The Inconvenient Truth About Your Eight-Character Password

October is National Cyber Security Awareness Month (NCSAM), which means it’s time to talk about passwords for the umpteenth time. Why beat this dead horse again? Because just about everyone still uses passwords, and even the most recent password security recommendations do not make them any stronger.

This year, the recommendation was eight characters — but how many people actually think an eight-character password is sufficiently secure? The majority most likely only use one because they have been told that a password with eight characters is stronger than one with six.

Sorry to be the bearer of bad news, but the truth is that eight characters are not enough.

Do You Know Where Your Password Has Been?

When passwords are stored, they are not stored in plain text. They are transformed with a one-way function called hashing that, in theory, should not be reversible. The password of “hashcat,” for example, becomes “b4b9b02e6f09a9bd760f388b67351e2b.” When you log in to a website, you never know how your password is stored on the back end, such as in a database or text file, or if anything has been done to secure that password.

Leaked or hacked password databases are called dumps. Threat actors often steal information in databases and use it to get into other systems, or alternatively, trade their dumps with other actors for more dumps or leaks. These dumps can include your name, email address, hashed password, plain text password (if the site is being sloppy) and the answers to your password reset questions. Just about every Windows computer has a local database of users able to log in to the machine, including a hash of each password. Most corporate systems have a larger network database called Active Directory that holds the same kind of information.

Unfortunately, Windows relies on a hashing method that was broken in the late ’90s. As a result, threat actors, information security professionals and hobbyists now crack passwords for both fun and profit. They take billions of possible passwords, convert them to a hashed form and compare them against the hash in the database. If there is a match, they store the plain text password and matching hash.

This process is possible because video cards and graphics processing units (GPUs) can be used for general computational tasks and are far faster than an ordinary CPU at this kind of highly parallel work, enabling an attacker to attempt hundreds of billions of password guesses every second. In other words, a very expensive machine with eight video cards can crack an eight-character password in about 24 hours, assuming an attacker could get the hash via malware, hacking the network or system that held the hash, or sending malicious documents.

Why Your Eight-Character Password Is Not as Strong as You Think

X-Force Red, IBM Security’s team of veteran hackers, recently partnered with IBM Cloud to see how fast they could crack an eight-character password. We put together a demonstration using 80 GPUs — a fraction of the power available in the average botnet. Individuals were invited to register for a website, which requested a name, email address and password. The password was then hashed with the NT LAN Manager (NTLM) hash format, the same format used in Windows, before being distributed to the GPUs and cracked with the open source software hashcat.

Every password was cracked, with times ranging from a minimum of 30 seconds to a maximum of nine minutes and an average of around three minutes. These passwords consisted of uppercase and lowercase characters, numbers and special characters (! @ # $ % ^ & * ( ) - + ?).

When the allowed special characters were increased to the full printable set «space» ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~, the times increased to a maximum of an hour and a half and an average of 45 minutes.

In the real world, attackers would proceed to use the username and password combinations to log in to other sites and check existing dumps for patterns of reuse.

How to Truly Strengthen Your Password Security

While these findings are alarming, there are several simple actions users can take to truly strengthen their password security:

  1. Ensure that all the passwords you use across websites are unique. This is the first and most important step you should take.
  2. Use a password manager to track and change passwords between sites and systems.
  3. Use fake information for password reset questions and birthdates and ensure this is stored in your password manager.
  4. Use passwords that are 12 characters or longer. Since most of us remember eight-character passwords, why not bring together two of them? Ensure this password is used for your password manager.
  5. Change your passwords at least annually, but preferably quarterly, and absolutely after any notification of a breach.
  6. Back up your passwords. Keep an off-site hard copy that is protected in case a cloud service fails.
  7. Ensure that all passwords in your password manager are randomly generated (most password managers include this functionality).
  8. Change the password to your password manager at least annually or whenever it has been compromised.
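Item 4 (12 characters or longer) and the earlier remark that an eight-card machine can exhaust an eight-character password in about a day both come down to keyspace arithmetic. The following added example (not from the article) works that arithmetic through for the two character sets used in the X-Force Red test and for several lengths. The cracking rate is an assumed figure for illustration, and the times are worst-case exhaustive-search times, not the measured results quoted above.

```python
"""Added example (not from the article): exhaustive-search cost versus
password length and character-set size. RATE is an assumed, illustrative
guess rate, not a measurement from the article's test."""

# Character-set sizes for the two sets the article's test allowed.
ARTICLE_SET = 26 + 26 + 10 + 13   # upper, lower, digits, ! @ # $ % ^ & * ( ) - + ?
FULL_PRINTABLE = 95               # all printable ASCII including space

RATE = 1e11                       # assumed: 100 billion NTLM guesses per second


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, rate: float = RATE) -> float:
    """Time to try every password of this length at the given guess rate."""
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Render seconds in the largest unit that fits, e.g. '18.4 hours'."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def cost_table(rate: float = RATE, lengths=(8, 10, 12),
               sizes=(ARTICLE_SET, FULL_PRINTABLE)):
    """Rows of (length, charset size, keyspace, worst-case duration)."""
    rows = []
    for n in lengths:
        for s in sizes:
            rows.append((n, s, keyspace(s, n),
                         human_duration(worst_case_seconds(s, n, rate))))
    return rows


if __name__ == "__main__":
    for length, size, space, duration in cost_table():
        print(f"len={length:2d} charset={size:2d} keyspace={space:.3g} "
              f"worst case={duration}")
```

Each extra character multiplies the search space by the charset size, so going from eight to twelve characters over the full printable set adds a factor of roughly 95^4, about 81 million, which turns hours into geological time at the same guess rate. Widening the charset, by contrast, only buys a constant factor (95/75 raised to the length), which matches the modest increase the test saw when the special-character set was enlarged.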

Let’s be honest: Nobody is going to remember 400-plus long passwords and their associated reset questions. Modern password managers have evolved and are very user-friendly. An alternative to a password manager would be writing passwords in a secured notebook and storing it in a safe, safety deposit box or other secure location. A password manager can be a local solution or one on the cloud. It could even be used on your mobile device. The bottom line is that you should find a solution that works for you and stick with it.

You should also enable multifactor authentication (MFA) wherever you can. Modern hardware tokens or mobile token apps are extremely easy to use, and there is no excuse in 2018 not to be using them when available. Ensure your token seeds are backed up in a secure location and that you have backup tokens or account recovery options.

Lastly, employers who are concerned that their employees are using weak eight-character passwords should consider hiring a penetration testing service to crack bad passwords so executives and employees can understand which credentials need to be strengthened.

Dustin Heywood

Senior Managing Consultant, IBM X-Force Red

EvilMog is a Senior Managing Consultant for X Force Red, IBM’s elite security testing team. EvilMog has over 12+...