Poor security practices are commonly exploited by threat actors, and one of those practices that stands out is the exploitation of weak credentials. A password is often all that stands between a cyber threat actor and sensitive business data. If that password is chosen poorly, or heaven forbid is a default password that has not been changed, a hacker’s life is made so much easier. With the processing power of modern GPUs, weak passwords can be guessed rapidly, from a fraction of a second to a few seconds in many cases.
Digital Shadows is raising awareness of the problem. In a 2020 report, the Digital Shadows Photon Research team presented research showing that more than 15 billion credentials were in circulation, highlighting the extent of the credential theft problem. Those credentials had been compromised in more than 100,000 data breaches. An analysis of those compromised passwords revealed that 5 billion were unique, with no repeated credential pairs, which suggests they were not duplicates appearing across different breach databases. In this year’s analysis – presented in the report, Account Takeover in 2022 – the number of circulating credentials had increased by 65% to 24 billion and the number of unique credentials had increased to 6.7 billion – 1.7 billion more than two years ago. The market for selling those credentials is robust and sophisticated, and there are even subscription options providing those credentials to threat actors.
Brute forcing passwords has never been easier for hackers, and the continued use of incredibly weak passwords makes their job easier still. Even when the very weakest passwords are avoided, most weak passwords do not take long to crack. Brute force password cracking tools are readily available for next to nothing, at an average price of around $4, and they automate the process of trying different credentials against accounts.
To investigate how long it takes to crack a password, the Digital Shadows team used the zxcvbn password strength meter and ran the tool against the 50 most commonly found passwords in the data set of 6.7 million passwords.
As is to be expected, the list of credentials included some absolute howlers, the top 10 being:
Passwords that were rated weak could be cracked almost instantly in the majority of cases – 49 out of 50 – but if simple changes are made to these weak passwords, they become much harder to crack, even with password cracking tools. Adding just one or two special characters to a password can make a huge difference to how long it takes to guess it.
For example, in simulations, the relatively weak password London1984 took 36,800 brute force attempts, which may seem a lot, but if the attack was conducted offline and the attacker had the stored password hashes, cracking it would take a fraction of a second with a fast hash or 3 seconds with a slow hash. If conducted online with no throttling it would take a little over an hour (1:01:20), and with online throttling, 15 days and 8 hours.
Add in one extra special character London_1984 and it would take 53,610,000 brute force attempts. The offline fast hash was still less than a second, the offline slow hash was 1:29:21, online with no throttling was 62 days, 1:10:00, and online with throttling would take 22,337 days and 12 hours.
Change the password to @London_1984 and the offline fast hash was the same, offline slow hash was 2 days, 3 hours, and 54 seconds, with a major increase in the time taken online. With no throttling it would take over 2,162 days and online with throttling would take over 778,666 days. It is clear from the research that adding complexity really does greatly improve password security.
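The scenario times quoted above follow directly from the guess count once a per-scenario guess rate is assumed. The following added example (not Digital Shadows' or zxcvbn's own code) applies zxcvbn's four published scenario rates to the guess counts the article gives for London1984 and London_1984 and reproduces the quoted times; the guess counts themselves come from zxcvbn's pattern matching, which is not reproduced here.

```python
"""Crack-time estimates from a guess count, using the four attacker
scenarios and guess rates that zxcvbn reports: throttled online
(100 guesses/hour), unthrottled online (10/s), offline slow hashing
(bcrypt/scrypt/PBKDF2 class, 1e4/s) and offline fast hashing
(MD5/SHA-1 class, 1e10/s).

Guess counts below are the ones quoted in the article for London1984
(36,800) and London_1984 (53,610,000).
"""

# Guesses per second for each scenario (zxcvbn's scenario rates).
SCENARIO_RATES = {
    "online_throttling_100_per_hour": 100 / 3600,
    "online_no_throttling_10_per_second": 10.0,
    "offline_slow_hashing_1e4_per_second": 1e4,
    "offline_fast_hashing_1e10_per_second": 1e10,
}


def crack_times_seconds(guesses: float) -> dict:
    """Seconds needed to make `guesses` attempts under each scenario."""
    return {name: guesses / rate for name, rate in SCENARIO_RATES.items()}


def format_duration(seconds: float) -> str:
    """Render seconds as 'Nd H:MM:SS' (days omitted when zero), the way
    the article quotes results, e.g. 3680 s -> '1:01:20'. Sub-second
    values (the offline fast-hash case) are shown in seconds."""
    if seconds < 1:
        return f"{seconds:.2g} s"
    whole = int(round(seconds))
    days, rem = divmod(whole, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours}:{minutes:02d}:{secs:02d}"
    return f"{days}d {hms}" if days else hms


if __name__ == "__main__":
    for password, guesses in (("London1984", 36_800), ("London_1984", 53_610_000)):
        print(f"{password}: {guesses:,} guesses")
        for scenario, secs in crack_times_seconds(guesses).items():
            print(f"  {scenario:38s} {format_duration(secs)}")
```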
Until passwordless authentication replaces passwords, there are easy steps to take to improve security. Digital Shadows recommends:
- Setting a complex password – Over 12 characters including numbers, letters, and special characters
- Using a password manager – These allow complex passwords to be generated that meet complexity requirements and the passwords do not have to be remembered. They can also generate alerts if passwords have been breached
- Setting up multifactor authentication – If credentials are guessed or obtained, a second form of authentication is required before account access is granted
- Never reusing passwords on multiple platforms – It is a recipe for disaster
- Never using corporate email accounts for personal services – It makes brute forcing corporate accounts so much easier in the event of a data breach at a company where the corporate email account has been used.