For $62.59, the 8 Character Password is Still Dead
This blog post was authored by Tom Stewart, Senior Director, Security and Privacy on The Technology Insights Blog.
Five years ago, we wrote a post called “The 8 Character Password is Dead,” which was an in-depth look at password cracking in 2017 and how eight-character passwords do not adequately protect organisations.
In that analysis, we broke down the math and how quickly hardware purchased for under $5,000 could make an eight-character length irrelevant. Unfortunately, in just five years’ time, the numbers have gotten worse while infrastructure to perform this testing has become much more readily available for both good and bad actors.
With the rise of cloud computing and subsequently individuals’ access to top-of-the-line computing equipment, the eight-character password ‘standard’ continues to provide little protection to organisations.
See the last article for a more in-depth breakdown of the different types of password cracking but in summary, brute force password cracking starts at a given length with one character and increments through each item specified in the character set until all possible combinations have been reviewed. Parameters around what to test can be customised — including the character sets. Any combination of four complexity types can be used for cracking: uppercase letters, lowercase letters, numbers and symbols. However, these are the most common:
- Three of four complexity types as it is the Microsoft Windows default
- Four of four complexity types as it includes every possible character combination on a US keyboard
Refer to the video example of using the new cloud capabilities on a “complex” encrypted eight-character password from a standard Windows Active Directory deployment. In this demonstration, we use only brute force techniques and no dictionary list (which is likely faster). Specifically, the second brute force type above (all possible characters) is used.
As you saw, we moved from nothing to cracked password in under three minutes. Any eight-character password would have been cracked in no more than eight hours and cost at most $62.59. As you can imagine, if an organisation only requires three of the four complexity requirements, the number of possible combinations drops dramatically and it can cost as little as $2.45 to go through every uppercase, lowercase and number combination.
The haveibeenpwned.com application maintains a collection of many major password breaches and their associated hash values. Most popularly, the application allows users to search for their own passwords to determine if they’ve been included in a data breach. We downloaded the entire haveibeenpwned.com password list in the same hash format as standard corporate Active Directory environments (NTLM) and selected a ~1% sample or 6.6 million passwords.
Using this sample, within ten minutes, 4 million (61%) of the 6.6 million selected passwords cracked using the same system as above. Within an hour, 4.7 million (71%) passwords cracked. A short video version of this example can be seen on the left.