New Report Exposes the Prevalence of Lame Passwords

Password1 is the most common password in this year's analysis

The security company Trustwave has released its annual report on password security. The company says weak or default passwords contributed to a third of all data compromises they investigated in 2013, and the 2014 Business Password Analysis is an attempt to raise awareness about problems with password security.
Trustwave analysts performed the study by cracking a sample of the 626,718 passwords they uncovered through their network penetration testing services in the past year. According to the report, the majority of the sample came from Active Directory environments, but the problem of faulty passwords appears to cross all platforms and geographical boundaries.
Over half the passwords were cracked in "the first few minutes," and 92% were uncovered over the course of 31 days using two PCs equipped with Radeon 7970 GPUs.
The most common password in this year's study was "Password1," which, as the authors point out, meets the default Active Directory complexity requirement of eight characters drawn from three of the five character types (lowercase, uppercase, numbers, special, and Unicode). According to the report, password length is the best protection against cracking and is far more important than choosing random characters or a diversified character set: "An automated tool can crack a completely random eight-character password including four character types such as 'N^a&$1nG' much faster than a 28-character passphrase including only upper- and lowercase letters like 'GoodLuckGuessingThisPassword.'" The use of seemingly personal but highly predictable terms was also a problem: 2.09% of the passwords contained one of the 100 top baby boy names and 1.6% contained one of the top dog names.
The report recommends using long passphrases and two-factor authentication to keep intruders away. The authors challenge IT professionals to educate their users and enforce sensible password policies within their organizations.
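The two points above (a password can satisfy the default complexity rule and still be the most common one in the sample, and length dominates character diversity) can be made concrete with a small checker. The following is an added example, not code from Trustwave or the report: it approximates the Active Directory rule described above, estimates the brute-force search space in bits for the three passwords the article names, and looks each up in a constructed stand-in for a common-password list. The class table, alphabet sizes, the blocklist contents and the guess rate of 10^11 per second are this example's assumptions.

```python
import math
import string

# Character classes approximating the default Active Directory complexity rule the
# article describes (eight characters, three of five classes). The table and the
# alphabet sizes below are assumptions of this example, not figures from the report.
CLASS_CHARS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation + " "),
}
ALPHABET_SIZE = {"lower": 26, "upper": 26, "digit": 10, "special": 33}

# Constructed stand-in for a common-password list; the report names only its top
# entry, "Password1", so the remaining entries are illustrative.
COMMON_PASSWORDS = {"password1", "password", "123456", "welcome1", "summer2014"}


def char_classes(pw):
    """Return the set of character classes present in pw.
    Non-ASCII characters count as the 'unicode' class for the policy check."""
    present = {name for name, chars in CLASS_CHARS.items() if any(c in chars for c in pw)}
    if any(ord(c) > 127 for c in pw):
        present.add("unicode")
    return present


def meets_ad_complexity(pw, min_len=8, min_classes=3):
    """The default rule as the article states it: >= 8 chars from >= 3 of 5 classes."""
    return len(pw) >= min_len and len(char_classes(pw)) >= min_classes


def keyspace_bits(pw):
    """Worst-case brute-force search space in bits, assuming the attacker knows which
    ASCII classes are in use and tries every string over that alphabet. Unicode is
    excluded from the estimate because its alphabet size depends on the attacker."""
    alphabet = sum(ALPHABET_SIZE[c] for c in char_classes(pw) if c in ALPHABET_SIZE)
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def brute_force_years(pw, guesses_per_second):
    """Time to exhaust the search space at the given guess rate, in years."""
    return 2 ** keyspace_bits(pw) / guesses_per_second / (365 * 24 * 3600)


def in_blocklist(pw):
    """Case-insensitive lookup against the constructed common-password list."""
    return pw.lower() in COMMON_PASSWORDS


def assess(pw, guesses_per_second=10**11):
    """Combine the policy check, blocklist lookup and keyspace estimate for one password."""
    return {
        "policy_ok": meets_ad_complexity(pw),
        "blocklisted": in_blocklist(pw),
        "bits": round(keyspace_bits(pw), 1),
        "years": brute_force_years(pw, guesses_per_second),
    }


if __name__ == "__main__":
    for pw in ("Password1", "N^a&$1nG", "GoodLuckGuessingThisPassword"):
        r = assess(pw)
        print(f"{pw:30} policy_ok={r['policy_ok']!s:5} blocklisted={r['blocklisted']!s:5} "
              f"bits={r['bits']:6.1f} brute_force_years={r['years']:.3g}")
```

Running it shows the article's point from both sides: "Password1" passes the complexity rule yet is the first entry any attacker tries, the eight-character random string and "Password1" both sit near 53 bits, and the 28-letter passphrase is around 160 bits despite failing the three-of-five rule because it uses only two character classes. A policy that enforces length and rejects known-common passwords would reject the first and accept the last.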

08/19/2014
