October is National Cyber Security Awareness Month (NCSAM), which means it’s time to talk about passwords for the umpteenth time. Why beat this dead horse again? Because just about everyone still uses passwords, and even the most recent password security recommendations do not make them any stronger.

This year, the recommended minimum was eight characters. But how many people actually believe an eight-character password is secure? Most likely use one only because they have been told that eight characters is stronger than six.

Sorry to be the bearer of bad news, but the truth is that eight characters are not enough.

Do You Know Where Your Password Has Been?

When passwords are stored properly, they are not stored in plain text. They are run through a one-way hash function: the hash can be computed from the password, but the password cannot be computed from the hash, so the only way back is to guess candidates, hash them and compare. The password “hashcat,” for example, becomes “b4b9b02e6f09a9bd760f388b67351e2b” under the NTLM hash used by Windows. When you log in to a website, you never know how your password is stored on the back end (a database, a text file, something else) or whether anything has been done to protect it.

Leaked or stolen password databases are called dumps. Threat actors use the credentials in them to get into other systems, or trade dumps with other actors for more dumps or leaks. A dump can include your name, email address, hashed password, plain text password (if the site is being sloppy) and the answers to your password reset questions. Just about every Windows computer has a local database (the Security Account Manager, or SAM) of the users allowed to log in to the machine, including a hash of each password. Most corporate networks have a larger central database, Active Directory, that holds the same kind of information for every domain account.

Unfortunately, the NTLM hash Windows relies on is MD4, a function designed in 1990 and already broken in the 1990s. What matters most for cracking, though, is that it is unsalted and extremely fast to compute. As a result, threat actors, information security professionals and hobbyists all crack these passwords for fun and profit: they take billions of candidate passwords, hash each one and compare it against every hash in the database, and because there is no salt, a single guess tests every account at once. Each match yields a plain text password and its hash, which they keep for reuse.

This is practical because GPUs can be used for general computation and, for this embarrassingly parallel workload, are far faster than a CPU: a single cracking rig can attempt hundreds of billions of NTLM candidates every second. A very expensive machine with eight video cards can exhaust every eight-character password in about 24 hours. The attacker first has to obtain the hash, whether via malware, by compromising the network or system that holds it, or by sending malicious documents.
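As an added illustration (this code is not from the article or from X-Force Red), here is the whole pipeline in plain Python: the NTLM hash is MD4 over the UTF-16LE password, and a mask attack simply enumerates a keyspace, hashes each candidate once and looks it up against every hash in a dump at the same time. The sample dump is constructed for the example; the `hashcat` hash is the one quoted above. MD4 is implemented inline because `hashlib` frequently ships without it.

```python
import itertools
import string
import struct

MASK32 = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320). hashlib's md4 is often disabled in
    modern OpenSSL builds, so the primitive is written out here."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    bit_len = len(data) * 8
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)

    def f(x, y, z): return (x & y) | (~x & MASK32 & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(data), 64):
        x16 = struct.unpack("<16I", data[off:off + 64])
        v = [a, b, c, d]
        for func, k, order, shifts in rounds:
            for i in range(16):
                j = (-i) % 4  # the updated word rotates a, d, c, b, a, ...
                p, q, r = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _rotl((v[j] + func(p, q, r) + x16[order[i]] + k) & MASK32, shifts[i % 4])
        a, b, c, d = [(s + t) & MASK32 for s, t in zip((a, b, c, d), v)]
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NTLM is plain MD4 over the UTF-16LE password: no salt, no iterations."""
    return md4(password.encode("utf-16-le")).hex()


def mask_attack(dump: dict, charset: str, length: int) -> dict:
    """Toy version of hashcat's mask attack (-a 3): enumerate every string of
    `length` characters over `charset`, hash each candidate once and look it
    up against *every* hash in the dump. Because NTLM is unsalted, one guess
    tests all users at once. Returns {username: plaintext} for hashes that fell."""
    by_hash = {}
    for user, digest in dump.items():
        by_hash.setdefault(digest.lower(), []).append(user)
    cracked = {}
    for combo in itertools.product(charset, repeat=length):
        guess = "".join(combo)
        for user in by_hash.pop(ntlm(guess), []):
            cracked[user] = guess
        if not by_hash:  # nothing left to crack in this keyspace
            break
    return cracked


if __name__ == "__main__":
    # Constructed sample dump (no real users); carol's hash is the article's "hashcat".
    dump = {"alice": ntlm("dog"), "bob": ntlm("cat"),
            "carol": "b4b9b02e6f09a9bd760f388b67351e2b"}
    # alice and bob fall to a 3-lowercase mask; carol would need ?l?l?l?l?l?l?l
    print(mask_attack(dump, string.ascii_lowercase, 3))
```

Real tooling differs only in scale: hashcat runs the same enumerate-hash-compare loop across GPU cores at hundreds of billions of candidates per second, and a real dump has thousands of hashes that every candidate is checked against for free.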

Why Your Eight-Character Password Is Not as Strong as You Think

X-Force Red, IBM Security’s team of veteran hackers, recently partnered with IBM Cloud to see how fast they could crack an eight-character password. We put together a demonstration using 80 GPUs — a fraction of the power available in the average botnet. Individuals were invited to register for a website, which requested a name, email address and password. The password was then hashed with the NT LAN Manager (NTLM) hash format, the same format used in Windows, before being distributed to the GPUs and cracked with the open source software hashcat.

The passwords were all cracked in a minimum of 30 seconds and a maximum of nine minutes, with the average taking around three minutes. These passwords consisted of uppercase and lowercase letters, digits and 13 special characters (! @ # $ % ^ & * ( ) - + ?).

When the allowed special characters were expanded to the full set of printable ASCII symbols («space» ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~), giving 95 possible characters per position, the times rose to a maximum of an hour and a half and an average of 45 minutes.

In the real world, attackers would proceed to use the username and password combinations to log in to other sites and check existing dumps for patterns of reuse.

How to Truly Strengthen Your Password Security

While these findings are alarming, there are several simple actions users can take to truly strengthen their password security:

  1. Ensure that all the passwords you use across websites are unique. This is the first and most important step you should take.
  2. Use a password manager to track and change passwords between sites and systems.
  3. Use fake information for password reset questions and birthdates and ensure this is stored in your password manager.
  4. Use passwords that are 12 characters or longer. Since most of us can remember an eight-character password, why not string two of them together? Use this long password for your password manager, since it protects everything else.
  5. Change your passwords at least annually, but preferably quarterly, and absolutely after any notification of a breach.
  6. Back up your passwords. Keep an off-site hard copy that is protected in case a cloud service fails.
  7. Ensure that all passwords in your password manager are randomly generated (most password managers include this functionality).
  8. Change the password to your password manager at least annually or whenever it has been compromised.
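An added example (not from the article) of how a password manager's generator should work, and of the arithmetic behind the 12-character recommendation above: characters are drawn from the OS CSPRNG via `secrets`, the entropy of the result is reported, and the worst-case crack time is estimated at an assumed 10^11 NTLM hashes per second, in line with the "hundreds of billions per second" figure above. The word list is a constructed placeholder; a real passphrase list has thousands of words.

```python
import math
import secrets
import string

# 94 printable ASCII symbols excluding space; add " " to match the article's 95.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed placeholder word list; a real one (e.g. a diceware list) has
# thousands of entries, and the entropy below scales with its size.
WORDS = ["anchor", "basil", "cobalt", "drift", "ember", "falcon", "glacier", "harbor"]


def generate(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Random passphrase: each word is an independent uniform draw from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    This is a property of how the password was chosen, not of how it looks."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate of this shape at `rate` hashes/s."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    RATE = 1e11  # assumed: ~100 billion NTLM hashes/s, in line with the article
    for n in (8, 12, 16):
        years = seconds_to_exhaust(95, n, RATE) / (365.25 * 86400)
        print(f"{n} chars over 95 symbols: {entropy_bits(n, 95):.1f} bits, "
              f"exhaustive search {years:,.2g} years")
    print("manager-generated:", generate(16))
    print("master passphrase:", passphrase(6),
          f"({entropy_bits(6, len(WORDS)):.0f} bits from this toy list)")
```

The jump from 8 to 12 random characters is about 26 bits, which at the assumed rate turns less than a day of work into more than a hundred thousand years. The same arithmetic shows why a passphrase only helps if every word is chosen at random from a large list.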

Let’s be honest: Nobody is going to remember 400-plus long passwords and their associated reset questions. Modern password managers have evolved and are very user-friendly. An alternative to a password manager would be writing passwords in a secured notebook and storing it in a safe, safety deposit box or other secure location. A password manager can be a local solution or one on the cloud. It could even be used on your mobile device. The bottom line is that you should find a solution that works for you and stick with it.

You should also enable multifactor authentication (MFA) wherever you can. Modern tokens and mobile token apps are extremely easy to use, and there is no excuse in 2018 not to be using them where available. Ensure your token seeds are backed up in a secure location and that you have backup tokens or account recovery options; the seed is the secret that generates every code, so anyone who obtains it can generate codes too, and a backup needs the same protection as the password manager itself.

Lastly, employers who are concerned that their employees are using weak eight-character passwords should consider hiring a penetration testing service to crack bad passwords so executives and employees can understand which credentials need to be strengthened.
