Longer passwords aren’t safe from intensive cracking efforts

88% of organizations still use passwords as their primary method of authentication, according to Specops Software.

The report found that 31.1 million breached passwords had over 16 characters, showing longer passwords aren’t safe from being cracked. 40,000 admin portal accounts were found to be using ‘admin’ as a password, and only 50% of organizations scan for compromised passwords more than once a month.

123456 was the most common compromised password in KrakenLab’s new list of breached cloud application credentials. Simple passwords like Pass@123 and P@ssw0rd that would pass Active Directory’s basic built-in rules were also prevalent, highlighting the increased risk of password reuse for organizations not implementing strong password controls.

A considerable amount of cybercrime still focuses on passwords: stealing credentials, selling them on, and using them as an initial access point for breaching organizations. Verizon estimates stolen credentials are involved in 44.7% of all data breaches, and we know there’s a thriving underground marketplace for stolen data and credentials.

Three ways hackers exploit weak passwords

Dictionary attack

Hackers use predefined ‘dictionary lists’ of likely possibilities to guess passwords or decryption keys. These could range from frequently used passwords and common phrases to common terms in specific industries, exploiting the human tendency to opt for simplicity and familiarity when creating passwords.

Hackers use social media platforms to gather intel about specific users and their organizations, gaining insights into the potential usernames and passwords they may choose. Of course, many end users will add at least a small amount of variation to these terms, which is where brute force techniques come in.

Brute force attack

Brute force attacks use software to attempt all possible character combinations until the correct password or decryption key is found. While this might seem time-consuming, it can be highly effective against shorter or less complex passwords – especially when given a head start by using common base terms found in dictionary lists. Combining techniques in this way is known as a hybrid attack.

For example, “password” could be the base term from a dictionary list. A brute force attack will try all subsequent variations such as “password, Password, Password1, Password!” and so on. This takes advantages of the common variations people make to weak base terms in order to meet their organization’s complexity requirements.

Mask attack

A mask attack is a form of brute forcing, where attackers know elements of common password constructions and can reduce the number of guesses they’ll need to get it right. For example, an attacker might know many passwords are eight characters, start with a capital letter, and end with a number of punctuation character, like “Welcome1!”. So, they might only try combinations that match this pattern, reducing the number of passwords to attempt.

Alternatively, they might know a specific company has a poor policy such as adding the current month and year to the end of passwords when rotating them. Having any sort of definitive information about the makeup of a password can greatly speed up a brute force at- tack.

The threat posed by keyboard walks in password security

At first glance, “asdfghjkl” might seem like a random base term for a password. However, this is known as a keyboard walk, where characters are next to each other on a keyboard. People choose these ‘finger walks’ as passwords as they’re fast to type and easy to remember when looking at a keyboard.

While the output isn’t a real word, hackers know to include these common patterns in their dictionary and brute force attacks.

The most commonly used keyboard walk pattern was “Qwerty,” which appeared over 1 million times in Specops Software’s list of compromised passwords. This was followed by variations like “qwert” and “werty” as well as patterns specific to different keyboard layouts such as “Azerty”. It serves as a reminder to organizations that it’s key to block all kinds of predictable password behavior – not just common words.

Every account matters

Skilled hackers can elevate privileges from a regular user account, so all accounts are worth protecting. Still, existing admin accounts already hold the so-called “keys to the kingdom” due to the level of access they hold without any need for privilege escalation.

Compromising an admin account is a dream scenario for a hacker, as they’ll have more options after gaining initial access to an organization.

Privileged users are golden targets for hackers. Strong, unique passwords are needed for every account, but especially those with access to sensitive resources. It’s important to have a password policy that blocks end users from creating weak passwords. But even strong passwords can become compromised through data breaches, phishing, and password reuse.

Longer passwords are recommended as they’re harder to guess and crack through brute force and hybrid dictionary attacks.

“The password is still a problem for IT teams and a weak point in many organization’s cybersecurity strategies,” said Darren James, Senior Product Manager at Specops Software.