Password Security Weak, Beaten ‘Within Minutes’

Monday, August 18, 2014 @ 06:08 PM gHale

While they are surely harder to crack than 1-2-3-4, about 50 percent of U.S. corporate passwords can be broken in a matter of minutes.

After two years of compiling and analyzing around 620,000 passwords harvested during pen testing, half the passwords ended up broken within “the first few minutes,” with 92 percent being cracked within 31 days of intensive number crunching, according to research by security provider Trustwave.


The majority of the samples harvested by the company came from Active Directory environments and included Windows LAN Manager (LM)- and NT LAN Manager (NTLM)-based passwords.

Trustwave’s report on its research found general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure.

“The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password,” researchers said.

An automated tool can crack a completely random eight-character password including all four character types such as “N^a&$1nG” much faster than a 28-character pass-phrase including only upper- and lower-case letters like “GoodLuckGuessingThisPassword,” researchers said.

“If, for the purposes of this estimate, we assume the attacker knows the length of the passwords and the types of characters used, ‘N^a&$1nG’ could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack ‘GoodLuckGuessingThisPassword’ using the same GPU,” researchers said.
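The point the researchers make, that length rather than character mix drives cracking cost, falls out of simple keyspace arithmetic. The following is an added example, not code from Trustwave's report: it models the brute-force keyspace an attacker faces when, as in the estimate above, the length and the character classes are known. The alphabet sizes (26/26/10 and 33 printable ASCII specials) and the guess rate used in the demo run are assumptions for illustration; they are not the report's GPU figures, so the times it prints will not match the 3.75 days / 17.74 years quoted.

```python
import math

# Alphabet size per character class. The 33 printable ASCII specials
# (punctuation plus space) is an assumption for this example; the report
# does not state the alphabet behind its estimate.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def alphabet_size(classes):
    """Size of the union of the given character classes."""
    return sum(CLASS_SIZES[c] for c in classes)


def keyspace(length, classes):
    """Candidates a tool must try when it knows the length and the classes
    in use (the page's assumption): alphabet ** length."""
    return alphabet_size(classes) ** length


def entropy_bits(length, classes):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size(classes))


def seconds_to_exhaust(length, classes, guesses_per_second):
    """Worst-case time to exhaust the keyspace at a given guess rate."""
    return keyspace(length, classes) / guesses_per_second


def length_to_match(target_keyspace, classes):
    """Shortest password drawn only from `classes` whose keyspace is at
    least `target_keyspace` (integer arithmetic, so no rounding surprises)."""
    a = alphabet_size(classes)
    n = 1
    while a ** n < target_keyspace:
        n += 1
    return n


if __name__ == "__main__":
    ALL = ["lower", "upper", "digit", "special"]
    LETTERS = ["lower", "upper"]
    # Constructed guess rate for the demo; not a measurement of any GPU.
    RATE = 1e10

    for label, length, classes in [
        ("8 chars, all four classes (N^a&$1nG shape)", 8, ALL),
        ("28 chars, letters only (pass-phrase shape)", 28, LETTERS),
    ]:
        print(f"{label}: {entropy_bits(length, classes):.1f} bits, "
              f"{seconds_to_exhaust(length, classes, RATE) / 86400:.2e} days "
              f"to exhaust at {RATE:.0e} guesses/s")

    # How much lowercase-only length buys the same keyspace as 8 mixed chars?
    print("lowercase-only length matching 8 mixed chars:",
          length_to_match(keyspace(8, ALL), ["lower"]))
```

The last line is the practical takeaway for policy: a lowercase-only password of 12 characters already has a larger keyspace than an 8-character one using all four classes, so a length-first policy costs users less than a complexity-first one while costing an attacker more.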

Trustwave goes on to say that, despite the best efforts of IT administrators, users find methods to meet complexity requirements while still creating weak passwords.

Active Directory’s password complexity policy, it notes, requires a minimum of eight characters and three of the five character types (lowercase letters, uppercase letters, numbers, special and Unicode).

“Unfortunately, ‘Password1’ complies. So does, for example, a user’s new baby’s name capitalized and followed by the year. Any attempt at cracking passwords will begin with a number of predictable keywords that many users select as the basis for their password,” the research said.
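To see why complexity rules alone do not stop weak passwords, the following added example (not code from Trustwave or from Active Directory itself) implements the rule as the article describes it, eight characters and three of the five classes, next to a check for the keyword-plus-digits pattern the researchers say cracking runs start with. The list of predictable bases is a constructed stand-in for a real cracking wordlist, and the real AD rule's extra check that the password does not contain the account name is omitted.

```python
import re


def char_classes(password):
    """Which of the five AD character classes the article lists
    (lower, upper, digit, special, Unicode) appear in the password."""
    classes = set()
    for ch in password:
        if not ch.isascii():
            classes.add("unicode")
        elif ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")  # ASCII punctuation and space
    return classes


def meets_ad_complexity(password, min_length=8, min_classes=3):
    """The complexity rule as described in the article: at least eight
    characters drawn from at least three of the five classes."""
    return len(password) >= min_length and len(char_classes(password)) >= min_classes


# Constructed stand-in for the predictable keywords a cracking wordlist
# leads with; a real audit would use a proper wordlist and the org's own
# name, products and local sports teams.
PREDICTABLE_BASES = ("password", "welcome", "summer", "company", "emma")

_PATTERN = re.compile(
    r"(?:%s)[^a-z]{0,6}" % "|".join(re.escape(b) for b in PREDICTABLE_BASES)
)


def looks_predictable(password):
    """True for keyword + up to six digits/specials (e.g. name + year),
    the shape that satisfies the rule yet falls to a wordlist first."""
    return _PATTERN.fullmatch(password.lower()) is not None


def audit(password):
    """Summarise how a candidate fares under both tests."""
    return {
        "complies": meets_ad_complexity(password),
        "predictable": looks_predictable(password),
        "length": len(password),
    }


if __name__ == "__main__":
    # Constructed samples: the article's two examples plus a name + year.
    for pw in ("Password1", "Emma2014!", "GoodLuckGuessingThisPassword"):
        print(pw, audit(pw))
```

Running it shows the mismatch the researchers describe: `Password1` and `Emma2014!` both comply with the rule and both match the predictable pattern, while the 28-character pass-phrase from the earlier example fails the three-class test even though it is far harder to crack.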
