“Password1” was the most common password in this year’s analysis.
The problem of passwords won’t go away. Weak or default passwords contributed to a third of the data compromises Trustwave investigated in 2013. IT administrators might try to elicit better password choices by enforcing password requirements, but users still find ways to satisfy those requirements without actually creating stronger passwords.
We set out to determine how easily we could crack a sample of 626,718 hashed passwords we collected during thousands of network penetration tests performed in 2013 and some performed in 2014. The majority of the sample came from Active Directory environments and included Windows LAN Manager (LM)- and NT LAN Manager (NTLM)-based password hashes. (Neither format is salted, and LM hashes are weaker still: the password is upper-cased and hashed as two independent seven-character halves.) We recovered more than half of the passwords within just the first few minutes, and we eventually cracked 576,533, almost 92 percent of the sample, within a period of 31 days. Below we describe the time and effort involved in our analysis and the length and complexity of the passwords we were able to crack, and we provide some general observations about those passwords’ predictability.
We used two machines to perform the cracking. We built the first for a total of $1,800 USD; it consisted of an Intel Core i7 Ivy Bridge Quad Core Processor, 16 gigabytes of RAM and two AMD Radeon 7970 graphics cards. The second machine included an AMD FX-8320 8 Core Processor, 16 gigabytes of RAM and four AMD Radeon 7970 graphics cards, with a total build cost of $2,700 USD. A graphics card’s graphics processing unit (GPU) runs thousands of simple cores in parallel, and hashing independent candidate passwords parallelizes perfectly, so a GPU can perform billions more hash calculations per second than a conventional central processing unit (CPU). An AMD Radeon 7970 graphics card that costs $350 USD can perform 17.3 billion NTLM hash calculations per second, compared with only 246 million NTLM hash calculations per second for an Intel Core i7-3770K CPU priced at $320 USD and overclocked by 700 MHz.
Misconceptions Surrounding Password Complexity & Length
Many general users and some IT administrators assume that mixing uppercase letters, lowercase letters, numbers and special characters is what makes a password secure. That practice does make a password harder for a human to guess, but it does far less against password-cracking tools than people expect: adding a character class only enlarges the alphabet the tool must try at each position, by a constant factor, whereas each additional character multiplies the entire search space by the size of that alphabet. Length, not complexity, is what dramatically increases the time an automated tool needs to recover a password. Worse, the complexity users add is itself predictable (a capital first letter, a digit or a year at the end), which is exactly what a cracking tool’s mangling rules try first.
As we did for this analysis, attackers typically run password-cracking tools against a collection of hashed passwords taken from a compromised system. The tool calculates the hash of each candidate password and compares it with the hashes in the collection; if it finds a match, a password is cracked. A brute-force attack enumerates every string of a given length and alphabet, while a dictionary attack draws its candidates from a word list, usually expanded with mangling rules (capitalize, append a digit or a year). Because LM and NTLM hashes are not salted, a single hash calculation tests a candidate against every account in the collection at once.
An automated tool can crack a completely random eight-character password including all four character types such as “N^a&$1nG” much faster than a 28-character passphrase including only upper- and lower-case letters like “GoodLuckGuessingThisPassword”. If for the purposes of this estimate we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU.
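The arithmetic behind those estimates, as an added example that is not part of the original article: the functions below infer which character classes a password uses, compute the worst-case keyspace an attacker who knows the length and the classes must search, and convert it to time at an assumed rate. The rate of 2.0 × 10^10 NTLM hashes per second for one R9 290X is a round figure assumed here, not a measurement; it reproduces the roughly four-day estimate for the eight-character password. It does not reproduce the 17.74-year figure for the passphrase: exhausting 52^28 candidates takes on the order of 10^30 years at any GPU rate, so a shorter estimate has to rest on a smarter attack (combining dictionary words, for instance) that the paragraph does not spell out. The block also goes one step beyond the text with a constructed twelve-character all-lowercase password, “bluemountain”, whose keyspace already exceeds that of the eight-character four-class one.

```python
import string

# Alphabet size of each character class; "special" covers the 32 ASCII punctuation
# characters plus space, so all four classes together are the 95 printable ASCII characters.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation) + 1}
SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed rate for one AMD R9 290X: a round 2.0e10 NTLM hashes per second, not a measurement.
R9_290X_NTLM_RATE = 2.0e10


def classes_used(password: str) -> set:
    """Character classes present in an ASCII password, as the article's examples use them."""
    found = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("special")
    return found


def keyspace(password: str) -> int:
    """Worst-case number of candidates for an attacker who knows the length and the classes
    used: (sum of class alphabet sizes) ** length. Complexity grows the base, length the exponent."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return alphabet ** len(password)


def worst_case_seconds(password: str, hashes_per_second: float) -> float:
    """Time to exhaust the keyspace at the given rate (the expected time is half of this)."""
    return keyspace(password) / hashes_per_second


def describe(password: str, hashes_per_second: float) -> str:
    secs = worst_case_seconds(password, hashes_per_second)
    size = keyspace(password)
    if secs < SECONDS_PER_YEAR:
        return f"{password!r}: {len(password)} chars, keyspace {size:.3g}, {secs / SECONDS_PER_DAY:.2f} days"
    return f"{password!r}: {len(password)} chars, keyspace {size:.3g}, {secs / SECONDS_PER_YEAR:.3g} years"


if __name__ == "__main__":
    # The article's two passwords, plus a constructed 12-character all-lowercase one for comparison.
    for pw in ("N^a&$1nG", "GoodLuckGuessingThisPassword", "bluemountain"):
        print(describe(pw, R9_290X_NTLM_RATE))
```

The comparison of “bluemountain” with “N^a&$1nG” is the whole argument in one line of output: four extra characters outweigh three extra character classes.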
Analysis & Statistics
To start, we executed a simple dictionary attack using an automated tool and a word list created from last year’s password study. Within just a few minutes, we recovered 53.97 percent of the passwords in the sample. Such a short cracking time using a word list from last year’s study shows that passwords were as predictable as ever. “Password1” was the password we came across most often in this year’s analysis.
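To make the attack described above concrete (the hash-and-compare loop, then the word-list pass that recovered half the sample in minutes), here is an added example that is not code from the original article or from Trustwave: a pure-Python MD4 (RFC 1320) so that NTLM hashes can be computed without OpenSSL’s legacy provider, a generator that expands a small word list with the mangling rules users’ habits make worthwhile, and a cracker that hashes each candidate once and checks it against every account. The account names, the word list and the hash list are constructed for the example; the digests for jsmith, tnguyen and mlee are the well-known NTLM hashes of “Password1” and “password”, rkhan’s is derived with ntlm() in the block, and svc_backup carries an arbitrary placeholder digest standing in for a strong password. A real engagement would use hashcat or John the Ripper, which do the same thing at GPU speed.

```python
import struct
from itertools import chain

MASK32 = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 as specified in RFC 1320, in pure Python so the example has no OpenSSL dependency."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & MASK32 & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = (
        (f, 0x00000000, tuple(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", bytes(msg[off:off + 64]))
        aa, bb, cc, dd = a, b, c, d
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                t = (aa + func(bb, cc, dd) + x[k] + const) & MASK32
                aa, bb, cc, dd = dd, _rotl(t, shifts[i % 4]), bb, cc
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def ntlm(password: str) -> str:
    """NTLM hash: MD4 over the UTF-16LE encoding of the password. No salt, no iteration."""
    return md4(password.encode("utf-16-le")).hex()


def candidates(wordlist, years=("2013", "2014")):
    """Dictionary attack with a few mangling rules: each word as-is, lower-cased and
    capitalized, then each of those with a digit, '123', '!' or a year appended."""
    for word in wordlist:
        for base in dict.fromkeys((word, word.lower(), word.capitalize())):
            yield base
            for suffix in chain("0123456789", ("123", "!"), years):
                yield base + suffix


def crack(hashes: dict, wordlist) -> dict:
    """hashes maps account -> NTLM hex digest. Returns account -> recovered password.
    NTLM is unsalted, so every candidate is hashed once and compared with all targets."""
    by_hash = {}
    for account, digest in hashes.items():
        by_hash.setdefault(digest.lower(), []).append(account)
    recovered = {}
    for guess in candidates(wordlist):
        for account in by_hash.get(ntlm(guess), ()):
            recovered.setdefault(account, guess)
    return recovered


# Constructed sample: five accounts and their NTLM digests. jsmith/tnguyen carry the well-known
# hash of "Password1", mlee that of "password"; svc_backup's digest is an arbitrary placeholder.
SAMPLE_HASHES = {
    "jsmith": "64f12cddaa88057e06a81b54e73b949b",
    "tnguyen": "64f12cddaa88057e06a81b54e73b949b",   # same password as jsmith: identical hash
    "mlee": "8846f7eaee8fb117ad06bdd830b7586c",
    "rkhan": ntlm("Welcome2014"),
    "svc_backup": "0123456789abcdef0123456789abcdef",
}
SAMPLE_WORDLIST = ["password", "welcome", "summer"]   # constructed, stands in for last year's list

if __name__ == "__main__":
    for account, pw in crack(SAMPLE_HASHES, SAMPLE_WORDLIST).items():
        print(f"{account}: {pw}")
```

Two things are worth noticing in the output: tnguyen and jsmith have identical digests because NTLM has no salt, so one computation recovers both accounts, and svc_backup survives not because the attack is weak but because the word list plus rules never generates its password.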
Top Ten Passwords
As we moved forward with our analysis, we found that password length followed the same pattern we discovered last year. The distribution peaked at eight characters because we collected our sample from business environments where policy typically mandates that minimum length, and users generally did not go above and beyond the minimum.
Distribution of Character Length of Cracked Passwords
The predictability of password choice also showed itself in the composition of cracked passwords. In both 2013 and 2014, combinations that included uppercase letters, lowercase letters and numbers were most common.
Composition in Terms of Character Type of Cracked Passwords
With an understanding of the character types and combinations typically used, we can see that even the order of those character types follows a predictable pattern. Six lowercase letters followed by two numbers led 2013’s study at 10 percent of cracked passwords, and the same sequence topped the list in this year’s analysis.
Composition and Sequence of Character Type in Cracked Passwords
Despite the best efforts of IT administrators, users find ways to meet complexity requirements while still choosing weak passwords. Active Directory’s complexity policy requires characters from three of five categories (lowercase letters, uppercase letters, numbers, special characters and other Unicode alphabetic characters); the minimum length is a separate setting, commonly set to eight characters. Unfortunately, “Password1” complies. So does, for example, the name of a user’s new baby, capitalized and followed by the year. Any cracking attempt therefore begins with the predictable keywords that many users select as the basis for their password.
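The composition, sequence and policy observations above can be reproduced on any set of cracked passwords with a few lines of analysis. The following is an added example, not code from the original study: the SAMPLE_CRACKED list is constructed to mirror the patterns reported (an eight-character peak, lower+upper+digit as the most common composition, six lowercase letters then two digits as the top sequence), and the figures it yields describe only that list. mask() emits hashcat-style masks (?l ?u ?d ?s), top_masks() shows which masks a mask attack would be pointed at first, and meets_ad_complexity() is a simplified approximation of Active Directory’s complexity rule combined with an assumed eight-character minimum; its account-name check and its Unicode category are deliberately coarse.

```python
import string
from collections import Counter

# Constructed sample of "cracked" passwords, shaped to mirror the patterns the article reports.
SAMPLE_CRACKED = [
    "summer13", "winter14", "monday01", "august99", "soccer22", "london12",
    "Welcome1", "Company2", "Trustme9", "Letmein1", "Password1",
    "Qwerty123", "Abc12345", "Changeme2014", "Nov2013", "Spring2014!",
    "P@ssw0rd", "password", "iloveyou", "baseball",
]

CLASS_NAMES = {"?l": "lower", "?u": "upper", "?d": "digit", "?s": "special"}


def char_class(ch: str) -> str:
    """hashcat mask symbol for one character: ?l lower, ?u upper, ?d digit, ?s anything else."""
    if ch in string.ascii_lowercase:
        return "?l"
    if ch in string.ascii_uppercase:
        return "?u"
    if ch in string.digits:
        return "?d"
    return "?s"


def mask(password: str) -> str:
    """Sequence of character classes, e.g. 'summer13' -> '?l?l?l?l?l?l?d?d'."""
    return "".join(char_class(c) for c in password)


def composition(password: str) -> str:
    """Unordered set of classes present, e.g. 'Password1' -> 'lower+upper+digit'."""
    present = {char_class(c) for c in password}
    return "+".join(CLASS_NAMES[m] for m in ("?l", "?u", "?d", "?s") if m in present)


def summarize(passwords):
    """Length, composition and mask distributions of a cracked set, as Counters."""
    return {
        "length": Counter(len(p) for p in passwords),
        "composition": Counter(composition(p) for p in passwords),
        "mask": Counter(mask(p) for p in passwords),
    }


def top_masks(passwords, k=5):
    """The k most common masks with their share of the sample: the order in which a
    mask attack (hashcat -a 3) would try them."""
    counts = Counter(mask(p) for p in passwords)
    return [(m, n / len(passwords)) for m, n in counts.most_common(k)]


def meets_ad_complexity(password: str, account_name: str = "", min_length: int = 8) -> bool:
    """Simplified approximation (assumed here) of Active Directory's 'password must meet
    complexity requirements' rule plus a separate minimum-length setting: at least min_length
    characters, account name not contained in the password, and characters from at least three
    of five categories: uppercase, lowercase, digit, non-alphanumeric, other (non-ASCII) alphabetic."""
    if len(password) < min_length:
        return False
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        return False
    categories = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c.isascii() and not c.isalnum() for c in password),
        any(c.isalpha() and not c.isascii() for c in password),
    )
    return sum(categories) >= 3


if __name__ == "__main__":
    stats = summarize(SAMPLE_CRACKED)
    print("most common length:", stats["length"].most_common(1))
    print("most common composition:", stats["composition"].most_common(1))
    for m, share in top_masks(SAMPLE_CRACKED, 3):
        print(f"{m:<28} {share:.0%}")
    for pw in ("Password1", "Emma2014", "password1", "GoodLuckGuessingThisPassword"):
        print(f"{pw!r} meets AD complexity: {meets_ad_complexity(pw)}")
```

Note what the check says about the passwords discussed on this page: “Password1” and the baby’s-name-plus-year pattern pass, while the 28-character “GoodLuckGuessingThisPassword” fails because it uses only two character categories. A complexity rule on its own therefore steers users toward short, predictable choices and away from long ones, which is why the policy recommendations below emphasize length and passphrases.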
Keyword Usage in Passwords
Weak or default passwords contributed to one third of the compromises Trustwave investigated. Therefore, annihilate weak passwords: implement and enforce strong authentication policies. Educate users on the value of choosing longer passphrases instead of simple, predictable, easy-to-crack passwords. Deploy two-factor authentication for employees who access the network; this forces users to verify their identity with something other than a username and password, such as a one-time code sent to the user’s mobile phone. Where an application stores its own password hashes, IT administrators and developers can hinder password-cracking attacks by using a salted, deliberately slow password hash: a unique, random piece of data (the salt) is combined with each password before the hash is calculated, so identical passwords produce different hashes and every candidate must be hashed separately for every account. That remedy is not available for Active Directory’s NTLM hashes, which are unsalted by design; there, longer minimum lengths, user education and two-factor authentication are the controls that count. Secure password storage combined with well-educated users and a properly designed policy for user password choice can play a vital role in helping prevent a breach.