The majority of passwords can be easily guessed or cracked by hackers, new research shows, prompting renewed calls from security experts to bolster password security practices.
In a study conducted by Kaspersky, the security firm analyzed 193 million compromised passwords available on the dark web and the results of the investigation indicated 45% of the passwords could be guessed by hackers within a minute.
The study calculated that hackers armed with a high-performance laptop CPU would be able to brute force an eight-character password composed of lowercase letters and digits in 7 minutes.
Only 23% of the analyzed passwords met the requirements to be classified as resistant, meaning they would take an attacker over a year to compromise on average.
Over half (57%) of the examined passwords contained a word from the dictionary, which experts agree significantly reduces a passwords’ strength.
Furthermore, just 14% of passwords contained ‘signs’ of a strong, difficult-to-crack combination, which would include both uppercase and lowercase letters as well as numbers, and symbols.
Speaking to ITPro, Mark Lomas, technical architect at technology services provider Probrand, said passwords have been the Achilles heel in many enterprises’ security posture, and are one of the top targets for threat actors looking to save time gaining initial access.
“Passwords have long been the weak link in security. It's often said that in many successful attacks, criminals don't 'hack' in, they just log in. They do so by gaining the password using a variety of techniques,” he explained.
“These could include phishing to trick someone into handing over a password, stealing credentials if someone has used the same password in multiple places which might have then leaked onto the dark web, for example, or simply by using brute-force attacks.”
Increasing password complexity makes them harder to manage
Chris Hauk, consumer privacy advocate at Pixel Privacy, told ITPro businesses need to ensure they are educating their staff on how to create unique and secure passwords, outlining his criteria for a robust password.
“Passwords should be lengthy and should at a minimum be 12 characters or more and should be made up of a mix of uppercase and lowercase letters, symbols, and numbers," he explained.
“Never use guessable passwords, like pet names, birthdays, parents' maiden names, birthdays, or anything else that could be easily determined. Passphrases (long strings of words or sentences) make passwords both strong and memorable.”
While creating more complex passwords is advised, this does have certain downsides, according to Joel Rennich, VP of Product Strategy at JumpCloud.
Speaking to ITPro, Rennich noted that increasing password complexity makes them far harder to remember, and sometimes encourages users to dumb them down again to make them easier to recall when logging in.
"As the number and complexity of passwords increases, they become harder for users to remember,” he said. “And while length and complexity requirements align with many organizations’ best practices, too many long passwords could drive users to resort to unsecure methods for remembering them or re-use the same password across multiple business accounts.”
The solution, according to Rennich, as well as Hauk, is using a password manager that allows users to use unique, complex passwords across a wide range of accounts without the fear of forgetting them and having to go through tiresome password reset processes.
“To begin with, password managers relieve users of the burden of memorizing passwords and increase the IT department’s control and visibility over users’ passwords and their use,” Rennich argued.
“Password managers allow businesses to enforce password creation rules (including stronger passwords that do not need to be remembered), send update reminders, and safely share and manage access to the right resources and applications.”
Stronger passwords aren’t enough in the modern threat landscape
Using more complex passwords or credential management tools isn’t the only way to prevent compromise, however. Increasingly, organizations globally are adopting passphrases, according to Rick Jones, CEO and co-founder of DigitalXRAID.
Jones told ITPro that even eight-character passwords are still susceptible to passwords, and called for a more comprehensive industry shift toward passphrases.
“Statistics show that an eight character password hash can be cracked in a matter of minutes by a password cracking rig, while an 18-character password takes far longer. This dramatic increase should be reason enough to switch to passphrases rather than passwords,” he said.
Probrand’s Lomas stated that due to the damage they can cause if they fall into the wrong hands, many security vendors have been trying to transition away entirely from the login methods that can be stolen.
“Vendors have been working to move away from passwords entirely, and towards solutions that rely on login protection factors that can't be stolen or phished. Various solutions have been pushed forward, but we're starting to finally see the emergence of some standards around this,” he explained.
“Solutions like passkeys for example, are beginning to enter use with online services. In the corporate space, solutions like physical tokens have already been established around standards like FIDO2 WebAuthN.”
Additional security layers such as multi-factor authentication (MFA) are also essential for adequate identity security, according to Raj Samani, SVP and chief scientist at Rapid 7.
“We’ve seen with recent breaches that password leaks are rife. As a result, even with good password hygiene, we need to go one step further,” he said. “Multi-factor authentication (MFA) is vital and with 41% of incidents due to missing or unenforced MFA, for many is the biggest security accomplishment which can be made if not already implemented. Implementing this solution in tandem with basic password hygiene can greatly improve an organization’s security posture.”
