October 4, 2018 By Dustin Heywood 4 min read

October is National Cyber Security Awareness Month (NCSAM), which means it’s time to talk about passwords for the umpteenth time. Why beat this dead horse again? Because just about everyone still uses passwords, and even the most recent password security recommendations do not make them any stronger.

This year, the recommendation was eight characters — but how many people actually think an eight-character password is sufficiently secure? The majority most likely only use one because they have been told that a password with eight characters is stronger than one with six.

Sorry to be the bearer of bad news, but the truth is that eight characters are not enough.

Do You Know Where Your Password Has Been?

When passwords are stored, they are not stored in plain text. They are transformed with a one-way function called hashing that, in theory, should not be reversible. The password of “hashcat,” for example, becomes “b4b9b02e6f09a9bd760f388b67351e2b.” When you log in to a website, you never know how your password is stored on the back end, such as in a database or text file, or if anything has been done to secure that password.

Leaked or hacked password databases are called dumps. Threat actors often steal information in databases and use it to get into other systems, or alternatively, trade their dumps with other actors for more dumps or leaks. These dumps can include your name, email address, hashed password, plain text password (if the site is being sloppy) and the answers to your password reset questions. Just about every Windows computer has a local database of users able to log in to the machine, including a hash of each user's password. Most corporate systems have a larger network database called Active Directory that holds the same kind of information.

Unfortunately, Windows relies on a hashing method that was broken in the late ’90s. As a result, threat actors, information security professionals and hobbyists now crack passwords for both fun and profit. They take billions of possible passwords, convert them to a hashed form and compare them against the hash in the database. If there is a match, they store the plain text password and matching hash.

This process is possible because video cards and graphics processing units (GPUs) can be used for general computational tasks and are much faster than an average computer, enabling them to attempt to crack hundreds of billions of passwords every second. In other words, a very expensive machine with eight video cards can crack an eight-character password in about 24 hours, assuming an attacker could get the hash via malware, hacking the network or system that had the hash, or sending malicious documents.

Why Your Eight-Character Password Is Not as Strong as You Think

X-Force Red, IBM Security’s team of veteran hackers, recently partnered with IBM Cloud to see how fast they could crack an eight-character password. We put together a demonstration using 80 GPUs — a fraction of the power available in the average botnet. Individuals were invited to register for a website, which requested a name, email address and password. The password was then hashed with the NT LAN Manager (NTLM) hash format, the same format used in Windows, before being distributed to the GPUs and cracked with the open source software hashcat.

The passwords were all cracked in a minimum of 30 seconds and a maximum of nine minutes, with the average taking around three minutes. These passwords consisted of uppercase and lowercase characters, numbers and special characters (! @ # $ % ^ & * ( ) - + ?).

When the allowed special characters were increased to «space» ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~, the times increased to a maximum of an hour and a half and an average of 45 minutes.

In the real world, attackers would proceed to use the username and password combinations to log in to other sites and check existing dumps for patterns of reuse.

How to Truly Strengthen Your Password Security

While these findings are alarming, there are several simple actions users can take to truly strengthen their password security:

  1. Ensure that all the passwords you use across websites are unique. This is the first and most important step you should take.
  2. Use a password manager to track and change passwords between sites and systems.
  3. Use fake information for password reset questions and birthdates and ensure this is stored in your password manager.
  4. Use passwords that are 12 characters or longer. Since most of us remember eight-character passwords, why not bring together two of them? Ensure this password is used for your password manager.
  5. Change your passwords at least annually, but preferably quarterly, and absolutely after any notification of a breach.
  6. Back up your passwords. Keep an off-site hard copy that is protected in case a cloud service fails.
  7. Ensure that all passwords in your password manager are randomly generated (most password managers include this functionality).
  8. Change the password to your password manager at least annually or whenever it has been compromised.

Let’s be honest: Nobody is going to remember 400-plus long passwords and their associated reset questions. Modern password managers have evolved and are very user-friendly. An alternative to a password manager would be writing passwords in a secured notebook and storing it in a safe, safety deposit box or other secure location. A password manager can be a local solution or one on the cloud. It could even be used on your mobile device. The bottom line is that you should find a solution that works for you and stick with it.

You should also enable multifactor authentication (MFA) wherever you can. Modern tokens or mobile token apps are extremely easy to use, and there is no excuse in 2018 not to be using them when available. Ensure your token seeds are backed up in a secure location and you have backup tokens or account recovery options.

Lastly, employers who are concerned that their employees are using weak eight-character passwords should consider hiring a penetration testing service to crack bad passwords so executives and employees can understand which credentials need to be strengthened.
