Who said password cracking is dead?

In a recent conference, I was privy to a insightful session on password cracking. No, not pass-the-hash, pass-the-ticket, token manipulation, or other high-tech techniques. Rather, just simple brute force hacks, with some twists. It reinforced what I have been teaching for years, which is that our passwords are nearly worthless. Let me explain. Most organizations allow users to use weak and pathetic passwords. A typical password policy looks like this:

• Minimum password length: 6 to 10 characters
• Types of characters in the password: At least 3 or the 4 required (a, A, 1, $)

One would think, since that is the default from Microsoft, that it would be a good recipe for a strong password. Unfortunately, it is not. Honestly, even if you make the password longer, say 13 to 14 characters, and force all four character types, you still have a weak password. Here's why these passwords are weak:

• Passwords are based on words, using character replacement.
• Passwords increment, i.e. Pa$$word1, Pa$$word2, Pa$$word3, etc.
• A password with less than 15 characters can use LM and NTLM hashes, which are easily cracked.

With some logic, simple decryptions of human behavior, and hardware, nearly any password can be cracked in a short period of time. How short? Well, according to NTT, easily within the maximum password age! So, what are we to do? Ideally, we should be using longer, stronger passwords. Ideally, we should be using multi-factor authentication. Ideally, we should ensure we don’t share our passwords. Ideally, we should not use the same password for more than one account. There is no silver bullet, but with a little effort and education, we can improve our passwords and our security.