98.5% Of Passwords Fail This Hacking Test — How Secure Is Yours?

Nearly all passwords are unfit for purpose according to new research.
We’ve all read the headlines: Gmail and Outlook accounts at risk, Apple passwords targeted, even Linux passwords vulnerable to attack, and, of course, the now-infamous 16 billion passwords leaked story. The inescapable truth is that attackers want access to your accounts, and hacking your password is the easiest option. When I say easy, I mean easy. A newly published analysis of 10 million passwords from a list of 1 billion compromised credentials has revealed that a staggering 98.5% were considered weak and unfit for purpose. Sure, the fact that they had already been compromised suggests this would likely be the case, but the question remains: does your password pass the hacking test?
Do Your Passwords Pass The Hacking Test?
By mapping out what the report refers to as a heat map of password complexity and length, it was determined that only 1.5% of the total could be considered strong. By any benchmark, I think we can all agree that strong should be regarded as the minimum requirement for a password. That means 98.5%, or 9.85 million of the 10 million sample, were simply unfit for purpose. Users are, the report concludes, still creating “weak passwords that could be used as simple attack routes for hackers.”
Now, smelly stuff and Mr Holmes might spring to mind in response, given that these were, as mentioned, a sample of compromised passwords. But that is missing the point, or rather points. Weak passwords are low-hanging fruit that are picked off by automated password hacking machines without any need for skilled human intervention. “Once an attacker gains one set of valid credentials,” the Specops team said, “they can pivot through the network, escalate privileges, and exfiltrate sensitive data.” And they can do all of that without tripping the security alarm, nine times out of ten. “Despite years of training, many users still choose weak, easily guessed combinations that cybercriminals can crack in seconds,” Darren James, senior product manager at Specops, said. They failed the password hacking test, in other words.
The Passwords Hacking Test Explained
The hacking test that your passwords need to pass in order to be considered fit for purpose, or at least not weak, as defined by the Specops research team for the purposes of the analysis, can be thought of as follows:
Your password must be at least 15 characters long and contain at least two different character classes, such as upper- and lowercase letters, digits and symbols.
I’d argue that this should be seen as a bare minimum in terms of password construction, but you have to have a baseline, and this suffices. The Specops team explained that “every extra character multiplies the keyspace by the size of your chosen alphabet,” and this exponential growth of combinations makes it harder for brute-force password crackers to operate. “Even with GPU- or ASIC-powered rigs churning through trillions of guesses per second,” the report said, “pushing beyond 15 characters pushes the expected crack time from hours into years or centuries.”
Again, I’d argue it’s not quite that simple, as the existence of password lists, with billions of compromised credentials, makes the task easier even when these minimums have been met, assuming those passwords are reused and are not unique. You can add uniqueness, therefore, to the password hacking test pass requirement.
The same keyspace multiplication factor applies to the introduction of mixed character classes. Adding digits to a lowercase alphabet expands its size from 26 to 36 characters, which, the researchers said, “boosts the keyspace by (36/26)¹⁶ ~ 2.5× on top of your length gain.”
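The test as described above (15+ characters, at least two character classes, plus the uniqueness requirement of not appearing in a breach list), written out as an added example in Python; this is not Specops’ own tooling, and the breach list it checks against is a constructed stand-in, not real leaked data.

```python
import math
import string

# Constructed stand-in for a breach corpus (not real leaked data).
BREACHED = {"password123", "Summer2024!", "correct horse battery staple"}

# The four character classes the test counts, with their alphabet sizes:
# lower 26, upper 26, digit 10, symbol 32 (string.punctuation).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}

def classes_used(pw):
    """Names of the character classes that actually appear in pw."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in pw)}

def keyspace_bits(pw):
    """log2(alphabet_size ** length): the brute-force search space the
    article describes. Each extra character adds log2(alphabet) bits, so
    lower-only (26) gains ~4.7 bits per character, lower+digit (36) ~5.2."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def hacking_test(pw, breached=BREACHED, min_len=15, min_classes=2):
    """Return (passed, reasons). A password passes only if it meets the
    length and class minimums AND is not already in the breach list."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"too short ({len(pw)} < {min_len})")
    used = classes_used(pw)
    if len(used) < min_classes:
        reasons.append(f"only {len(used)} character class(es)")
    if pw in breached:
        reasons.append("appears in breach list")
    return (not reasons, reasons)

def audit(passwords, breached=BREACHED):
    """Run the test over a sample and return (percent_strong, per-password results),
    the same kind of figure the report derives for its 10 million sample."""
    results = {pw: hacking_test(pw, breached) for pw in passwords}
    strong = sum(1 for ok, _ in results.values() if ok)
    return 100.0 * strong / len(passwords), results

if __name__ == "__main__":
    pct, res = audit(["password123", "correct horse battery staple",
                      "Tangerine-Bicycle-7-Lamp"])
    for pw, (ok, why) in res.items():
        print(f"{pw!r}: {'PASS' if ok else 'FAIL'} {why} ({keyspace_bits(pw):.1f} bits)")
    print(f"{pct:.1f}% of sample passed")
```

Note that a long single-class passphrase still fails the class rule as the report defines it, which is why the check reports every failing reason rather than stopping at the first.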
So, do your credentials pass the passwords hacking test? If not, you’d better change them pronto. In fact, you might want to follow the advice of Google and Microsoft and change them anyway, to the much more secure passkeys alternative.