Think Your Passwords are Strong Enough? Think Again.

By Alex Kah ·

However, many third-party applications such as homegrown web applications and mobile applications still only require a single sign-on, leaving organizations vulnerable. Although most administrative passwords are complicated and strong, all it takes is one weak password created by an employee for an attacker to crack and access a corporate network.

It’s simple math and, frankly, common sense that the more complicated the password the more difficult it will be for an attacker to figure out. For example, if you use a password with only six lowercase letters, there are 308,915,776 possible combinations. Meanwhile, an eight character password using a combination of lowercase and uppercase letters, digits, and special characters equals 6,095,689,385,410,820 possible sequences. (These numbers were obtained by doing simple multiplications using 26 letters in the alphabet, 10 possible digit characters, and 32 possible special characters).

While 300 million combinations may sound like more than enough to protect your network, a simple test will show otherwise. Recently, I leveraged open source software called oclHashcat-plus which used the ATI 6990 GPU (Graphical Processing Unit) installed in the server. This allows you to crack password hashes at a much higher rate of speed than you can with normal central processing units (CPU’s). GPU’s have many more cores than CPU’s and can process more calculations per second. Here were the results I found on a few commonly used hashes:

  • sha512crypt – used by newer Linux distributions: 15,000 combinations per second.
  • Oracle 10g – used by Oracle applications: 250 million combinations per second.
  • Oracle 11g – used by Oracle applications: 3.6 billion combinations per second.
  • Microsoft SQL – used by the Microsoft database MSSQL: 3.4 billion combinations per second.
  • DES Unix – used by various Unix based systems: 7.2 million combinations per second.
  • MD5 Message-Digest Algorithm – used by applications such as Wordpress websites and many homegrown applications: 10 billion combinations per second.
  • Joomla – used by the Joomla application which is a common content management system: 10 billion combinations per second.
  • NTLM – used by Microsoft Windows devices: 20 billion combinations per second.
Referencing the above numbers it would only take six hours to crack the commonly used MD5 Message-Digest Algorithm hash that is eight characters in length and is using lowercase, uppercase, and digits for the possible character types. However on a newer Linux/Unix system that stores passwords using the sha512crypt hash and the same lowercase, uppercase, and digit character set, it would take more than 450 years to try every combination. From this, we can conclude that using the latest technologies make it harder for would-be attackers to crack your password hashes. In fact, the United States Computer Emergency Readiness Team (US-CERT), who’s mission is to improve the nation's cybersecurity posture,now says that MD5 should be considered cryptographically broken and unsuitable for further use. Meanwhile, the National Institute of Standards and Technology (NIST) notes that most U.S. government applications now require the SHA-2 family of hash functions, which were designed by the National Security Agency (NSA) and have proven to be more difficult to crack.

Additionally, enforcing a strong password policy where passwords are required to include all four standard character types – lowercase, uppercase, digits, and special characters – will make it much harder for attackers to hack into a network. Here are some best practices I’ve developed over the years for organizations to consider when educating employees on password management:

  • Use randomly generated passwords whenever possible. Because there are many available, be sure to use one that allows you to include each character set (upper/lower/special/digits) in any combination and to set the length from six to at least 20 characters.
  • Use more than 15 characters.
  • Include at least one of each type of character – uppercase, lowercase, special characters, and digits.
  • Do not use keyboard patterns, words from the dictionary, phone numbers, dates, or common phrases. Those are the first combinations that would-be attackers will attempt when guessing your password.
  • Do not use the same password for multiple applications, websites, etc. Attackers will build a profile of the person they are attacking. If they are able to gain access to one site the person uses then they could easily guess the person’s passwords if similar ones are used for multiple sites.
  • Do not write any password on paper. Thieves will search through trash bins and dumpsters looking for password information so they can login to accounts remotely. Instead, use some form of encrypted file or password management software that is protected by a password. Make sure the password used to access the encrypted file and/or password management software is random, unique, and as long as possible.
  • When logging onto business applications and systems outside of the office, be aware of your surroundings. Passwords can be stolen simply by shoulder surfing.
These are just a few of the best practices on password management that I recommend organizations share with all their employees, in addition to using the most current technologies that make it difficult for attackers to crack password hashes. But remember, identity thieves and online scammers are mixing up their approaches and developing new ways of cracking codes every day. It’s important to stay current on the latest security trends and threats to keep passwords, and thus sensitive information, safe and secure.

Alex Kah

Senior Security Analyst

Alex Kah works for Optiv’s MSS organization responding to security incidents, strengthening MSS’s security posture and assisting with other internal technology additions and enhancements.