While weak or default password use is not exactly breaking news, learning that over half of 626,718 hashed passwords could be cracked in a few minutes is food for thought. The passwords were collected during Trustwave pen tests of corporate environments in 2013 and part of 2014. Most of those came from “Active Directory environments and included Windows LAN Manager (LM)- and NT LAN Manager (NTLM)-based passwords.”
Active Directory’s password complexity policy requires a minimum of eight characters and three of the five character types (lowercase letters, uppercase letters, numbers, special and Unicode). Unfortunately, “Password1” complies. So does, for example, a user’s new baby’s name capitalized and followed by the year. Any attempt at cracking passwords will begin with a number of predictable keywords that many users select as the basis for their password.
Regarding keywords in passwords, people loved using the names of their kids and dogs: 12,042 passwords contained a top 100 baby boy name, 9,224 contained a top 100 dog name, and 8,035 contained a top 100 baby girl name. After 31 days, the researchers had cracked 576,533, nearly 92%, of the total 626,718 passwords.
Below are the top 10 passwords Trustwave cracked from corporate environments.
Mixing uppercase and lowercase letters with numbers and special characters won’t make a more secure password, according to Trustwave. It will make the password harder for humans to guess, but it’s not challenging for password-cracking tools. “Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.”
An automated tool can crack a completely random eight-character password including all four character types such as “N^a&$1nG” much faster than a 28-character passphrase including only upper- and lower-case letters like “GoodLuckGuessingThisPassword”. If for the purposes of this estimate we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU.
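The two points above (a policy-compliant password such as “Password1” is still keyword-based, and length matters far more than character mix) can be checked with a small script. The following is an added example, not code from the article or from Trustwave. It models the three-of-five Active Directory rule the article describes, a keyword check of the kind crackers start with, and a plain brute-force keyspace estimate. The guess rate of 2×10^10 NTLM hashes per second per GPU and the keyword list are assumptions made for the example; the keyspace model is deliberately simple and does not reproduce Trustwave’s exact 3.75-day and 17.74-year figures, only the relationship between them.

```python
import string
import unicodedata

# Size of each character class for the keyspace estimate. 33 = the printable
# ASCII characters that are neither letters nor digits (space included).
# The fifth AD class, "Unicode", has no single size and is left out of the model.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Constructed sample of the predictable keywords a cracking run starts with
# (an assumption for this example, not Trustwave's data).
COMMON_KEYWORDS = {"password", "hello", "welcome", "summer", "michael", "bella"}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_classes(pw):
    """Return the set of AD-style character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("special")
        elif unicodedata.category(ch).startswith("L"):
            classes.add("unicode")  # letters outside A-Z, e.g. CJK scripts
    return classes


def meets_ad_complexity(pw, min_length=8):
    """Minimum length plus three of the five classes, as the article describes.
    (Real AD also rejects passwords containing the account name; not modelled.)"""
    return len(pw) >= min_length and len(char_classes(pw)) >= 3


def keyword_based(pw, keywords=COMMON_KEYWORDS):
    """True when stripping digits and symbols leaves a known keyword,
    i.e. the password is a cosmetic variation of a predictable base word."""
    core = "".join(ch for ch in pw.lower() if ch.isalpha())
    return core in keywords


def keyspace(pw):
    """Candidates an attacker who knows the length and classes must try."""
    alphabet = sum(CLASS_SIZES.get(c, 0) for c in char_classes(pw))
    return alphabet ** len(pw)


def brute_force_years(pw, guesses_per_second):
    """Worst-case time to exhaust the keyspace at the given guess rate."""
    return keyspace(pw) / guesses_per_second / SECONDS_PER_YEAR


def report(pw, rate=2e10):
    """One-line summary: policy result, keyword result, brute-force estimate."""
    return (f"{pw!r}: complexity={'pass' if meets_ad_complexity(pw) else 'fail'}, "
            f"keyword_based={keyword_based(pw)}, "
            f"keyspace=2^{keyspace(pw).bit_length() - 1}, "
            f"years_at_{rate:.0e}/s={brute_force_years(pw, rate):.3g}")


if __name__ == "__main__":
    for candidate in ("Password1", "Hello123", "N^a&$1nG",
                      "GoodLuckGuessingThisPassword"):
        print(report(candidate))
```

Running the script shows why the policy alone is a weak filter: “Password1” and “Hello123” pass the three-of-five rule yet collapse to a keyword, while the 28-character letters-only passphrase has a keyspace many orders of magnitude larger than the eight-character “complex” string. A defender wiring something like `keyword_based` into a password filter catches the first problem; raising the minimum length addresses the second.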
Most hackers aren’t worried about getting caught
Password1, Hello123 and password don’t exactly require the skills of an uber hacker to crack, but even if they did, 86% of hackers aren’t worried about getting caught. IT security solution provider Thycotic surveyed 127 self-identified hackers during Black Hat.
Thycotic’s survey results included the following stats:
- 51% of the hackers are motivated by fun/thrill seeking.
- 29% claim to be motivated by social consciousness or a moral compass.
- Only 18% are motivated by financial gain.
- A whopping 99% believe that simplistic hacking tactics like phishing still work.
- 53% of hackers don’t think users have learned anything about avoiding such tactics.
- 88% of the hackers think their own information is at risk.
When asked which employee they would first target in order to gain login credentials for a particular company, 40% of the hackers polled said they would start with a contractor. 30% would first target IT administrators. 16% would start with a non-executive employee; 8% would choose an executive admin and 6% would begin by targeting an executive.
It's likely that at least one of those targets would use Password1 as their password, don't you imagine so?