Passwords Aren’t Safe from Hackers

Sue Marquette Poremba

According to a new survey of people who break into systems for a living, it does not much matter how strong you make your passwords or where you store them: given time, the attackers expect to get them.

Thycotic surveyed attendees at this year's Black Hat conference and found that 75 percent of respondents (the vast majority white hat hackers, with a smaller share identifying as black hats) said no password is safe from hackers, or from the government, for that matter. Half said they would be willing to crack a password for pay, but it would not be cheap, as eSecurity Planet pointed out:

Eighteen percent of respondents would do so for less than $1 million, 10 percent would do it for $1 million to $50 million, and another 23 percent would be willing to hack the iPhone for $50 million to $100 million or more.

So a government or a company might have to pay dearly to get a password cracked, and I have no doubt the hackers could do it. But the same respondents also offered advice that would make their job harder: limit administrative access to accounts, and manage privileged accounts properly. The one that jumped out at me was "protect user passwords with security best practices." In a CIO article, Joseph Carson, a Certified Information Systems Security Professional (CISSP) and head of Global Alliances at Thycotic, said that changing user behavior around passwords is difficult, adding:

[W]hen you are ready to secure end-user passwords, look for solutions that enforce your security policy for password strength and the frequency of password changes, and also provide easy and secure password resets — regularly requiring employees to change their workstation passwords will undoubtedly mean calls to the help desk when new passwords are forgotten.

However, not everyone is sold on the idea of changing passwords frequently. The chief technologist at the Federal Trade Commission has said that mandatory changes can hurt security overall. The reason? Users who must pick new passwords on a schedule fall back on easier ones they can remember, and easier passwords are easier to crack. Research on the topic, Ars Technica reported, found that users required to change their passwords regularly make only small edits to the previous one, such as moving a capital letter or changing a digit. Researchers call such an edit a transformation, and, the article continued:

The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.
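The attack the researchers simulated, as an added example (not code from the article or from the research team): a small Python guess generator built on the transformations the passage names (bumping or adding a digit, moving the capital letter, flipping case, moving a symbol, simple substitutions). It is run two ways, as an online attack that gets five guesses before lockout and as an offline attack against a recovered fast hash, and it ends with the policy check a password-change endpoint could apply to refuse a replacement an attacker who knows the old password would guess. The sample passwords, the rule ordering and the five-guess lockout are my own constructions, not figures from the study.

```python
"""Constructed example: predictable 'transformations' of an expiring password
let an attacker guess the replacement; a change policy can refuse them.
All sample passwords here are invented for the illustration."""
import hashlib
import string

SYMBOLS = "!@#$%"
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def transformations(old: str) -> list[str]:
    """Candidate replacements for `old`, ordered by the rule that produced them.
    Rule order is an assumption; a real attacker would order by observed frequency."""
    cands: list[str] = []

    def add(c: str) -> None:
        if c != old and c not in cands:
            cands.append(c)

    # 1. Increment or decrement an existing digit.
    for i, ch in enumerate(old):
        if ch.isdigit():
            for delta in (1, -1):
                add(old[:i] + str((int(ch) + delta) % 10) + old[i + 1:])
    # 2. Append a digit.
    for d in string.digits:
        add(old + d)
    # 3. Move the capital letter to another position.
    lower = old.lower()
    for i, ch in enumerate(lower):
        if ch.isalpha():
            add(lower[:i] + ch.upper() + lower[i + 1:])
    # 4. Flip the case of a single letter.
    for i, ch in enumerate(old):
        if ch.isalpha():
            add(old[:i] + ch.swapcase() + old[i + 1:])
    # 5. Move a digit or symbol to the start or end.
    for i, ch in enumerate(old):
        if not ch.isalpha():
            rest = old[:i] + old[i + 1:]
            add(rest + ch)
            add(ch + rest)
    # 6. Prepend a digit or symbol, or append a symbol.
    for ch in string.digits + SYMBOLS:
        add(ch + old)
    for ch in SYMBOLS:
        add(old + ch)
    # 7. Leet-style substitutions and whole-string case changes.
    for letter, sub in LEET.items():
        add(old.replace(letter, sub))
    add(old.upper())
    add(old.lower())
    add(old.capitalize())
    return cands


def guesses_needed(old: str, new: str):
    """1-based position of `new` in the guess list, or None if not predicted."""
    cands = transformations(old)
    return cands.index(new) + 1 if new in cands else None


def online_attack(old: str, new: str, lockout: int = 5) -> bool:
    """Online guessing: the attacker gets `lockout` tries before the account locks."""
    n = guesses_needed(old, new)
    return n is not None and n <= lockout


def fast_hash(pw: str) -> str:
    """Stand-in for a leaked fast, unsalted hash (a real store should use a slow, salted KDF)."""
    return hashlib.sha256(pw.encode()).hexdigest()


def offline_attack(old: str, new_hash: str):
    """Offline guessing: no lockout, so every transformation is tried against the hash."""
    for c in transformations(old):
        if fast_hash(c) == new_hash:
            return c
    return None


def levenshtein(a: str, b: str) -> int:
    """Edit distance, to catch small changes the rule list does not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def rejects_trivial_change(old: str, new: str) -> bool:
    """Change policy: refuse a replacement that is a predictable edit of the old password."""
    return (new.lower() == old.lower()
            or new in transformations(old)
            or levenshtein(old.lower(), new.lower()) <= 2)


if __name__ == "__main__":
    old = "Tarheels#1"  # constructed sample
    for new in ("Tarheels#2", "Tarheels#11", "tArheels#1", "Tarheels1#", "correct-horse-battery"):
        print(f"{old!r} -> {new!r}: guesses={guesses_needed(old, new)}, "
              f"online_hit={online_attack(old, new)}, rejected={rejects_trivial_change(old, new)}")
```

The policy check is feasible because a change endpoint already has the old password in clear at that moment: the user must present it to prove ownership. The unsalted SHA-256 stands in for the "recovered hashes" of the quoted experiment, not for how a password store should hash; a salted, slow KDF raises the cost of the offline pass but does nothing for the online one, which is why the predictable-edit check matters on its own.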

So what are we to do? Requiring a second authentication factor would help, since an attacker would then need more than the password. Avoiding predictable transformations when a password is changed would also help, but best practices need to include some way to manage passwords securely (online password managers aren't an option for everyone). I don't think there is an easy answer, but it does hit home that the password has long passed its usefulness as a security tool.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba.


Aug 31, 2016 8:29 AM Cathy says:
That is exactly why we use Single Sign On and multi-factor authentication for the same. Sounds safe, doesn't it? Yup, it is... Made this decision when one of my friends' email was hacked and most of the critical information was deleted and lost as well. This news threatened everyone, but anyway, we are an MSP and we had already been using ScorpionSoftware for password management and SSO, which is keeping our lives easy, and our clients' too. I have been suggesting to all my friends for a decade that they use SSO, but most of the apps come with SSO and MFA nowadays, which are supposed to be safe and secure by default.
Sep 1, 2016 9:13 PM Sillie Abbe says:
Where passwords are not safe, biometrics used with fallback passwords cannot be safe either. It's really worrying that so many people are so tragically misinformed. Biometrics should not be activated where you need to be security-conscious. It is known that authentication by biometrics comes with poorer security than PIN/password-only authentication.
