While experts have agreed for decades that passwords are a weak method of authentication, their convenience and low cost have kept them around. Until we stop using passwords or start using multi-factor authentication (for everything), a need for stronger passwords exists. And as long as people create their own passwords that must be memorized, those passwords will remain weak and guessable. This blog/article/rant will cover a brief background of password cracking as well as the justification for SynerComm’s 14-character password recommendation.
Authentication is the process of verifying the identity of a user or process, and a password is the only secret “factor” used in authentication. For the authentication process to be trusted, it must positively identify the account owner and thwart all other attempts. This is critical, because access and privileges are granted based on the user’s role. Considering how easily passwords can be shared, most have already concluded that passwords are an insufficient means of authenticating people. We must also consider that people must memorize their passwords and that they often need passwords on dozens if not hundreds of systems. Because of this, humans create weak, easily guessed, and often reused passwords.
Over the years, several password controls have emerged to help strengthen password security. These include minimum password length, complexity, preventing reuse, and a recurring requirement to create new passwords. While it is a mathematical fact that longer passwords and a larger key space (more possible characters) do indeed create stronger passwords, we now know that regularly changing one’s password provides no additional security control. In fact, forcing users to regularly create new and complex passwords weakens security: it forces users to create guessable patterns or simply write them down. OK, I will stop here; we'll save the ridiculousness of password aging for a future blog.
So why is 14 characters the ideal or best recommended password length? It is not. It is merely a minimum length; we still prefer to see people using even longer passwords (or doing better than passwords in the first place). SynerComm recommends a 14-character minimum for several reasons. First, 14-character passwords are very difficult to crack. Most passwords containing 9 characters or fewer can be brute-force guessed in under 1 day with a modern password cracking machine. Passwords with 10-12 characters and even 13-14 characters can still be easily guessed if they are based on a word and a 4-digit number. (Consider Summer2018! or your child’s name and birthday.) Next, and perhaps more importantly, a 14-character minimum will prevent bad password habits and promote good ones. When combined with security awareness training, users can be taught to create and use passphrases instead of passwords. Passphrases can be sentences, combinations of words, etc. that are meaningful and easy to remember. Finally, 14 characters is the largest “Minimum Password Length” currently allowed by Microsoft Windows. While Windows supports very long passwords, it is not simple to enforce a minimum greater than 14 characters (PSOs can be used to increase this in Windows 2008 and above, and registry hacks for anything older, but it can be a tedious process and introduces variables into the management and troubleshooting of your environment).
The remainder of this article provides facts and evidence to support our recommendations.
SynerComm collected over 180,000 NTLM password hashes from various breached domain controllers and attempted to crack them using dictionary, brute-force, and cryptanalysis attacks. The chart below shows the password lengths of the more than 93,000 passwords cracked. It is interesting to find passwords that fall drastically below the usual minimum length of eight characters. Although few, it is also worth noting that 20-, 21- and 22-character passwords (along with one 27-character password) were cracked in these analyses.
| Password length | Cracked passwords | Share of cracked |
|---|---|---|
| 1 | 3 | 0.0% |
| 2 | 2 | 0.0% |
| 3 | 137 | 0.15% |
| 4 | 27 | 0.03% |
| 5 | 405 | 0.43% |
| 6 | 1527 | 1.63% |
| 7 | 3827 | 4.08% |
| 8 | 26191 | 27.95% |
| 9 | 23677 | 25.27% |
| 10 | 17564 | 18.74% |
| 11 | 9098 | 9.71% |
| 12 | 6267 | 6.69% |
| 13 | 2915 | 3.11% |
| 14 | 1063 | 1.13% |
| 15 | 577 | 0.62% |
| 16 | 276 | 0.29% |
| 17 | 81 | 0.09% |
| 18 | 39 | 0.04% |
| 19 | 13 | 0.01% |
| 20 | 10 | 0.01% |
| 21 | 1 | 0.0% |
| 22 | 4 | 0.0% |
| 23 | 0 | 0.0% |
| 24 | 0 | 0.0% |
| 25 | 0 | 0.0% |
| 26 | 1 | 0.0% |
| 27 | 1 | 0.0% |
*Note: The word "acme" was substituted for specific company names. For example, if the password "synercomm123$" had been found in a SynerComm password dump, it would have been replaced with "acme123$". This substitution was applied only to the top 10 password and base word tables; the length and mask analyses were performed without it.
| Top 10 passwords | Count | Share of cracked |
|---|---|---|
| Password1 | 543 | 0.58% |
| Summer2018 | 424 | 0.45% |
| Summer18 | 395 | 0.42% |
| acme80 | 368 | 0.39% |
| Fall2018 | 362 | 0.39% |
| Good2go | 350 | 0.37% |
| yoxvq | 345 | 0.37% |
| Gr8team | 338 | 0.36% |
| Today#08 | 308 | 0.33% |
| Spring2018 | 219 | 0.23% |
| Top 10 base words | Count | Share of cracked |
|---|---|---|
| password | 1993 | 2.13% |
| summer | 1663 | 1.77% |
| acme | 1619 | 1.73% |
| spring | 734 | 0.78% |
| fall | 706 | 0.75% |
| welcome | 652 | 0.7% |
| winter | 577 | 0.62% |
| w0rdpass | 562 | 0.6% |
| good2go | 351 | 0.37% |
| yoxvq | 345 | 0.37% |
| Last 4 digits (top 10) | Count | Share of cracked |
|---|---|---|
| 2018 | 3037 | 3.24% |
| 2017 | 821 | 0.88% |
| 1234 | 733 | 0.78% |
| 2016 | 659 | 0.7% |
| 2015 | 588 | 0.63% |
| 2014 | 561 | 0.6% |
| 2013 | 435 | 0.46% |
| 2012 | 358 | 0.38% |
| 2010 | 296 | 0.32% |
| 2019 | 286 | 0.31% |
| Masks (top 10; ?u = uppercase, ?l = lowercase, ?d = digit) | Count | Length |
|---|---|---|
| ?u?l?l?l?l?l?d?d | 6315 | 8 |
| ?u?l?l?l?l?l?d?d?d?d | 4473 | 10 |
| ?u?l?l?l?l?l?l?d?d | 4021 | 9 |
| ?u?l?l?l?d?d?d?d | 3328 | 8 |
| ?u?l?l?l?l?d?d?d?d | 2985 | 9 |
| ?u?l?l?l?l?l?l?l?d?d | 2742 | 10 |
| ?u?l?l?l?l?l?l?d | 2601 | 8 |
| ?u?l?l?l?l?l?l?l?d | 2371 | 9 |
| ?u?l?l?l?l?l?l?d?d?d?d | 1794 | 11 |
| ?u?d?d?d?d?d?d?d?d | 1756 | 9 |
When performing our own password cracking, SynerComm uses a modern password cracker built with 8 powerful GPUs. Typically used by gamers to render realistic three-dimensional worlds, these graphics cards are remarkably efficient at performing the mathematical calculations required to defeat password hashing algorithms. Most 8-character passwords will crack in 4.5 hours or less. While the same attack against a 9-character password could take up to 18 days to complete, we can reduce the key space (the set of possible characters used in passwords) and complete 10-11 character attacks in just 1-2 days or less.
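To make the mask table and the key-space argument above concrete, here is an added example (not SynerComm's analysis tooling) that derives the same statistics from a list of already-cracked passwords and compares a mask's key space with full brute force of the same length. The 4.5-hour figure, the 95-character printable set and the sample passwords are assumptions taken from or constructed in the style of this article.

```python
"""Password-audit helpers for a defender reviewing their own cracked-password results."""
from collections import Counter

# Character-class sizes behind the hashcat-style mask symbols used in the article.
CLASS_SIZE = {"?u": 26, "?l": 26, "?d": 10, "?s": 33}


def mask_of(password: str) -> str:
    """Map each character to its class: ?u upper, ?l lower, ?d digit, ?s anything else."""
    out = []
    for ch in password:
        if ch.isupper():
            out.append("?u")
        elif ch.islower():
            out.append("?l")
        elif ch.isdigit():
            out.append("?d")
        else:
            out.append("?s")
    return "".join(out)


def mask_keyspace(mask: str) -> int:
    """Candidates a mask attack must try: the product of the class sizes."""
    n = 1
    for i in range(0, len(mask), 2):
        n *= CLASS_SIZE[mask[i:i + 2]]
    return n


def full_keyspace(length: int, charset: int = 95) -> int:
    """Candidates for exhaustive brute force over `charset` printable ASCII characters."""
    return charset ** length


def brute_force_hours(length: int, hours_for_8: float = 4.5) -> float:
    """Scale the article's assumed 4.5 h for 8 characters by the key-space growth per character."""
    return hours_for_8 * 95 ** (length - 8)


def analyze(passwords):
    """Return (length counts, mask counts, last-4-digit counts), like the article's tables."""
    lengths = Counter(len(p) for p in passwords)
    masks = Counter(mask_of(p) for p in passwords)
    last4 = Counter(p[-4:] for p in passwords if p[-4:].isdigit())
    return lengths, masks, last4


# Constructed sample in the style of the article's findings; not real cracked data.
SAMPLE = ["Summer2018", "Fall2018", "Password1", "Winter2017", "Good2go", "Spring2018"]
```

Running `analyze(SAMPLE)` shows the season-plus-year mask dominating, and `full_keyspace(10) // mask_keyspace(mask_of("Summer2018"))` shows that the mask attack has to try roughly twenty million times fewer candidates than exhaustive 10-character brute force.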
We created an infographic on this if you're more visual like me.
*For shared accounts (root, admin, etc.), restrict the number of people who have access to the password. Change these passwords anytime someone who could know the password leaves the organization.
~Brian Judd (@njoyzrd) with password analysis by Chad Finkenbiner