Dictionaries define a password as a secret word or expression which must be used to gain entry. It’s hard to fault this definition, and yet computer users are using the same old passwords year after year: ‘Password1’, ‘Hello123’, and plain old ‘password’. Sound familiar? Not much of a secret then…
Using hashed data collected in two years’ worth of penetration tests, Trustwave, an American infosecurity company, cracked over 50% of business passwords in just a few minutes. After 31 days they had cracked 92% of them. The equipment used was nothing extraordinary, but they did use a graphics processing unit (GPU) rather than a traditional central processing unit (CPU); a GPU can perform billions more calculations per second than a similar-priced CPU. What does this mean for businesses? It means a high-probability risk of being hacked. Hackers rely on weaknesses to gain unauthorised entry to networks and, once in, can cause costly mayhem, both financial and reputational. Weak passwords have been identified as the primary cause of online accounts being hacked.
Misconceptions about password strength
In accordance with widespread business policy, passwords are typically 8 characters long (because that’s the stated minimum) and, although many require the inclusion of numbers, upper case and lower case letters, and special characters, these calls for added complexity don’t always translate into strong passwords.
These complex passwords may thwart the colleague sitting next to you (or the passer-by looking over your shoulder), but they’re not really who you’re up against; it’s hackers with their automated tools. In their study, Trustwave point out that, although many users assume that using complex combinations make a password more secure, it’s only by increasing the number of characters in the password that the cracking time is dramatically raised. For example, automated tools find it far easier to crack relatively short, but outwardly very complex, passwords like ‘N^a&$1n’ compared to longer phrases like ‘GoodLuckGuessingThisPassword’.
Ironically, IT administrators who force complexity into short passwords may, in fact, be introducing weakness by unwittingly causing users to create predictable password patterns, usually comprising a single word and tacking on the minimum required numbers and specials.
Similarly, the practice of insisting on regular changes to passwords has been shown to encourage increasingly weaker ones. Users end up creating passwords that are more easily cracked because they simply increment an embedded number, or add the next-in-line special character, or simply revert to using ever more memorable – i.e. common – keywords as the basis for the password.
Creating strong passwords
Any initiative to establish strong business passwords must begin with understanding what is behind the prevalence of passwords like ‘Password1’, ‘Hello123’ and ‘password’. Is it laziness, or ignorance, or wilful arrogance? Or is it because users think that ‘the IT people’ are really in charge of security and it’s not their problem? Sadly, it’s all of the above, but the good news is that the situation can be alleviated using some very simple measures:
- Educate employees about the business risks associated with weak passwords: if it affects the business, it affects them.
- Teach them how to create strong passwords: the emphasis should be on unique, memorable – even funny – phrases that have greater length rather than greater complexity. Passwords using a proper name (people, pets, places) as a basis are easily cracked and should be avoided.
- Ask employees to test the strength of their passwords. Strength meters are good at highlighting weak approaches to password structure and, if existing systems can’t be redesigned to allow long phrases, they’re a great tool for testing short words with or without added specials.
- Don’t impose regular resets of passwords.
- Use a password manager, especially if users are expected to remember multiple passwords.
Whilst every business owner needs to take risks, tolerating weak passwords isn’t one of them; policies for password creation and storage should be an important consideration on every business agenda. The bottom line? ‘GetYourPasswordsSortedRightNow!’