Password leaks from public breaches help us learn how people think, allow us to identify patterns and build dictionaries of passwords. As password cracking methods evolve, Upper characters, Lower characters, Special characters and Digits (ULSD) recommendations and password complexity mean less.
People reuse passwords. They rotate them. Add a digit to them. And even use identical or share passwords with others. As data scientists, it is our job to go deeper, and identify the common human behavior. For example, we’ve seen how local culture impacts passwords, where local football team names are commonly used as passwords.
The problem is that only about 1% of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.
People need patterns to remember things, and to feel more secure they use a combination of ULSD. But ULSD itself has its own patterns. Most common? Take a word. Capitalize it and add digits to the end. Sound familiar? The majority of people do this.
At Preempt we have taken this a step further and analyzed passwords as they relate to recent large account breaches at companies like LinkedIn, Yahoo, etc. We have found there is a common denominator with regard to passwords between breaches -- and it is much greater than you think.
Stats and Findings:
Many people use (very) weak passwords
Preempt researches worldwide user account compromise and large-scale account breaches. Let’s take for example the relatively recent high-profile Linkedin breach. One thing is certain, any person that used the same password for Linkedin as they did for their work account (or other account), is currently vulnerable within these other accounts. Unfortunately, there are many users that don’t make that connection. Their LinkedIn account was breached, so they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are actually exposed in all of those places as well. For IT security teams, this is an unknown vulnerability they have to deal with.
We set out to answer the question: How many Linkedin accounts were weak PRIOR to LinkedIn breach?
To answer this, we compared how many passwords in LinkedIn’s password dump were already known from previous password dictionaries that had been established. The results were staggering 63,588,381 (~35%) of accounts used previously known passwords to begin with. No matter how complex these passwords were, they are considered weak because they can be quickly cracked offline by matching against a wordlist of known (or previously used) passwords.
Most Passwords Can Easily Be Cracked
After we looked at password weakness, we wanted to determine how easy passwords might be to crack. To do this, we estimated the relative strength of account passwords within a general organization. To be as conservative as possible, we made the following three assumptions:
- Users are not sharing passwords between themselves or other accounts.
- Some variation of Microsoft password policy recommendations is in place. Specifically:
- Users use passwords with 10 characters or less. (From our research, aside from some very security focused organizations with very specific policy for admins, more than 90% of organization don’t require more than 8 character passwords.)
- MS password complexity is turned on.
- Attackers are able to obtain and exfiltrate password challenges to crack passwords. Attackers have many ways to achieve this (e.g NTLM Relay). An overview of these techniques is a topic for another blog post.
We then tried to compute how much time would it take to crack a password with brute force, using standard off-the-shelf cracking hardware (assuming MD4 which is still widely used, standard cracking software [like this] doing a modest 25B hash/sec). We then created three password models:
- Low Complexity - only password length is enforced.
- Medium Complexity - password length and complexity is enforced. Users have common ULSD patterns (e.g initial letter is capitalized, last letter is a digit).
- High Complexity - same as medium complexity, but users are aware not to use common ULSD patterns.
Time required to crack passwords (10 characters) using standard hardware
As can be seen, results are astounding: Low complexity passwords can be cracked in less than a day, medium complexity passwords are cracked in less than a week and high complexity password are cracked in less than a month.
Now for security teams, do you know how many users in your organization have:
- Password with 10 characters or less?
- Passwords that follow conventional ULSD patterns?
- How often your users change their passwords?
Here are some facts we’ve learned:
- Password complexity isn't working - passwords can meet complexity and still be considered weak because of password dictionaries.
- Passwords are not unique - people reuse passwords and newly leaked dictionaries contain previously leaked passwords.
- Passwords follow patterns - in most cases, the top 100 patterns will crack the majority of passwords in an organization.
- Password cracking is easy - depending on hardware resources, it can take only seconds to minutes to brute force most passwords.
- Passwords are shared between users - people share passwords, use identical passwords and duplicate passwords between services.
- Password expiration policy is not enforced - frequent password change policies are disabled, and many times specifically for executives (e.g. CEO) with highly sensitive profiles.
So, what does this mean? ULSD essentially doesn’t matter. It is important to educate employees, and individuals in general, about password strength and levels of risk following recent breaches. If you use the same username and/or login for multiple websites, you're putting yourself at significant risk.What else can you do?
- Use a password policy to enforce complexity and password expiration. (Note: Preempt can help force a password change when there is an indication that a password was compromised or is considered weak.)
- Require longer passwords (8 bad, 10 ok, 12 good)
- Educate people to:
- Not share passwords with other employees
- Not share passwords with other cloud services
- Not use simple patterns, personal data or common words (make it unpredictable)
- Not repeat passwords when a password expires (enumeration included)
- Add additional factors to authenticate users. For example, on suspicious logins, you could send end users a simple email notification or push an immediate notification to their mobile device. (Preempt can help in such cases.)
- Implement a context based solution - train and enforce password policy based on users activity (1b, 4).
To help security teams get ahead of this problem today, we have developed a quick and easy freemium tool called Preempt Inspector. Preempt Inspector helps IT Security Managers identify accounts that have weak passwords as well as accounts where passwords are duplicates. We recommend not allowing users to use known passwords even if they meet password complexity rules.
With the Preempt Behavioral Firewall, organizations can take it a step further and automate the response with minimum effort. The Behavioral Firewall can force users to change their passwords, demand a second factor during authentication (or when accessing resources or other network activities), and most importantly, it can constantly evaluate the strength of passwords until users learn to avoid weak passwords.
Researchers that have analyzed leaked passwords have found that passwords are not unique, often repeated and there are many duplicates. Stats can be found all over the internet to support this, however if you would like to read more, I recommend blog.korelogic.com. They have also have a post on the top 100 common passwords patterns https://blog.korelogic.com/blog/2014/04/04/pathwell_topologiesFor interested readers, Skip Duckwall, a notable IT security blogger, published a nice Google spreadsheet where you can tinker with numbers and derive cracking times under different assumptions yourself.