gets lost or stolen, which happens frequently, it places a burden on the support desk. According to Gartner Group, 20-50% of support calls are for password resets, with an average cost to the organization of $70 per call, according to Forrester Research.

Hackers have developed a wide range of tools to infiltrate your personal data. The main impediment standing between your information remaining safe, or leaking out, is the password you choose. Ironically, the best protection people have is usually the one they take least seriously.

From a password cracking perspective, password complexity certainly improves password strength, as can be seen in the diagram reproduced below from Hive Systems. However, enforcing ‘strong’ password rules that are difficult for users to remember can reduce the security of a system in the following ways:

  • Users may need to write down or electronically store the password using an insecure method
  • Users will need more frequent password resets
  • Users are more likely to re-use the same password
  • Similarly, stringent requirements for password strength, such as “having to mix uppercase and lowercase letters with digits” or “changing the password monthly”, increase the degree to which users will try to subvert the system (2).

Asking users to remember a password consisting of a mix of uppercase and lowercase characters is like asking them to remember a sequence of bits: hard to remember, and only slightly harder to crack (only 128 times harder for 7-letter passwords, and less if the user only capitalizes one of the letters). Asking users to use letters, digits and symbols together will often lead to easy-to-guess substitutions such as ‘3’ in place of ‘E’, ‘1’ instead of ‘l’, and ‘@’ in place of ‘A’, all of which are well known to hackers. Similarly, typing the password one keyboard row higher is another commonly known trick.

[Image: diagram from Hive Systems showing the time it takes for a hacker to brute force your password]
Easy to Remember but Hard to Guess

Users rarely choose passwords that are easy to remember but hard to guess. A study in 2004 entitled “The Memorability and Security of Passwords” (3) set out to determine how to help users choose good passwords: the authors performed a controlled trial of the effects of giving users different kinds of advice. Some of their results challenged the established wisdom.

They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed “algorithm” for generating obscure passwords can easily build strength upon these examples. One way to create an easy-to-use algorithm could be to take the unrelated word example but separate each word with a choice of symbols. Three random words with three different symbols could certainly create a strong password with the user having just 6 password elements to remember.

More recent research undertaken in April 2015 by several professors at Carnegie Mellon University revealed that people’s choices of password structure often follow several known patterns. As a result, passwords may be much more easily cracked than the mathematical probabilities, as illustrated in the diagram included here, would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password (4).
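The keyspace arithmetic behind these comparisons (the 128x gain from mixed case, the much smaller gain when only one letter is capitalised, the digit-at-the-end pattern, and the three-words-with-symbols scheme), as an added example that is not code from the original article or from Hive Systems. The guess rate, the 7776-word list and the 32-symbol set are assumptions, not measured figures.

```python
"""Keyspace and brute-force-time calculator for the password schemes discussed above.

Added example, not code from the original article or from Hive Systems. The guess
rate, wordlist size and symbol-set size below are assumptions, not measured figures."""
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32   # printable ASCII class sizes (32 symbols assumed)


def keyspace(length: int, alphabet: int) -> int:
    """Candidates when every position is drawn uniformly from `alphabet` symbols."""
    return alphabet ** length


def one_capital_keyspace(length: int) -> int:
    """Lowercase word with exactly one capitalised position: satisfies a mixed-case
    rule but only multiplies the search by `length`, not by 2 ** length."""
    return length * LOWER ** length


def digit_keyspace(length: int, digit_anywhere: bool) -> int:
    """Letters plus exactly one digit. If the digit is known to sit at the end
    (the pattern the CMU research describes), the position factor `length` disappears."""
    positions = length if digit_anywhere else 1
    return positions * DIGITS * LOWER ** (length - 1)


def phrase_keyspace(words: int, wordlist: int, separators: int = 0) -> int:
    """Random words (each from a list of `wordlist` entries) joined by random symbols."""
    return wordlist ** words * SYMBOLS ** separators


def bits(n: int) -> float:
    """Entropy of a uniformly chosen candidate, in bits."""
    return math.log2(n)


def seconds_to_exhaust(n: int, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return n / guesses_per_second


if __name__ == "__main__":
    rows = [
        ("7 lowercase letters", keyspace(7, LOWER)),
        ("7 mixed-case letters", keyspace(7, LOWER + UPPER)),
        ("7 lowercase, one capital", one_capital_keyspace(7)),
        ("7 mixed-case letters + digits", keyspace(7, LOWER + UPPER + DIGITS)),
        ("6 letters + 1 digit anywhere", digit_keyspace(7, True)),
        ("6 letters + digit at the end", digit_keyspace(7, False)),
        ("3 words (7776-word list) + 3 symbols", phrase_keyspace(3, 7776, 3)),
    ]
    for label, n in rows:
        print(f"{label:38s} {bits(n):5.1f} bits  {seconds_to_exhaust(n):>10.2e} s")
```

The printed table makes the article's point directly: the three-word scheme with separators has more entropy than the 7-character mixed-case alphanumeric password, while "one capital" and "digit at the end" give only a fraction of the strength the policy appears to add.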

How are passwords compromised

Passwords represent valuable corporate assets that can be targeted by cybercriminals. Passwords can be compromised on the move as they transit networks, but they are more vulnerable as sitting targets when static as they are stored in databases and backup files which can be easily found and hacked. In some cases, passwords are shared among colleagues, and are reused across multiple applications making them easy targets for malware, phishing attacks, and other credential-stealing techniques.

One of the simplest ways for hackers to gain access to your information is with a Brute Force Attack. This is accomplished when a hacker uses a specially written piece of software to systematically check all possible passwords and passphrases until one is found that matches your credentials. Other cracking techniques you may hear of include dictionary attacks, lookup tables, reverse lookup tables, and rainbow tables. Free password cracking tools can be easily obtained through any internet search, so do not assume that this is just within the realm of sophisticated cybercriminal gangs.

When passwords are stolen, either individually or as part of a corporate database, they are usually shared online and offered for sale on the dark web. Cybercriminals buy these lists and use automated credential-stuffing attacks that run through the username and password combinations until a match is found for the online account they are trying to break into. This could be an online shop where they attempt to purchase goods using your stored payment methods or, in the worst case, your financial institution accounts, from which they transfer money. Of course, once hackers have gained access to any online account, there may be much more Personally Identifiable Information (PII) readily available to them, paving the way for broader identity theft.

Education and encryption are your best weapons

So often, cybersecurity education is the most powerful weapon any organization can deploy to help keep its systems secure and sensitive information out of cybercriminals’ hands. Even the simple password management tips here could make a big difference. One other action we always promote is the encryption of sensitive data, and in particular of backup files, which are not only your lifeline in the event of a disaster but also sitting targets for data mining by criminals searching for password tables or other forms of PII. In addition, always secure your backup volumes with an immutability function such as Blocky for Veeam® to ensure threat actors cannot encrypt your vital files.

For any questions, please get in touch through our contact form; the Blocky team are always ready to help.

(1). Data sourced from HowSecureismyPassword.net online: https://www.hivesystems.io/blog/are-your-passwords-in-the-green?

(2). Managing Network Security. Fred Cohen & Associates. All.net. Retrieved on January 31, 2013 online: https://web.archive.org/web/20110126220702/http://all.net/journal/netsec/1997-09.html

(3). Yan, J.; Blackwell, A.; Anderson, R.; Grant, A. (2004). “Password Memorability and Security: Empirical Results” (PDF). IEEE Security & Privacy Magazine online: https://ieeexplore.ieee.org/document/1341406

(4). Steinberg, Joseph (April 21, 2015). “New Technology Cracks ‘Strong’ Passwords – What You Need To Know” online: https://www.forbes.com/sites/josephsteinberg/2015/04/21/new-technology-cracks-long-complex-passwords-what-you-need-to-know/?sh=1f430ed162df