Why Strong Passwords Aren’t As Secure As You May Think
We’ve reported previously on the trouble with passwords, highlighting the fact that hackers can guess a password of up to 8 characters almost instantly with current brute force techniques. Increasing your password length to at least 18-20 characters and including mixed numbers, symbols and upper/lowercase letters can significantly increase the time required for a brute force attack. But for many attacks, it may not matter.
We know that cyber-attacks are on the rise, including attacks on healthcare providers, schools, and almost anyone with data and the ability to pay a ransom. Phishing and other social engineering scams are the most frequent attacks, and recent data provided by Microsoft shows that stronger passwords aren’t enough.
Microsoft is one of the world’s largest identity providers. That means they manage more usernames and passwords than almost any other organization on earth. These credentials, combined with the scale of their global network, provide Microsoft with industry-leading statistics on current attack trends. Microsoft sees over 10 million username/password pair attacks every single day.
According to Microsoft’s research, password length requirements may not matter because users choose repeating passwords that are not harder to guess but still meet the length requirements. Examples from their research are: fourfourfourfour and passwordpassword. Both examples would meet a 16-character length requirement but don’t increase security. Long passwords also make it more common for users to write the password down or store it unencrypted. Long password requirements almost guarantee that a password will end up being just long enough to meet the length requirement. This gives hackers a statistical advantage if they know they only need to try 16-character combinations due to the 16-character minimum requirement.
So if length doesn’t matter, what is the general password advice? The key here is that length and complexity do matter in preventing brute force attacks. However, most brute force attacks in practice are password spray attacks, where the attacker slowly tries the most common passwords against a wide array of accounts and sites. Avoiding a password spray attack has little to do with password length or complexity and everything to do with password originality. These password spray attacks use the most common passwords and even guess what would be a common password for a particular system (e.g. Azure2019! or Office2020!). Since these attacks are usually blocked by security systems after a few attempts, as long as your password isn’t one of the top 50 or 100 most common passwords, you are fairly safe. According to Microsoft’s current data, the 10 most common passwords are:
- 123456
- password
- 000000
- 1qaz2wsx
- a123456
- abc123
- abcd1234
- 1234qwer
- qwe123
- 123qwe
But just because your password isn’t in that list doesn’t make you safe, because the top 50-100 password list for any given system could always be changing. Humans are incredibly unique creatures in that we like patterns: when we think we are creating something random, we are actually following a highly predictable pattern. This causes a password that appears complex to actually be highly predictable. A summary of findings from Microsoft is below.
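One way to encode the originality checks this article argues for, as an added example that is not from Microsoft or the article's author: it rejects the top-10 list above, repeated-unit passwords such as fourfourfourfour and passwordpassword, and the word+year shape of Azure2019!. The deny list contents, the regex and the 16-character threshold are assumptions for illustration.

```python
import re
from typing import List, Optional

# Constructed deny list: the top-10 quoted on the page. A real deployment
# would load a much larger list (top 50-100 or more) and refresh it.
COMMON_PASSWORDS = {
    "123456", "password", "000000", "1qaz2wsx", "a123456",
    "abc123", "abcd1234", "1234qwer", "qwe123", "123qwe",
}

# "Word + year + optional symbol", the Azure2019!/Office2020! shape that
# spray attacks guess for a given system (assumed regex).
WORD_YEAR_PATTERN = re.compile(r"^[A-Za-z]{3,}(19|20)\d{2}[!@#$%^&*.?]*$")


def repeated_unit(pw: str) -> Optional[str]:
    """Return the shortest unit whose repetition builds pw, else None.

    'fourfourfourfour' -> 'four', 'passwordpassword' -> 'password'.
    """
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return pw[:size]
    return None


def check_password(pw: str, min_length: int = 16) -> List[str]:
    """Return the reasons a password is predictable; empty list means it passes."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length}")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("in common-password list")
    unit = repeated_unit(lowered)
    if unit is not None:
        # Meets a length rule only by repetition; no harder to guess.
        reasons.append(f"repetition of '{unit}'")
    if WORD_YEAR_PATTERN.match(pw):
        reasons.append("word+year pattern")
    return reasons


if __name__ == "__main__":
    for candidate in ("fourfourfourfour", "Azure2019!", "123456"):
        print(candidate, "->", check_password(candidate) or "ok")
```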
We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the userIDs rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.
So we know passwords alone are not the answer to securing our networks and systems. Fortunately, there is a security solution that can stop 99.9% of all automated credential attacks. Implementing app- or hardware-based Multi-factor Authentication (MFA) such as WatchGuard’s AuthPoint can eliminate your company’s number one risk. Don’t settle for SMS- or voice-call-based MFA solutions, as voice calls and SMS are transmitted as unencrypted plain text and can easily be intercepted by determined attackers. In the end, implementing any MFA is better than passwords alone, but moving to a hardware- or app-based MFA is often easier to administer and more secure.