Secure Your Password

October 17, 2022

If cybercrime held a popularity contest, password attacks would win first place. Password attacks are a go-to tactic for cybercriminals: they gain access to sensitive data and networks by “cracking” or guessing user passwords and then use those credentials to steal data from networks (a data breach). Cybercrime is getting more sophisticated each day. The bad news is that cyberattack tactics do not have to be innovative or advanced to be effective. The good news is that you can protect your data and stop a breach before it even starts by making sure passwords are long and complex, something in which everyday people play a huge role.



Why is creating strong passwords a challenge?

In a word, people. People make passwords weak as we are conditioned into choosing passwords that are easy to type or remember. The same goes for the patterns we use to create passwords. After conducting hundreds of password audits, we’ve found that there are always common trends, such as capitalizing the first character of your password and either ending with an exclamation mark or the numbers one or nine — not to mention the reuse of passwords. According to PC Mag, 70% of people admit they use the same password for more than one account. As a result, they could be more susceptible to compromise if a third-party application were to be breached. Google shares that 43% of adults have shared their password with someone, and only 45% of adults would change a password after a breach.



How long does it take to crack a password?

Password-recovery technology has changed considerably over the last decade. With the advent of artificial intelligence (AI) and machine learning, powerful graphics processing units are available from all the main cloud providers as well as specialized AI learning farms. There is also a tactic called a brute-force attack: trying every possible combination in turn. For example, to brute force a four-digit number, you would try every number from zero to 9,999. This means you would need to test 10,000 candidates before a brute-force attack on four digits could be called exhausted.


A complement to brute force is the dictionary-based password attack. Most attacks use "dictionaries" (a list of every word in a dictionary) to quickly identify passwords, together with "mangling rules" that modify, or mangle, those words to produce other likely passwords (e.g., turning an "o" into a "0"). This cuts cracking time far below what brute forcing each key space would require. And when a password is built from common words, recovering it might not even require a brute-force or dictionary-based attack.


Seasons, years or other easily guessable passwords such as ‘Winter2022!’ are commonly used. ‘Winter2022!’ is 11 characters long; brute forcing every key space of that length would take a long time. As a common password, however, it can be recovered instantly. So, with the aid of technology, how long does it take to crack a password? The infographic below illustrates just how little time it can take to crack a password purely by brute forcing each key space, along with the related cost to an organization.
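As an added example (not part of the original article), the following Python puts numbers on the two paragraphs above: it computes the brute-force key space for a password of a given length and contrasts it with the candidate set that a tiny word list produces once a few common mangling rules are applied. The season word list, the leet table, the year range, the suffixes and the guess rate of one billion guesses per second are all assumptions chosen for illustration.

```python
import string

# Printable ASCII without whitespace: 26 + 26 + 10 + 32 = 94 symbols.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation

# Constructed word list: a few base words an auditor expects to see (assumption).
SEASON_WORDS = ["spring", "summer", "autumn", "fall", "winter"]

# Constructed leet-speak table used by one of the mangling rules (assumption).
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0"})


def brute_force_candidates(charset_size: int, length: int) -> int:
    """Candidates an exhaustive search must try: every symbol in every position."""
    return charset_size ** length


def hours_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock hours needed to try every candidate at an assumed guess rate."""
    return candidates / guesses_per_second / 3600


def mangle(word: str, years=range(2018, 2024), suffixes=("", "!", "1", "9")):
    """Apply a handful of common mangling rules to one dictionary word:
    three casings, optional leet substitution, then an appended year and suffix."""
    casings = {word.lower(), word.capitalize(), word.upper()}
    bases = casings | {c.translate(LEET) for c in casings}
    for base in bases:
        yield base
        for year in years:
            for suffix in suffixes:
                yield f"{base}{year}{suffix}"


def dictionary_candidates(words) -> set:
    """Every password the word list plus the rules above can produce."""
    return {candidate for w in words for candidate in mangle(w)}


def compare(password: str, guesses_per_second: float = 1e9) -> dict:
    """Contrast exhausting the full key space for a password of this length with
    the far smaller candidate set a dictionary attack enumerates."""
    brute = brute_force_candidates(len(FULL_CHARSET), len(password))
    candidates = dictionary_candidates(SEASON_WORDS)
    return {
        "brute_force_candidates": brute,
        "brute_force_hours": hours_to_exhaust(brute, guesses_per_second),
        "dictionary_candidates": len(candidates),
        "found_by_dictionary": password in candidates,
    }


if __name__ == "__main__":
    # The four-digit example from the text: 10 symbols, 4 positions.
    print(brute_force_candidates(10, 4))
    for key, value in compare("Winter2022!").items():
        print(f"{key}: {value}")
```

Running it shows the gap the article describes: the 94-symbol key space for an 11-character password has roughly 5 × 10²¹ candidates, while five words and a few rules yield only a few hundred candidates, one of which is ‘Winter2022!’. An auditor can reuse `dictionary_candidates` as a blacklist generator for the organisation's own predictable words.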





Password best practices

According to Ponemon Institute, 75% of people said they don’t know how to create a secure password. And good password hygiene (strong passwords) doesn’t just apply to consumers. According to the World Economic Forum 2022 Global Risks Report, 95% of all cybersecurity issues can be traced to human error. Encouraging employees to use strong passwords is also important. The following are a few key best practices that everyday people and organizations can implement to enhance their own cybersecurity, creating a more secure world for everyone:


  • Create a long and complex password by using lowercase and uppercase characters, numbers and even special symbols

    • Longer passwords are stronger passwords. 12 or more characters is best
    • Consider using a ‘passphrase’ to create a complex password where a sequence of words or other text are put together (e.g., Applekeyboardphone)
    • Do not use easily researched answers to security questions, such as a pet’s name
    • Do not use the same passwords across multiple accounts

  • Use multi-factor authentication (MFA) when available
  • Ensure employees are using strong authentication to protect access to accounts with strong, secure and differentiated passwords, and provide them with password education during security awareness training
  • Require a password on web meetings so only those invited can attend
  • Incorporate password blacklisting and audits
  • Implement password vaulting for privileged accounts
  • Use a password manager
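The policy points in the list above can be turned into an automated check. The Python below is an added example, not code from the article or from Optiv: it enforces the 12-character minimum, rejects the season-plus-year pattern the article warns about, compares a normalised form of the candidate against a blacklist, accepts a long letters-only passphrase such as Applekeyboardphone, and flags passwords reused across accounts during an audit. The blacklist contents, the 16-character passphrase threshold and the three-of-four character-class rule are assumptions.

```python
import re

MIN_LENGTH = 12           # "12 or more characters is best"
PASSPHRASE_LENGTH = 16    # assumption: at this length, letters alone are accepted

# Constructed blacklist (assumption); in practice fed from breach corpora and audit results.
BLACKLIST = {"password", "qwerty", "welcome", "letmein", "admin", "iloveyou"}

# The season/year pattern from the article, with an optional trailing mark.
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{2,4}[!?.]*$", re.IGNORECASE)

CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def normalise(candidate: str) -> str:
    """Undo the decoration mangling rules add, so 'Password1!' is compared as 'password'."""
    return re.sub(r"[^A-Za-z]+$", "", candidate).lower()


def class_count(candidate: str) -> int:
    """How many of lower, upper, digit and symbol appear in the candidate."""
    return sum(bool(re.search(p, candidate)) for p in CLASSES)


def check_password(candidate: str) -> list:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(candidate) in BLACKLIST:
        failures.append("based on a blacklisted word")
    if SEASON_YEAR.match(candidate):
        failures.append("season followed by a year")
    if len(candidate) < PASSPHRASE_LENGTH and class_count(candidate) < 3:
        failures.append("fewer than three character classes (or use a longer passphrase)")
    return failures


def audit(accounts: dict) -> dict:
    """Run the policy over an {account: password} mapping and flag reuse across accounts."""
    report = {name: check_password(pw) for name, pw in accounts.items()}
    by_password = {}
    for name, pw in accounts.items():
        by_password.setdefault(pw, []).append(name)
    for names in by_password.values():
        if len(names) > 1:
            for name in names:
                report[name].append("reused across accounts: " + ", ".join(sorted(names)))
    return report


if __name__ == "__main__":
    # Constructed sample accounts for a demonstration run.
    sample = {"mail": "Applekeyboardphone", "vpn": "Applekeyboardphone", "wiki": "Winter2022!"}
    for account, failures in audit(sample).items():
        print(account, failures or "OK")
```

In a real deployment `check_password` runs at password-set time, while `audit` runs against recovered or self-reported credentials during a password audit; comparing hashes rather than plaintext would be the practical way to detect reuse.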



Update your passwords and use a password manager

Updating your passwords to be unique, long and complex is one of the best ways to immediately boost your cybersecurity. Yet, only 43% of the public say they “always” or “very often” use strong passwords. And if you are a “password repeater,” once a cybercriminal has hacked one of your accounts, they can easily do the same across all your accounts. Password manager software can manage all your online credentials like usernames and passwords, storing them in a safe, encrypted database that generates new logins when needed.


One of the biggest reasons individuals repeat passwords is that it can be tough to remember all the passwords you have. According to Ponemon Institute, 53% of people rely on their memory to manage passwords. And the National Cybersecurity Alliance notes that 31% of people keep track of their passwords by writing them down in a notebook. With a password manager, people only need to remember one password. In addition, password managers are incredibly easy to use and can automatically fill in stored passwords when you visit a site. (You can check out password managers and reviews through Consumer Reports.)
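The generation step a password manager performs is simple to show. The Python below is an added example, not code from the article or any particular password manager: it draws passwords from the operating system's cryptographic random source via the `secrets` module, resamples until every character class is present, builds a passphrase in the article's Applekeyboardphone style, and reports the entropy of each choice. The eight-word list is a constructed stand-in for the several-thousand-word lists real tools ship, and the 7776-word figure used in the usage note is the size of a standard diceware list, not anything from the article.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed word list for the passphrase generator (assumption); a real
# manager ships a list of several thousand words.
WORDS = ["apple", "keyboard", "phone", "river", "candle", "orbit", "maple", "quartz"]


def has_all_classes(pw: str) -> bool:
    """True when lower, upper, digit and symbol are all present."""
    return (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))


def generate_password(length: int = 16) -> str:
    """Uniformly random password from the OS CSPRNG, resampled until every
    character class is present so it also satisfies a complexity policy."""
    if length < 4:
        raise ValueError("need at least four characters to cover four classes")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def generate_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Passphrase in the Applekeyboardphone style: random words, capitalised and joined."""
    return "".join(secrets.choice(words).capitalize() for _ in range(n_words))


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print(generate_password(16), f"~{entropy_bits(len(ALPHABET), 16):.1f} bits")
    print(generate_passphrase(4), f"~{entropy_bits(len(WORDS), 4):.1f} bits from an 8-word list")
    print(f"four words from a 7776-word list: ~{entropy_bits(7776, 4):.1f} bits")
```

Sixteen random characters from the 94-symbol alphabet carry about 105 bits; four words from an eight-word list carry only 12, which is why the list size matters far more than the word count for passphrases (four words from a 7776-word list give about 52 bits). Resampling for character classes rejects a small fraction of strings, so the true entropy is marginally below `entropy_bits(94, length)`; at 16 characters the difference is negligible.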



The future of passwords

Eliminating the human factor from passwords is the most successful approach I’ve seen an organization take; however, such organizations still, to some extent, have to use passwords. The challenge is coming up with a solution that removes passwords altogether. The alternative is still a “password,” but one generated by IT using a YubiKey, biometrics or another form of authentication.


One of the best perks of this method is that it gives end users the ability to reset their passwords and a simple way to enter their credentials into forms at the push of a button. It also assures end users that their passwords are secure, as they are generated automatically for them. Currently, there’s no known supported biometric system or secondary authentication for enterprise networks due to the nature of single sign-on (SSO). In the meantime, everybody can do their part to secure their password by making sure it’s long and complex, thereby protecting their digital assets, online accounts and data.

Kevin Higgins
Kevin Higgins is a Senior Consultant within Optiv’s Threat Practice. With more than 10 years’ experience in both consulting and enterprise environments, Kevin has worked with organizations ranging from small businesses to Fortune 500 corporations and in a multitude of industries. Kevin is a subject matter expert (SME) in penetration testing and red team exercises, with expertise in external/internal penetration testing, red team exercises, digital forensics and incident response (DFIR), wireless assessments and vulnerability assessments. In addition to consulting, Kevin has presented at numerous security conferences and developed hands-on penetration testing classes. Kevin is a Certified Forensic Computer Examiner (CFCE) and an Offensive Security Wireless Professional (OSWP).

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit