While experts have agreed for decades that passwords are a weak method of authentication, their convenience and low cost have kept them around. Until we stop using passwords or start using multi-factor authentication (for everything), a need for stronger passwords exists. And as long as people create their own passwords that must be memorized, those passwords will remain weak and guessable. This blog/article/rant will cover a brief background of password cracking as well as the justification for SynerComm’s 14-character password recommendation.
First things first: What is a password?
Authentication is the process of verifying the identity of a user or process, and a password is the only secret “factor” used in authentication. For the authentication process to be trusted, it must positively identify the account owner and thwart all other attempts. This is critical, because access and privileges are granted based on the user’s role. Considering how easily passwords can be shared, most have already concluded that passwords are an insufficient means of authenticating people. We must also consider that people must memorize their passwords and that they often need passwords on dozens if not hundreds of systems. Because of this, humans create weak, easily guessed, and often reused passwords.
Over the years, several password controls have emerged to help strengthen password security. These include minimum password length, complexity, preventing reuse, and a recurring requirement to create new passwords. While it is a mathematical fact that longer passwords and a larger key space (more possible characters) do indeed create stronger passwords, we now know that regularly changing one’s password provides no additional security control. In fact, forcing users to regularly create new and complex passwords weakens security: it forces users to create guessable patterns or simply write them down. OK, I will stop here; we’ll save the ridiculousness of password aging for a future blog.
So Why 14 Characters?
So why is 14 characters the ideal or best recommended password length? It is not. It is merely a minimum length; we still prefer to see people using even longer passwords (or doing better than passwords in the first place). SynerComm recommends a 14-character minimum for several reasons. First, 14-character passwords are very difficult to crack. Most passwords containing 9 characters or fewer can be brute-force guessed in under 1 day with a modern password cracking machine. Passwords with 10-12 characters and even 13-14 characters can still be easily guessed if they are based on a word and a 4-digit number. (Consider Summer2018! or your child’s name and birthday.) Next, and perhaps more importantly, 14-character minimums will prevent bad password habits and promote good ones. When combined with security awareness training, users can be taught to create and use passphrases instead of passwords. Passphrases can be sentences, combinations of words, etc. that are meaningful and easy to remember. Finally, 14 characters is the largest “Minimal Password Length” currently allowed by Microsoft Windows. While Windows supports very long passwords, it is not simple to enforce a minimum greater than 14 characters (PSOs can be used to increase this in Windows 2008 and above, and registry hacks for anything older, but it can be a tedious process and introduces variables into the management and troubleshooting of your environment).
The remainder of this article provides facts and evidence to support our recommendations.
Analysis of Password Length
SynerComm collected over 180,000 NTLM password hashes from various breached domain controllers and attempted to crack them using dictionary, brute-force, and cryptanalysis attacks. The chart below shows the password lengths of the over 93,000 passwords cracked. It is interesting to find passwords that fall drastically below the usual minimum length of eight characters. Although few, it is also worth noting that 20, 21 and 22-character passwords (along with one 27-character password) were cracked in these analyses.
Passwords Cracked = 93,706. Total unique entries of those passwords cracked = 68,161
Passwords of 9 or fewer characters account for 50% of those cracked; 12 or fewer, 75%
| Password length | Cracked passwords | Share of cracked |
|---|---|---|
| 1 | 3 | 0.0% |
| 2 | 2 | 0.0% |
| 3 | 137 | 0.15% |
| 4 | 27 | 0.03% |
| 5 | 405 | 0.43% |
| 6 | 1527 | 1.63% |
| 7 | 3827 | 4.08% |
| 8 | 26191 | 27.95% |
| 9 | 23677 | 25.27% |
| 10 | 17564 | 18.74% |
| 11 | 9098 | 9.71% |
| 12 | 6267 | 6.69% |
| 13 | 2915 | 3.11% |
| 14 | 1063 | 1.13% |
| 15 | 577 | 0.62% |
| 16 | 276 | 0.29% |
| 17 | 81 | 0.09% |
| 18 | 39 | 0.04% |
| 19 | 13 | 0.01% |
| 20 | 10 | 0.01% |
| 21 | 1 | 0.0% |
| 22 | 4 | 0.0% |
| 23 | 0 | 0.0% |
| 24 | 0 | 0.0% |
| 25 | 0 | 0.0% |
| 26 | 1 | 0.0% |
| 27 | 1 | 0.0% |
Analysis of Password Composition
*Note: The password “acme” was used to replace specific company names. For example, if the password “synercomm123$” had been found in a SynerComm password dump, it would have been replaced with “acme123$”. This change was made only for the top 10 password and base word tables. Analyses of length and masks were performed without this change.
Top 10 passwords

| Password | Count | Share of cracked |
|---|---|---|
| Password1 | 543 | 0.58% |
| Summer2018 | 424 | 0.45% |
| Summer18 | 395 | 0.42% |
| acme80 | 368 | 0.39% |
| Fall2018 | 362 | 0.39% |
| Good2go | 350 | 0.37% |
| yoxvq | 345 | 0.37% |
| Gr8team | 338 | 0.36% |
| Today#08 | 308 | 0.33% |
| Spring2018 | 219 | 0.23% |
Top 10 base words

| Base word | Count | Share of cracked |
|---|---|---|
| password | 1993 | 2.13% |
| summer | 1663 | 1.77% |
| acme | 1619 | 1.73% |
| spring | 734 | 0.78% |
| fall | 706 | 0.75% |
| welcome | 652 | 0.7% |
| winter | 577 | 0.62% |
| w0rdpass | 562 | 0.6% |
| good2go | 351 | 0.37% |
| yoxvq | 345 | 0.37% |
Last 4 digits (Top 10)

| Last 4 digits | Count | Share of cracked |
|---|---|---|
| 2018 | 3037 | 3.24% |
| 2017 | 821 | 0.88% |
| 1234 | 733 | 0.78% |
| 2016 | 659 | 0.7% |
| 2015 | 588 | 0.63% |
| 2014 | 561 | 0.6% |
| 2013 | 435 | 0.46% |
| 2012 | 358 | 0.38% |
| 2010 | 296 | 0.32% |
| 2019 | 286 | 0.31% |
Masks (Top 10), in hashcat notation (?u = upper-case letter, ?l = lower-case letter, ?d = digit)

| Mask | Count | Length |
|---|---|---|
| ?u?l?l?l?l?l?d?d | 6315 | 8 chars |
| ?u?l?l?l?l?l?d?d?d?d | 4473 | 10 chars |
| ?u?l?l?l?l?l?l?d?d | 4021 | 9 chars |
| ?u?l?l?l?d?d?d?d | 3328 | 8 chars |
| ?u?l?l?l?l?d?d?d?d | 2985 | 9 chars |
| ?u?l?l?l?l?l?l?l?d?d | 2742 | 10 chars |
| ?u?l?l?l?l?l?l?d | 2601 | 8 chars |
| ?u?l?l?l?l?l?l?l?d | 2371 | 9 chars |
| ?u?l?l?l?l?l?l?d?d?d?d | 1794 | 11 chars |
| ?u?d?d?d?d?d?d?d?d | 1756 | 9 chars |
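The length, mask, base-word and last-4-digit tallies above can be reproduced over any list of cracked passwords with a short script. The following is an added example written for this article, not SynerComm's own analysis tooling; the password list is constructed, and the base-word rule (strip leading/trailing digits and symbols, lower-case the rest) is an assumption about how the table was built.

```python
import re
from collections import Counter

# Constructed sample of "cracked" passwords; not the article's data set.
SAMPLE = [
    "Summer2018", "Summer18", "Password1", "acme80", "Fall2018!",
    "Good2go", "Winter2017", "Welcome1234", "password", "Spring2018",
]

def hashcat_mask(password: str) -> str:
    """Map each character to a hashcat charset token: ?u ?l ?d or ?s."""
    return "".join("?u" if c.isupper() else "?l" if c.islower()
                   else "?d" if c.isdigit() else "?s" for c in password)

def base_word(password: str) -> str:
    """Lower-cased password with leading/trailing digits and symbols removed,
    e.g. Summer2018 -> summer, acme80 -> acme (inner digits are kept)."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password).lower()

def last_four_digits(password: str):
    """Trailing run of four digits (typically a year), ignoring a final symbol."""
    match = re.search(r"(\d{4})[^0-9]*$", password)
    return match.group(1) if match else None

def summarize(passwords):
    """Tally lengths, masks, base words and trailing 4-digit groups."""
    return {
        "lengths": Counter(len(p) for p in passwords),
        "masks": Counter(hashcat_mask(p) for p in passwords),
        "base_words": Counter(base_word(p) for p in passwords),
        "last4": Counter(d for d in map(last_four_digits, passwords) if d),
    }

def share_at_most(lengths: Counter, max_len: int) -> float:
    """Fraction of passwords with length <= max_len (the article's
    '9 or fewer characters account for 50%' style figure)."""
    total = sum(lengths.values())
    return sum(n for length, n in lengths.items() if length <= max_len) / total

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for name, counter in stats.items():
        print(name, counter.most_common(3))
    print("<= 9 chars:", share_at_most(stats["lengths"], 9))
```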
Password Hash Cracking Speeds
When performing our own password cracking, SynerComm uses a modern password cracker built with 8 powerful GPUs (https://www.shellntel.com/blog/2019/2/19/how-to-build-a-2nd-8-gpu-password-cracker). Typically used by gamers to render realistic three-dimensional worlds, these graphics cards are remarkably efficient at performing the mathematical calculations required to defeat password hashing algorithms. The first screenshot below shows a brute-force guess of an 8-character password. It shows that most 8-character passwords will crack in 4.5 hours or less. While the same attack against a 9-character password could take up to 18 days to complete, we can reduce the key space (the possible characters used in passwords) and complete 10-11 character attacks in just 1-2 days or less. The second screenshot shows an optimized character-set mask attack against 11-character passwords. This attack completes in less than 8 hours and returns many poorly selected 11-character passwords.
Below is an optimized crack attempt for 11-character passwords using only common characters and format (e.g., beginning with an upper case letter or number):
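The key-space arithmetic behind the figures above (why 8 characters fall in hours, 9 in days, and why a mask attack collapses an 11-character search) can be worked through directly. This is an added example, not the article's or hashcat's code; the NTLM hash rate is an assumed value chosen so that a full 95-character 8-position brute force lands on the article's 4.5-hour figure, not a benchmark of the article's rig.

```python
from math import prod

# hashcat built-in charsets: ?l lower, ?u upper, ?d digits, ?s printable
# specials, ?a all 95 printable ASCII characters.
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}

# Assumed NTLM rate (hashes/second) for an 8-GPU rig. Chosen so that a full
# 95^8 brute force takes the ~4.5 hours the article cites; it is an estimate
# for illustration, not a benchmark of the article's hardware.
ASSUMED_NTLM_RATE = 4.1e11

def mask_keyspace(mask: str) -> int:
    """Candidates generated by a hashcat mask such as ?u?l?l?l?l?l?d?d."""
    tokens = [mask[i:i + 2] for i in range(0, len(mask), 2)]
    unknown = [t for t in tokens if t not in CHARSET_SIZES]
    if unknown:
        raise ValueError(f"unsupported mask tokens: {unknown}")
    return prod(CHARSET_SIZES[t] for t in tokens)

def full_keyspace(length: int) -> int:
    """Candidates for a full 95-character brute force (?a repeated)."""
    return mask_keyspace("?a" * length)

def seconds_to_exhaust(keyspace: int, rate: float = ASSUMED_NTLM_RATE) -> float:
    """Worst-case time to try every candidate at the given hash rate."""
    return keyspace / rate

def describe(seconds: float) -> str:
    """Human-readable worst-case duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"

def speedup(length: int, mask: str) -> float:
    """How many times smaller a mask attack is than a full brute force of
    the same length (the 'reduce the key space' idea in the text)."""
    if len(mask) != 2 * length:
        raise ValueError("mask length does not match password length")
    return full_keyspace(length) / mask_keyspace(mask)

if __name__ == "__main__":
    for n in (8, 9, 10, 11, 14):
        print(f"{n} chars, full brute force: "
              f"{describe(seconds_to_exhaust(full_keyspace(n)))}")
    m = "?u?l?l?l?l?l?l?d?d?d?d"  # 11-char mask from the article's table
    print(f"mask {m}: {describe(seconds_to_exhaust(mask_keyspace(m)))}, "
          f"{speedup(11, m):.0f}x smaller than full brute force")
```

At the assumed rate the full 9-character search takes about 18 days, while the 11-character mask from the table finishes in minutes, which is the gap a 14-character passphrase minimum is meant to close.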
Password Best Practices
- Do Not Share Your Password with Anyone!
- Do Not Store Passwords in Spreadsheets, Documents, or Email! Also avoid storing passwords in your browser (IE, Firefox, Chrome).
- Create passphrases instead of passwords. Long passwords are always stronger than short passwords. Passwords shorter than 10 characters can be easily and quickly cracked if their hashes become available to the attacker. SynerComm recommends enforcing at least a 12-character minimum for standard user accounts but suggests using a 14-character minimum to promote good password creation methods. Privileged accounts such as domain administrators should have even longer passwords.
- While password complexity is less critical with long (>=14 char) passwords, it still helps ensure a larger key space. Encourage users to use less common characters such as spaces, commas, and any other special character found on the keyboard. (Spaces can make an enormous difference!)
- Never reuse the same password on multiple accounts. While it is easier to remember 1 password than 100, our next best practice will provide a solution to that problem too. Dumps containing passwords from breaches are great starting places for guessing a user’s password.
- Use a password safe. Modern password managers can sync stored passwords between computers and mobile devices. By using a safe, most users only need to remember 2-3 passwords and the rest can be stored securely in a safe.
- When using a safe, it is best practice to allow the application to generate most passwords. This way you can create 15-20 character completely random passwords that you never need to know or memorize.
- Implement multi-factor authentication whenever possible. Passwords will always be a weak and vulnerable form of authentication. Using multi-factor greatly reduces the chances of a successful authentication attack. Multi-factor authentication should be used for ALL (no exceptions) remote access and should increasingly be considered for ALL privileged account access.
*For shared accounts (root, admin, etc.), restrict the number of people who have access to the password. Change these passwords anytime someone who could know the password leaves the organization.
~Brian Judd (@njoyzrd) with password analysis by Chad Finkenbiner