Mixing upper- and lower-case letters, numbers and special characters does not make passwords any harder for hackers to crack; only increasing the number of characters does, according to new research from Trustwave.
The security firm purpose-built two machines at a cost of almost $5,000 with the aim of cracking a sample of 626,718 hashed passwords collected during thousands of penetration tests in 2013 and 2014.
“The majority of the sample came from Active Directory environments and included Windows LAN Manager (LM)- and NT LAN Manager (NTLM)-based passwords,” the firm wrote in its 2014 Business Password Analysis report.
“We recovered more than half of the passwords within just the first few minutes. We eventually cracked 576,533 or almost 92 percent of the sample within a period of 31 days.”
The report noted that, while mixing different characters and numbers might make it harder for humans to crack your password, “it does not make recovering the password any more resource-intensive for password-cracking tools”.
“Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password,” it said.
Trustwave said that an automated tool can crack an eight-character password made up of randomly chosen characters from all four character types far more quickly than a 28-character password consisting only of upper- and lower-case letters.
It’s the difference between 3.75 days and 17.74 years, according to the firm.
“A brute-force attack on that collection involves calculating the hashes for potential passwords and comparing those hashes to the password hashes the attacker wants to crack,” it explained.
“If the tool identifies a match, a password is cracked.” The firm urged companies to “educate users on the value of choosing longer pass-phrases instead of simple, predictable, easy-to-crack passwords”.
It added that two-factor authentication should be employed for network access.
“IT administrators can do their part to hinder password-cracking attacks by using unique, random salts when hashing stored passwords, whereby a unique, random piece of data is combined with each password before the hash is calculated,” the report concluded.
“Secure password storage combined with well-educated users and a properly designed policy for user password choice can play a vital role in helping prevent a breach.”
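The arithmetic behind the report's two findings, as an added example that is not from Trustwave: the worst-case keyspace a brute-force tool must hash for the eight-character, four-class policy versus the 28-character, letters-only one, and why a per-user random salt stops one candidate hash from being checked against every stored account at once. The hash rate, the PBKDF2 construction and the sample password are assumptions; the unsalted mode only stands in for LM/NTLM-style storage, where identical passwords produce identical hashes.

```python
# Added example: keyspace arithmetic for "length beats complexity", plus salted storage.
import hashlib
import hmac
import math
import os

# Printable US-keyboard character classes; all four together give 95 symbols.
CHARSETS = {"lower": 26, "upper": 26, "digits": 10, "special": 33}
ALL_FOUR = ["lower", "upper", "digits", "special"]


def keyspace_bits(length, classes):
    """log2 of the number of candidates an exhaustive search must hash in the worst case."""
    alphabet = sum(CHARSETS[c] for c in classes)
    return length * math.log2(alphabet)


def brute_force_days(length, classes, hashes_per_second):
    """Worst-case exhaustive-search time in days at an assumed hashing rate."""
    return 2 ** keyspace_bits(length, classes) / hashes_per_second / 86400


def hash_password(password, salt):
    """Iterated salted hash (PBKDF2-HMAC-SHA256, assumed scheme); the salt is stored beside the digest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def store(password, salted=True):
    """Return a (salt, digest) record. salted=False (empty salt) mimics LM/NTLM-style storage."""
    salt = os.urandom(16) if salted else b""
    return salt, hash_password(password, salt)


def verify(password, record):
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt), digest)


def reuse_visible(records):
    """True if two accounts share a byte-identical digest: without salts, one guess tests every account."""
    digests = [digest for _, digest in records]
    return len(digests) != len(set(digests))


if __name__ == "__main__":
    rate = 1e10  # assumed hashes per second for an illustrative cracking rig, not the report's figure
    print(f"8 chars, 4 classes: {keyspace_bits(8, ALL_FOUR):.1f} bits, {brute_force_days(8, ALL_FOUR, rate):.1f} days")
    print(f"28 chars, letters : {keyspace_bits(28, ['lower', 'upper']):.1f} bits, "
          f"{brute_force_days(28, ['lower', 'upper'], rate):.1e} days")
    pw = "Tr0ub4dor&3"  # constructed sample password shared by two accounts
    print("unsalted, reuse visible:", reuse_visible([store(pw, salted=False), store(pw, salted=False)]))
    print("salted,   reuse visible:", reuse_visible([store(pw), store(pw)]))
```

At any fixed rate the 28-character letters-only keyspace is roughly 2^107 times the eight-character one, which is why the report's advice is longer pass-phrases rather than more character classes.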