The twin dangers of high-powered password-cracking 'brute force' attack software and a lax approach to password security in many corporates mean that around 50 percent of US corporate passwords can now be cracked in a matter of minutes.
According to research from Trustwave - compiled over two years and analysing around 620,000 passwords harvested during pen testing - half of the passwords were cracked within "the first few minutes," with 92 percent being cracked within 31 days of intensive number crunching.
The majority of the samples harvested by the company came from Active Directory environments and included Windows LAN Manager- and NT LAN Manager-based passwords.
Trustwave's report on its research says that many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure.
"The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password," the analysis notes.
Interestingly, the research says, an automated tool can crack a completely random eight-character password including all four character types, such as "N^a&$1nG", much faster than a 28-character pass-phrase including only upper- and lower-case letters, like "GoodLuckGuessingThisPassword".
"If, for the purposes of this estimate, we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU," says the research.
Trustwave goes on to say that, despite the best efforts of IT administrators, users find methods to meet complexity requirements whilst still creating weak passwords.
Active Directory's password complexity policy, it notes, requires a minimum of eight characters and three of the five character types (lowercase letters, uppercase letters, numbers, special and Unicode).
"Unfortunately, 'Password1' complies. So does, for example, a user's new baby's name capitalised and followed by the year. Any attempt at cracking passwords will begin with a number of predictable keywords that many users select as the basis for their password," the research concludes.
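As an added illustration (not part of the article or of Trustwave's report) of why 'Password1' satisfies the Active Directory rule while the 28-character pass-phrase does not, and of how little extra character classes add to the search space compared with length, here is a small Python policy audit. The category sizes, the guess rate and the keyword list are assumptions, not figures from the report.

```python
import string
# Active Directory's rule as the article describes it: at least 8 characters
# from at least three of five categories (lower, upper, digits, special,
# Unicode). Category sizes are an assumption: the 95 printable ASCII
# characters split 26+26+10+33; Unicode gets no size for this estimate.
AD_MIN_LENGTH, AD_MIN_CATEGORIES = 8, 3
CATEGORY_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33, "unicode": 0}
# Constructed stand-in for the "predictable keywords" a cracker tries first.
PREDICTABLE_BASES = {"password", "welcome", "summer", "company"}
# Assumed guess rate for a fast unsalted hash on one GPU; a constructed
# figure, not the article's R290X benchmark.
ASSUMED_GUESSES_PER_SECOND = 1e10

def char_categories(pw):
    """Return the set of AD character categories present in pw."""
    cats = set()
    for ch in pw:
        if ch in string.ascii_lowercase:
            cats.add("lower")
        elif ch in string.ascii_uppercase:
            cats.add("upper")
        elif ch in string.digits:
            cats.add("digit")
        elif ord(ch) > 127:
            cats.add("unicode")
        else:
            cats.add("special")
    return cats

def meets_ad_complexity(pw):
    """True when pw passes the minimum length and the three-of-five rule."""
    return len(pw) >= AD_MIN_LENGTH and len(char_categories(pw)) >= AD_MIN_CATEGORIES

def is_predictable(pw):
    """Flag 'keyword, capitalised, then digits or symbols' such as Password1."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core in PREDICTABLE_BASES

def brute_force_keyspace(pw):
    """Candidates when the attacker knows length and categories (the article's assumption)."""
    alphabet = sum(CATEGORY_SIZES[c] for c in char_categories(pw))
    return alphabet ** len(pw)

def years_to_exhaust(pw, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to try the whole keyspace at the given guess rate."""
    return brute_force_keyspace(pw) / rate / (365 * 24 * 3600)

if __name__ == "__main__":
    for pw in ["Password1", "N^a&$1nG", "GoodLuckGuessingThisPassword"]:
        print(pw, meets_ad_complexity(pw), is_predictable(pw),
              brute_force_keyspace(pw), round(years_to_exhaust(pw), 4))
```

Run on the three passwords from the article, it shows the pass-phrase would be rejected by the default complexity rule despite a brute-force search space some 32 orders of magnitude larger than that of the eight-character password.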
The solution to these password issues, says Trustwave, is to educate users on the value of choosing longer pass-phrases instead of simple, predictable, easy-to-crack passwords, as well as deploying two-factor authentication for employees who access the network.
"This forces users to verify their identity with information other than simply their username and password, like a unique code sent to a user's mobile phone. IT administrators can do their part to hinder password-cracking attacks by using unique, random salts when hashing stored passwords, whereby a unique, random piece of data is combined with each password before the hash is calculated. Secure password storage combined with well-educated users and a properly designed policy for user password choice can play a vital role in helping prevent a breach," the research notes.
Commenting on the analysis, Daljit Paul, head of services at Networks First, the managed IT services specialist, said that network security breaches can be the result of quite simple administrative errors, for example having standard passwords for all network devices, or simple variations.
"Not changing network device passwords on a regular basis also leaves organisations exposed. To ensure security governance, passwords on networking devices should be changed every time a member of staff with access to the networking devices leaves, but in reality how many organisations adhere to this policy?" he said.
Paul went on to say that, due to the invisible nature of the network and the administration overhead of changing the passwords, the task is often forgotten about, increasing the security risk.
We are, he said, seeing more organisations add password management to their managed service to mitigate this. And because of this, he argues that organisations must continue to give the attention required to ensure passwords are as complex and uncompromising as possible on an ongoing basis.
Adrian Davis, European managing director of ISC(2), the non-profit IT security association, said that the research shows that the message about security has still not got through to users.
"If I use my iPhone, or use my card in an ATM, I still use a four-digit PIN," he said, adding that, against this backdrop, it is hardly surprising that users are not that worried about security on the desktop, and are starting to switch off when the subject is raised.
The solution, he told SCMagazineUK.com, is to get away from using passwords on their own, although he concedes that adding technologies such as security tokens can be expensive for smaller businesses, and there are also technical issues such as battery life to consider.
"The key issue is awareness. People need to make that essential connection as to why they need security," he explained.
Davis says that security admins need to be more creative when it comes to developing security systems, using technologies such as, for example, staff ID badges, that can act as a security token as well.
"The bottom line here is not to force the end user through a series of technology hoops. You can't expect the end user to be a security expert," he concluded.