New Report Exposes the Prevalence of Lame Passwords
The security company Trustwave has released its annual report on password security. The company says weak or default passwords contributed to a third of all data compromises they investigated in 2013, and the 2014 Business Password Analysis is an attempt to raise awareness about problems with password security.
Trustwave analysts performed the study by cracking a sample of the 626,718 passwords they uncovered through their network penetration testing services in the past year. According to the report, the majority of the sample came from Active Directory environments, but the problem of faulty passwords appears to cross all platforms and geographical boundaries.
Over half the passwords were cracked in "the first few minutes," and 92% were uncovered over the course of 31 days using two PCs equipped with Radeon 7970 GPUs.
The most common password in this year's study was "Password1," which, as the authors point out, meets the default Active Directory complexity requirement of eight characters with three of the five character types (lowercase, uppercase, numbers, special, and Unicode). According to the report, password length is the best protection against cracking and is far more important than choosing random characters or a diversified character set. "An automated tool can crack a completely random eight-character password including four character types such as 'N^a&$1nG' much faster than a 28-character passphrase including only upper- and lowercase letters like 'GoodLuckGuessingThisPassword.'" The use of seemingly personal but highly predictable terms was also a problem. Over 2.09% of the passwords contained one of the 100 top baby boy names and 1.6% contained one of the top dog names.
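The contrast the report draws can be made concrete with a small policy checker. The following is an added example, not code from Trustwave or the report: it applies the default Active Directory rule described above (eight characters, three of five classes), estimates the brute-force keyspace from length and class mix, and checks a blocklist for predictable content. The guess rate of 1e10 per second, the ASCII pool sizes, and the blocklist entries are assumptions constructed for illustration, not figures from the report.

```python
"""Added example: AD-style complexity rule vs. brute-force keyspace vs. blocklist."""
import math


def character_classes(pw: str) -> set:
    """Return the character classes present, using the five classes the
    default Active Directory complexity rule counts (as described in the article)."""
    classes = set()
    for c in pw:
        if not c.isascii():
            classes.add("unicode")
        elif c.islower():
            classes.add("lower")
        elif c.isupper():
            classes.add("upper")
        elif c.isdigit():
            classes.add("digit")
        elif c.isprintable():
            classes.add("special")
    return classes


def meets_ad_complexity(pw: str, min_length: int = 8) -> bool:
    """Default AD rule: at least min_length characters from at least three classes."""
    return len(pw) >= min_length and len(character_classes(pw)) >= 3


# Alphabet size per ASCII class (95 printable ASCII = 26 + 26 + 10 + 33, space
# counted as special). Non-ASCII characters are not sized here because their
# pool depends on the input method, so the estimate is a lower bound for them.
POOL_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 33}


def keyspace_bits(pw: str) -> float:
    """log2 of the brute-force keyspace for this length and class mix."""
    pool = sum(POOL_SIZE.get(name, 0) for name in character_classes(pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Days needed to try every candidate in a keyspace of 2**bits at a given rate."""
    return 2 ** bits / guesses_per_second / 86400


# Constructed blocklist standing in for a breach-derived common-password list
# and for the baby-name and dog-name terms the report mentions. Illustrative only.
COMMON_PASSWORDS = {"password", "password1", "123456", "welcome1"}
NAME_TOKENS = ("liam", "noah", "max", "bella")


def is_predictable(pw: str) -> bool:
    """Exact match against common passwords, or a known name embedded anywhere."""
    lowered = pw.lower()
    return lowered in COMMON_PASSWORDS or any(tok in lowered for tok in NAME_TOKENS)


def assess(pw: str, guesses_per_second: float = 1e10) -> dict:
    """Combine the three checks; guesses_per_second is an assumed cracking rate."""
    bits = keyspace_bits(pw)
    return {
        "meets_ad_complexity": meets_ad_complexity(pw),
        "keyspace_bits": round(bits, 1),
        "brute_force_days": days_to_exhaust(bits, guesses_per_second),
        "predictable": is_predictable(pw),
    }


if __name__ == "__main__":
    for candidate in ("Password1", "N^a&$1nG", "GoodLuckGuessingThisPassword"):
        print(candidate, assess(candidate))
```

Running it shows why the report favours length over complexity rules: "Password1" satisfies the AD rule yet is on any common-password list, while the 28-character passphrase fails the three-class rule even though its brute-force keyspace is over a hundred bits larger than the random eight-character string.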
The report recommends using long passphrases and two-factor authentication to keep intruders away. The authors challenge IT professionals to educate their users and enforce sensible password policies within their organizations.