Senior Security Analyst
Alex Kah works for Optiv’s MSS organization responding to security incidents, strengthening MSS’s security posture and assisting with other internal technology additions and enhancements.
Think Your Passwords are Strong Enough? Think Again.
However, many third-party applications, such as homegrown web applications and mobile applications, still require only a single password to sign on, leaving organizations vulnerable. Although most administrative passwords are complicated and strong, all it takes is one weak password created by an employee for an attacker to crack it and access the corporate network.
It’s simple math and, frankly, common sense that the more complicated the password, the more difficult it will be for an attacker to figure out. For example, if you use a password of only six lowercase letters, there are 308,915,776 possible combinations. Meanwhile, an eight-character password using a combination of lowercase and uppercase letters, digits, and special characters yields 6,095,689,385,410,820 possible sequences. (These numbers come from simple multiplication: the size of the character set, counting 26 letters in the alphabet, 10 digits, and 32 special characters, multiplied by itself once per character of the password.)
While 300 million combinations may sound like more than enough to protect your network, a simple test will show otherwise. Recently, I leveraged open source software called oclHashcat-plus, which used the ATI 6990 GPU (Graphical Processing Unit) installed in the server. This allows you to crack password hashes at a much higher rate of speed than you can with normal central processing units (CPUs). GPUs have many more cores than CPUs and can process more calculations per second. Here are the results I found on a few commonly used hashes:
- sha512crypt – used by newer Linux distributions: 15,000 combinations per second.
- Oracle 10g – used by Oracle applications: 250 million combinations per second.
- Oracle 11g – used by Oracle applications: 3.6 billion combinations per second.
- Microsoft SQL – used by the Microsoft database MSSQL: 3.4 billion combinations per second.
- DES Unix – used by various Unix based systems: 7.2 million combinations per second.
- MD5 Message-Digest Algorithm – used by applications such as WordPress websites and many homegrown applications: 10 billion combinations per second.
- Joomla – used by the Joomla application which is a common content management system: 10 billion combinations per second.
- NTLM – used by Microsoft Windows devices: 20 billion combinations per second.
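The keyspace arithmetic above combined with the measured hash rates gives a worst-case time to exhaust every candidate password. The calculator below is an added example, not code from the original post; it uses the post’s character-set sizes and per-hash rates, and extends the comparison to the 15-character policy recommended later in the post.

```python
# Character-set sizes used in the post: 26 letters, 10 digits, 32 special characters.
CHARSET_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

# Hash rates from the post's oclHashcat-plus run on an ATI 6990 (candidates per second).
HASH_RATES = {
    "sha512crypt": 15_000,
    "Oracle 10g": 250_000_000,
    "Oracle 11g": 3_600_000_000,
    "MSSQL": 3_400_000_000,
    "DES Unix": 7_200_000,
    "MD5": 10_000_000_000,
    "Joomla": 10_000_000_000,
    "NTLM": 20_000_000_000,
}

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY


def keyspace(length, charsets):
    """Exact number of passwords of exactly `length` characters drawn from the union of `charsets`.
    For 8 characters over all four sets this is 94**8 = 6,095,689,385,410,816 (the post shows it rounded)."""
    alphabet = sum(CHARSET_SIZES[c] for c in charsets)
    return alphabet ** length


def exhaustive_seconds(length, charsets, hash_name):
    """Worst-case seconds to try every candidate at the post's measured rate for `hash_name`.
    On average the password is found after about half this time, and a dictionary word or
    keyboard pattern falls almost immediately because crackers try those candidates first."""
    return keyspace(length, charsets) / HASH_RATES[hash_name]


def exhaustive_years(length, charsets, hash_name):
    return exhaustive_seconds(length, charsets, hash_name) / SECONDS_PER_YEAR


def policy_report(length, charsets):
    """Map every hash type in the post to the worst-case years for a given length/character-set policy."""
    return {name: exhaustive_years(length, charsets, name) for name in HASH_RATES}


if __name__ == "__main__":
    ALL = ["lower", "upper", "digit", "special"]
    for length, charsets in [(6, ["lower"]), (8, ALL), (15, ALL)]:
        print(f"{length} chars from {'+'.join(charsets)}: keyspace {keyspace(length, charsets):,}")
        for name, years in policy_report(length, charsets).items():
            print(f"  {name:12s} {years:.3g} years worst case")
```

Six lowercase letters fall to NTLM in a fraction of a second and the full eight-character set in about three and a half days, whereas the slow sha512crypt hash stretches the same eight characters to over ten thousand years; fifteen characters put even NTLM beyond a billion years of exhaustive search.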
Additionally, enforcing a strong password policy where passwords are required to include all four standard character types – lowercase, uppercase, digits, and special characters – will make it much harder for attackers to hack into a network. Here are some best practices I’ve developed over the years for organizations to consider when educating employees on password management:
- Use a random password generator whenever possible. Because there are many available, be sure to use one that allows you to include each character set (upper/lower/special/digits) in any combination and to set the length anywhere from six up to at least 20 characters.
- Use more than 15 characters.
- Include at least one of each type of character – uppercase, lowercase, special characters, and digits.
- Do not use keyboard patterns, words from the dictionary, phone numbers, dates, or common phrases. Those are the first combinations that would-be attackers will attempt when guessing your password.
- Do not use the same password for multiple applications, websites, etc. Attackers will build a profile of the person they are attacking. If they are able to gain access to one site the person uses, then they could easily guess the person’s passwords on other sites if similar ones are used.
- Do not write any password on paper. Thieves will search through trash bins and dumpsters looking for password information so they can log in to accounts remotely. Instead, use some form of encrypted file or password management software that is protected by a password. Make sure the password used to access the encrypted file and/or password management software is random, unique, and as long as possible.
- When logging onto business applications and systems outside of the office, be aware of your surroundings. Passwords can be stolen simply by shoulder surfing.