In fact, the report explains that “weak or default passwords contributed to a third of data compromises in 2013”.
Taking this into account, Trustwave wanted to find out how easily they could crack 626,718 “hashed” passwords that had been “collected during thousands of network penetration tests”.
Astonishingly, and somewhat worryingly, they managed to recover more than half within a couple of minutes! Of course, this was due to the dreaded ‘Password1’, which still reigns supreme as the most-used password. It was closely followed by ‘Hello123’ and ‘password’.
And, within a period of 31 days, they cracked 92 per cent of passwords. They did this using a machine composed of an Intel Core i7 Ivy Bridge Quad Core Processor, 16 gigabytes of RAM and two AMD Radeon 7970 graphics cards, and a second machine made up of an AMD FX-8320 8 Core Processor, 16 gigabytes of RAM and four AMD Radeon 7970 graphics cards.
“Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure,” Trustwave suggests. “The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.”
Furthermore, the report highlights that while ‘N^a&$1nG’ could be recovered in 3.75 days using one AMD R290X GPU, ‘GoodLuckGuessingThisPassword’ will take 17.74 years to crack using the same GPU.
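As an added worked example (not from the Trustwave report), here is the keyspace arithmetic behind that claim: an exhaustive search grows as charset^length, so every extra character multiplies the work while a richer character set only adds a constant factor per position. It models pure brute force at an assumed guess rate; Trustwave's own figures come from their tooling and wordlists, so they will not match exactly.

```python
import math
import string

# Character classes a brute-force search must cover; a password that touches a
# class forces the attacker to enumerate the whole class at every position.
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}


def charset_size(password: str) -> int:
    """Size of the union of classes the password actually uses."""
    if any(all(c not in chars for chars in CHAR_CLASSES.values()) for c in password):
        raise ValueError("character outside the modelled classes")
    return sum(len(chars) for chars in CHAR_CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search must try (worst case)."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """log2 of the keyspace: each extra character adds log2(charset) bits."""
    return math.log2(keyspace(password))


def worst_case_days(password: str, guesses_per_second: float) -> float:
    """Days to exhaust the keyspace at an assumed guess rate (constructed)."""
    return keyspace(password) / guesses_per_second / 86400


if __name__ == "__main__":
    rate = 1e10  # assumed guesses per second for a single GPU, not a measured figure
    for pw in ("N^a&$1nG", "abcdefghijkl", "GoodLuckGuessingThisPassword"):
        print(f"{pw:30} charset={charset_size(pw):3} bits={entropy_bits(pw):6.1f} "
              f"days={worst_case_days(pw, rate):.3g}")
```

The 12-character all-lowercase string beats the 8-character four-class one on entropy, which is the point the report is making about length.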
For some reason, however, people simply don’t care to create passwords longer than eight characters. The longest passwords were typically found in business environments where it is often policy to have a minimum of eight characters. But employees rarely go above the minimum.
What’s more, hackers now find it easy to predict password composition. Most passwords consist merely of lowercase letters and numbers; the next most common pattern is lowercase letters, a single uppercase letter (usually the first character), and numbers.
This just goes to show that businesses need to implement and enforce stronger authentication processes. This could come in the form of two-factor authentication or by educating users on the value of choosing longer passwords.