A researcher at Microsoft has recently conducted an analysis of more than 25 million brute force attack attempts that were identified across Microsoft’s sensor network and found that most passwords were sufficiently complex to resist brute force attacks.
According to the analysis, more than three-fourths of the brute force attacks (77%) attempted passwords of between 1 and 7 characters, and only 6% of the attack attempts used passwords of 10 or more characters. The analysis also showed how important it is for businesses to enforce password complexity requirements. While 39% of brute force password attempts involved passwords with at least one number, only 7% of the attacks attempted passwords containing at least one special character. There were no brute force attempts that included white space, although many platforms do not permit the use of white space in passwords.
Microsoft has recently adopted passwordless authentication, although we are not yet at a stage where passwordless authentication has been widely adopted. For as long as passwords are required to secure accounts, it is important to ensure password policies are set to make passwords resilient to brute force attacks. To improve password security, password policies should require passwords of at least 10 characters. It is also important to cover passwords in security awareness training and to encourage the setting of passphrases rather than passwords, as long passwords are not necessarily more secure – 1234567890 – for example is 10 characters long but particularly poor. Longer passwords could also encourage password reuse or simple changes to existing passwords to make them longer – adding 123 to the end of a current password for example.
One technique that is now being encouraged is the use of three random words for creating passwords, as these passwords/passphrases are easier to remember. Arguably the best step that businesses can take is to make a password manager available to the workforce. Password managers have password generators that can be used to generate a long complex password, which will be unique for all accounts. Some password generators can also be configured to meet minimum complexity requirements. Most importantly, the passwords do not need to be remembered. All users need to remember is a single password or passphrase for their password vault. Those password vaults are encrypted and stored in the cloud, although some solutions – Bitwarden for example – allow password vaults to be stored locally.
It is also important to use multifactor authentication, so if a password should be compromised, another means of authentication must also be provided for the account to be accessed.