The strength of passwords as an authentication control is more important than ever before. Cyber-criminals are increasingly using automated password cracking tools to identify passwords in a matter of seconds. Our 2015 Trustwave Global Security Report revealed that out of a password sample size of 499,556 hashed passwords, our experts cracked 51 percent of them within 24 hours and 88 percent within two weeks.
Several factors contribute to the high number of passwords being cracked in such a short period of time, among them organisations repeatedly using the same easy-to-guess passwords. Our experts found that “Password1” remained the top password in use amongst businesses in 2014. This was primarily attributed to network administrators using default or simplistic passwords for new user accounts, and to the absence of an enforced password change at first login, which mechanisms such as GPOs (Group Policy Objects) can apply. Our 2015 Trustwave Global Security Report reveals that in most instances it takes only one day to crack an eight-character password, whereas it takes an average of 591 days to crack a 10-character password. With this in mind, it is recommended that policies be put in place requiring employees to change their passwords on a regular basis, for example every 60 days. Furthermore, administrators should enforce character complexity rules and a length requirement of 10 characters or more in all password policies.
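The policy described above (a minimum length of 10 characters, character complexity, a block on known-weak choices such as “Password1”, and a 60-day rotation) can be enforced at the point where a password is set or checked. The following Python is an added example written for this page, not Trustwave's own tooling; the small common-password list and the sample dates are constructed for illustration, and a real deployment would load a far larger breach-derived list.

```python
import re
from datetime import date

# Constructed sample of commonly used passwords, stored lowercase.
# "Password1" is the example the report names; the rest are illustrative.
COMMON_PASSWORDS = {"password1", "password", "welcome1", "123456", "qwerty"}

MIN_LENGTH = 10          # length requirement recommended above
MIN_CLASSES = 3          # complexity: at least three of the four classes below
MAX_AGE_DAYS = 60        # rotation interval recommended above

CHARACTER_CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < MIN_CLASSES:
        have = ", ".join(present) if present else "none"
        problems.append(f"fewer than {MIN_CLASSES} character classes (have: {have})")

    # Compare case-insensitively, and also with trailing digits/symbols stripped,
    # so that "Password1!" is still caught as a variant of "password".
    lowered = password.lower()
    base = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")

    return problems


def password_expired(last_changed_iso: str, today_iso: str,
                     max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True when the password is older than the rotation interval (dates as ISO strings)."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    for candidate in ("Password1", "abcdefghijkl", "Correct-Horse-42"):
        verdict = check_password_policy(candidate) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
    # Constructed dates: set on 1 Jan 2015, checked on 15 Mar 2015 (73 days later).
    print("expired:", password_expired("2015-01-01", "2015-03-15"))
```

The function returns every violation rather than stopping at the first, which lets a help desk or self-service portal tell the user exactly what to fix. The stripped-suffix comparison is deliberately conservative: it treats a dictionary word followed by digits or punctuation as the same weak choice, which is how “Password1” ends up at the top of the list in the first place.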
Despite the fact that weak passwords can lead to a data breach, they are expected to remain as an authentication control for the foreseeable future. In order to make passwords stronger and increase the security of businesses’ sensitive information, employees must be educated as to what represents a strong password.
Beyond using strong passwords, implementing two-factor authentication also helps strengthen security. Two-factor authentication combines “something you possess”, like a code sent via text message, with “something you know”, a password. This makes it more difficult for attackers to gain control of an account because they would need to compromise both modes of authentication. Moreover, should a single account be compromised by an attacker, two-factor authentication would thwart attempts to progress further into the network: password reuse would become a negated (or at least mitigated) attack vector because of the second-factor requirement.