Why Strong Passwords Aren't As Secure As You May Think - Minneapolis Cloud Services and Managed Service Provider Verus Corporation

Why Strong Passwords Aren’t As Secure As You May Think

Posted November 24, 2020

We’ve reported previously on the trouble with passwords as we highlighted the fact that hackers can guess a password up to 8 characters in length almost instantly with current brute force techniques. Increasing your password length to at least 18-20 characters and including mixed numbers, symbols and upper/lowercase letters can significantly improve the time required for a brute force attack. But for many attacks, it may not matter.

We know that cyber-attacks are on the rise. Including attacks on healthcare providers, schools, and almost anyone with data and the ability to pay a ransom. Phishing and other social engineering scams are the most frequent attacks and recent data provided by Microsoft shows that stronger passwords aren’t enough.

Microsoft is one of the world’s largest identity providers. That means they manage more usernames and passwords than most any other organization on earth. These credentials combined with the scale of their global network provides Microsoft with industry-leading statistics on current attack trends. Microsoft sees over 10 million username/password pair attacks every single day.

According to Microsoft’s research, password length requirements may not matter because users choose repeating passwords that are not harder to guess but still meet the length requirements. Examples from their research are: fourfourfourfour and passwordpassword. Both examples would meet a 16-character length requirement but don’t increase security. Long passwords also make it more common for users to write the password down or store it unencrypted. Long password requirements almost guarantee that a password will end up being just long enough to meet the length requirement. This gives hackers a statistical advantage if they know they only need to try 16-character combinations due to the 16-character minimum requirement.

So if length doesn’t matter, what is the general password advice? The key here is that length and complexity do matter in preventing brute force attacks. However, most brute force attacks are relegated to password spray techniques where they slowly attempt the most common passwords across a wide array of sites. Avoiding a password spray attack has little to do with password length or complexity and everything to do with password originality. These password spray attacks use the most common passwords and even guess what would be a common password for a system (e.g. Azure2019! or Office2020!) in their attempts. Since these attacks are usually blocked by security systems after a few attempts, as long as your password isn’t one of the top 50 or 100 most common passwords, you are fairly safe. According to Microsofts’ current data, the 10 most common passwords are:

123456
password
000000
1qaz2wsx
a123456
abc123
abcd1234
1234qwer
qwe123
123qwe

But just because your password isn’t in that list doesn’t make you safe because the top 50-100 password list for any given system could always be changing. Humans are incredibly unique creatures in that we like patterns and when we think we are creating something random; we are actually following a highly predictive pattern. This causes a password that appears complex to actually be highly predictable. A summary of findings from Microsoft are below.

We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a “three strikes” type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the userID’s rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.

So we know passwords alone are not the answer to securing our networks and systems. Fortunately, there is a security solution that can stop 99.9% of all automated credential attacks. Implementing app or hardware-based Multi-factor Authentication (MFA) such as WatchGuard’s AuthPoint can eliminate your company’s number one risk. Don’t settle for SMS or voice call based MFA solutions as voice calls and SMS are transmitted as unencrypted plain text and can easily be intercepted by determined attackers. In the end, implementing MFA is better than passwords alone but moving to a hardware or app-based MFA is often easier to administer and more secure.

Kevin Willette

Kevin Willette is Partner / CEO of Verus Corp. His focus is ensuring complete customer satisfaction and providing as much or as little support as is needed for the individual client. Kevin knows that plenty of places do IT services, but what sets Verus Corp apart is the local feeling and the commitment to doing things right the first time. He has always wanted to be a business owner because it affords him the opportunity to offer a service that was better than anything clients had seen before. His true goal is to help customers make their businesses better by removing potential IT barriers. Kevin served as chair for Habitat for Humanity during his time at Minnesota State University, Mankato. He has also served on the WatchGuard Advisory Council since 2016. Kevin’s work with Verus Corp has helped them achieve awards as the WatchGuard Partner of the Year and Cisco Select Partner. Kevin graduated from Minnesota State in 2000 with a major in Business Marketing and minors in Business Administration and Music.