October 4, 2018 By Dustin Heywood 4 min read

October is National Cyber Security Awareness Month (NCSAM), which means it’s time to talk about passwords for the umpteenth time. Why beat this dead horse again? Because just about everyone still uses passwords, and even the most recent password security recommendations do not make them any stronger.

This year’s guidance settled on eight characters as the minimum, but how many people actually think an eight-character password is sufficiently secure? Most likely use one simply because they have been told that eight characters are stronger than six.

Sorry to be the bearer of bad news, but the truth is that eight characters are not enough.

Do You Know Where Your Password Has Been?

When passwords are stored properly, they are not stored in plain text. They are transformed with a one-way function called a hash, which in theory cannot be reversed to recover the password. The NTLM hash of “hashcat,” for example, is “b4b9b02e6f09a9bd760f388b67351e2b.” When you log in to a website, you never know how your password is stored on the back end, whether in a database or a text file, or whether anything has been done to protect it.

Leaked or hacked password databases are called dumps. Threat actors steal the contents of these databases and use them to get into other systems, or trade their dumps with other actors for more dumps and leaks. A dump can include your name, email address, hashed password, plain text password (if the site was sloppy) and the answers to your password reset questions. Just about every Windows computer has a local database (the SAM) of the users able to log in to the machine, including a hash of each password. Most corporate networks have a larger central database, Active Directory, that holds the same kind of information for every domain account.

Unfortunately, Windows still relies on NTLM, an unsalted MD4 hash of the password, a function that was already considered broken in the late ’90s and, more importantly for cracking, is extremely cheap to compute. Because there is no salt, each guess is hashed once and compared against every hash in the dump at the same time. As a result, threat actors, information security professionals and hobbyists now crack passwords for both fun and profit: they take billions of candidate passwords, hash each one and compare the results against the hashes in the database. Every match yields a plain text password and its hash, which are stored for future use.

This process is possible because graphics processing units (GPUs) can be used for general computation, and hashing billions of independent candidates is exactly the kind of parallel work they excel at. A multi-GPU rig can test hundreds of billions of NTLM candidates every second. There are 95 printable ASCII characters, so there are 95^8, or roughly 6.6 × 10^15, possible eight-character passwords; at 100 billion guesses per second that entire keyspace is exhausted in under 24 hours. In other words, a very expensive machine with eight video cards can crack any eight-character password in about a day, assuming the attacker can obtain the hash, whether through malware, by compromising the network or system that holds it, or by sending malicious documents.

Why Your Eight-Character Password Is Not as Strong as You Think

X-Force Red, IBM Security’s team of veteran hackers, recently partnered with IBM Cloud to see how fast they could crack an eight-character password. We put together a demonstration using 80 GPUs, a fraction of the computing power available to the average botnet. Individuals were invited to register on a website that requested a name, email address and password. Each password was hashed in the NT LAN Manager (NTLM) format, the same unsalted format Windows uses, and the hashes were then distributed to the GPUs and cracked with hashcat, the open source password recovery tool.

Every password was cracked: the fastest in 30 seconds, the slowest in nine minutes, with the average around three minutes. These passwords were drawn from uppercase and lowercase letters, digits and a limited set of special characters (! @ # $ % ^ & * ( ) - + ?), a 76-character alphabet.

When the allowed special characters were expanded to the full set of printable ASCII punctuation, «space» ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` { | } ~, for a 95-character alphabet, the times increased to a maximum of an hour and a half and an average of 45 minutes.

In the real world, attackers would then try the recovered username and password combinations against other sites (credential stuffing) and check existing dumps for patterns of reuse.

How to Truly Strengthen Your Password Security

While these findings are alarming, there are several simple actions users can take to truly strengthen their password security:

  1. Ensure that all the passwords you use across websites are unique. This is the first and most important step you should take.
  2. Use a password manager to track and change passwords between sites and systems.
  3. Use fake information for password reset questions and birthdates and ensure this is stored in your password manager.
  4. Use passwords that are 12 characters or longer. Since most of us can remember an eight-character password, why not join two of them? At a minimum, use a password of this length for your password manager itself.
  5. Change your passwords at least annually, but preferably quarterly, and absolutely after any notification of a breach.
  6. Back up your passwords. Keep an off-site hard copy that is protected in case a cloud service fails.
  7. Ensure that all passwords in your password manager are randomly generated (most password managers include this functionality).
  8. Change the password to your password manager at least annually or whenever it has been compromised.
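Items 4 and 7 above come down to two things: length and genuine randomness. The following is an added example, not code from the article or from any particular password manager, showing how a generator should draw from a cryptographically secure source (`secrets`, never `random`) and how much entropy each added character buys. The 12-character floor and the 94-character alphabet are assumptions chosen to match the advice in the list.

```python
import math
import secrets
import string

# Printable ASCII minus the space: the 94 characters nearly every password field accepts.
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12  # the floor recommended above (assumption for this example)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    An eight-character password over 94 symbols is only about 52 bits."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character with a CSPRNG. secrets.choice avoids modulo bias and
    cannot be replayed from a guessable seed the way random.choice can."""
    if length < MIN_LENGTH:
        raise ValueError(f"use at least {MIN_LENGTH} characters; 8 falls in hours")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def is_uniform_over(password: str, alphabet: str) -> bool:
    """Sanity check that a generated password only uses the intended alphabet."""
    return len(password) > 0 and all(ch in alphabet for ch in password)


def bits_gained(from_length: int, to_length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """How much harder the brute-force keyspace gets when lengthening a password."""
    return entropy_bits(to_length, alphabet_size) - entropy_bits(from_length, alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, is_uniform_over(pw, ALPHABET))
    for n in (8, 12, 16):
        print(n, "chars ->", round(entropy_bits(n, len(ALPHABET)), 1), "bits")
```

Going from 8 to 12 characters adds roughly 26 bits, which multiplies the brute-force keyspace by about 78 million; that is why the 24-hour figure for eight characters does not carry over to twelve.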

Let’s be honest: nobody is going to remember 400-plus long passwords and their associated reset questions. Modern password managers have evolved and are very user-friendly. An alternative to a password manager is writing passwords in a notebook kept in a safe, safety deposit box or other secure location. A password manager can be a local application or a cloud service, and it can run on your mobile device. The bottom line is that you should find a solution that works for you and stick with it.

You should also enable multifactor authentication (MFA) wherever you can. Modern hardware tokens and mobile authenticator apps are extremely easy to use, and there is no excuse in 2018 not to use them when available. Ensure your token seeds are backed up in a secure location and that you have backup tokens or account recovery options in place.

Lastly, employers who are concerned that their employees are using weak eight-character passwords should consider hiring a penetration testing service to crack bad passwords so executives and employees can understand which credentials need to be strengthened.
