The twin dangers of high-powered password-crunching 'brute force' attack software, combined with a lax approach to password security in many corporates, mean that around 50 percent of US corporate passwords can now be cracked in a matter of minutes.
According to research from Trustwave - compiled over two years and analysing around 620,000 passwords harvested during pen testing - half of the passwords were cracked within "the first few minutes," with 92 percent being cracked within 31 days of intensive number crunching.
The majority of the samples harvested by the company came from Active Directory environments and included Windows LAN Manager- and NT LAN Manager-based passwords.
Trustwave's report on its research says that many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure.
"The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password," the analysis notes.
Interestingly, an automated tool, says the research, can crack a completely random eight-character password including all four character types such as "N^a&$1nG" much faster than a 28-character pass-phrase including only upper- and lower-case letters like "GoodLuckGuessingThisPassword".
"If, for the purposes of this estimate, we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU," says the research.
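The length-versus-complexity point above can be made concrete with a keyspace calculation. The following is an added example, not Trustwave's code or method: it assumes, as the report's estimate does, that the attacker knows the password's length and which character classes it uses, sizes those classes as printable ASCII (95 characters in total), and uses an assumed rate of ten billion guesses per second for a pure brute-force search. Because the model and rate are assumptions, its figures will not match the 3.75 days and 17.74 years quoted by the research; what it shows is how many orders of magnitude the extra length is worth.

```python
import string

# Character-class sizes assumed for this example (printable ASCII, 95 total).
# These are assumptions for the calculation, not figures from the Trustwave report.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Assumed guessing speed for the estimate. A single GPU against a fast,
# unsalted hash such as NTLM reaches billions of guesses per second; the exact
# figure depends on hardware and hash type, so this is a placeholder value.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def classes_used(password):
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation or ch == " ":
            classes.add("special")
    return classes


def keyspace(password):
    """Candidates an attacker must try when the length and classes are known."""
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return alphabet ** len(password)


def worst_case_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Time to exhaust the whole keyspace at the assumed rate (worst case)."""
    return keyspace(password) / rate


def humanize(seconds):
    """Express a duration in the largest sensible unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.2f} seconds"


def keyspace_ratio(shorter, longer):
    """How many times larger the longer password's keyspace is."""
    return keyspace(longer) / keyspace(shorter)


if __name__ == "__main__":
    # The two passwords compared in the article.
    for pw in ("N^a&$1nG", "GoodLuckGuessingThisPassword"):
        print(f"{pw!r}: classes={sorted(classes_used(pw))} "
              f"keyspace={keyspace(pw):.3e} "
              f"worst case={humanize(worst_case_seconds(pw))}")
    print("keyspace ratio:", f"{keyspace_ratio('N^a&$1nG', 'GoodLuckGuessingThisPassword'):.3e}")
```

The eight-character password draws on all four classes but has only 95^8 candidates, which a GPU-class rate exhausts in days; the 28-character passphrase, despite using only 52 symbols, has 52^28 candidates, some 32 orders of magnitude more. Raising the guess rate by any realistic factor does not close that gap, which is the reason the report says only length "dramatically affects" cracking time.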
Trustwave goes on to say that, despite the best efforts of IT administrators, users find methods to meet complexity requirements whilst still creating weak passwords.
Active Directory's password complexity policy, it notes, requires a minimum of eight characters and three of the five character types (lowercase letters, uppercase letters, numbers, special and Unicode).
"Unfortunately, 'Password1' complies. So does, for example, a user's new baby's name capitalised and followed by the year. Any attempt at cracking passwords will begin with a number of predictable keywords that many users select as the basis for their password," the research concludes.
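To see why the policy admits such passwords, the following added example (not Trustwave's code, and not Microsoft's implementation of the policy) encodes the Active Directory rule exactly as the article states it, minimum eight characters and three of the five character types, and adds the audit check a defender would want alongside it: a flag for the "capitalised keyword followed by digits" shape the research says cracking attempts start with. The word and name lists are tiny constructed samples; a real audit would use full wordlists. Treating any non-ASCII character as the "Unicode" type is an assumption of this example.

```python
import re
import string

# Constructed sample lists for this example; a real audit would use large
# dictionary and first-name lists rather than these few entries.
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "football"}
COMMON_NAMES = {"emma", "olivia", "liam", "noah"}

# Active Directory's rule as the article describes it.
MIN_LENGTH = 8
MIN_TYPES = 3


def character_types(password):
    """Classify each character into one of the five AD character types."""
    types = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            types.add("lower")
        elif ch in string.ascii_uppercase:
            types.add("upper")
        elif ch in string.digits:
            types.add("digit")
        elif ch in string.punctuation or ch == " ":
            types.add("special")
        elif ord(ch) > 127:
            # Assumption: any non-ASCII character counts as the Unicode type.
            types.add("unicode")
    return types


def meets_ad_complexity(password):
    """True if the password satisfies the stated length and three-of-five rule."""
    return len(password) >= MIN_LENGTH and len(character_types(password)) >= MIN_TYPES


# A run of letters, one to four digits (a counter or a year), optional trailing
# punctuation: the predictable shape the research warns about.
KEYWORD_DIGITS = re.compile(r"^([A-Za-z]+)(\d{1,4})[!@#$%^&*.]*$")


def predictable_keyword(password):
    """Return the dictionary word or name the password is built on, or None."""
    match = KEYWORD_DIGITS.match(password)
    if not match:
        return None
    word = match.group(1).lower()
    if word in COMMON_WORDS or word in COMMON_NAMES:
        return word
    return None


def audit(password):
    """Combine the policy check with the predictable-pattern check."""
    return {
        "complies": meets_ad_complexity(password),
        "types": sorted(character_types(password)),
        "predictable_keyword": predictable_keyword(password),
    }


if __name__ == "__main__":
    # "Emma2014" is a constructed stand-in for the capitalised-name-plus-year case.
    for pw in ("Password1", "Emma2014", "GoodLuckGuessingThisPassword", "Pass1"):
        print(f"{pw!r}: {audit(pw)}")
```

Run as-is, the audit reports that "Password1" and the constructed "Emma2014" both comply with the policy yet are built on a predictable keyword, while the 28-character passphrase from the article fails the policy outright because it uses only two character types. That inversion is the practical lesson: a three-of-five rule alone measures the wrong property, and a length minimum with a check against known keywords is the stronger control.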