[New Research] Best Password Practices to Defend Against Modern Cracking Attacks

Today, the Specops research team is publishing new data on how long it takes modern attackers to brute force guess user passwords with the help of newer hardware. This data with the latest addition of over 15 million compromised passwords to the Specops Breached Password Protection service.

“The recent headline-making news of the possibilities of AI have some security researchers and IT teams wondering what this technology means for password security,” said Darren James, Senior Product Manager at Specops Software. “We’ve long known that passwords are vulnerable to brute force cracking attempts. Recent advancements in automation and hardware have made these attacks all the more accessible for today’s cybercriminals.”

What it takes for an attacker to crack a password

Plain text password storage is rare in these modern times, requiring attackers to adopt password cracking methods to make use of the majority of (hashed) password leaks. Most systems today make use of hashing algorithms to protect passwords in storage against the risk posed by an attacker getting their hands on the system’s password database.

How hashing functions work (source: Wikipedia)

Because of the one-way nature of hashing algorithms, the only way to reveal the actual password from a hash is to guess. Wordlists and other tools make this task a bit easier for an attacker but the number of attempts it would take to achieve a correct answer is too much for any single human to do on their own. Enter hardware and password cracking software like L0phtcrack, John The Ripper, or Hashcat, to name a few.

Different hashing algorithms take different amounts of time for password cracking software and hardware to crack. Older ones like SHA-1 and MD5 are not considered as secure because of how quickly modern cracking software can break through them; however, MD5 is still among the most frequently cited hash algorithm in found leaks.

“Even if your organization has been able to configure more secure hashing algorithms to secure the passwords used throughout systems for your organizations, MD5 and other insecure hashing methods pose a threat to you. The threat is password reuse,” said James. “Your users’ work passwords could be stored in the most secure way but the minute they reuse that password on some less secure website and that website gets leaked; that attacker could be coming for your network.”

With the prevalence of MD5 in mind, let’s take a look at how long it might take a criminal to brute force guess passwords hashed with MD5.

The above table shows time to crack via brute-forcing given hashes with modern hardware with the following assumptions:

• Hardware: the Nvidia RTX 4090. Currently the best value-for-money generally available hardware to perform password cracking attacks with. This is a flagship gaming GPU which can be purchased by consumers, and is largely affordable with an MSRP of around $1599 USD. In order to generate this data, we are using a hypothetical system comprised of 4x Nvidia RTX 4090s. This is a setup that is approachable for bad actors that might be attempting to use password leaks to achieve access to an organization’s accounts.

• Software: Hashcat. Generally, a stock RTX 4090 will achieve approximately 164 GH/s in Hashcat (that can be thought of as 164 000 000 000 password guesses/second).

The above hardware assumptions may sound expensive; however, with ransomware payments in the millions, the cost can seem minimal. Even still, some attackers may find faster and cheaper results with cloud services.  

How to defend against password cracking attempts

The proliferation of new hardware and automation technology has made it easier for attackers to crack the passwords used to login to your network.

To protect against password cracking attempts, IT teams have a few options:

• Remove passwords
• Add MFA
• Improve password security

The first option of removing passwords eliminates the need to defend against password cracking attempts; however, it’s not feasible for most environments. Passwords remain an essential part of many organization environments and therefore need another approach.

The second option of adding MFA is a great way to improve security. Organizations can add MFA to password resets, to end user verification at the service desk, to key recovery and more. However, it’s not always possible for organizations to add MFA in all use cases and MFA itself is vulnerable to its own attacks.

The third option of improving password security is an important part of a layered protection defense. Improving the security of the password itself improves security across all parts of an organization’s network where the password is still required for authentication.

The best password policy to defend against password cracking attempts

As you can see in the above table, the best password policy encourages a longer password. Features like length-based aging and encouraging the use of passphrases can help IT teams with getting their users to select longer passwords.

However, long passwords are rendered useless when they show up on compromised password lists.

As this table easily illustrates, password length is not the only important piece of a good password policy. Blocking the use of known compromised passwords is an essential part of defending against password guessing attacks.

“The IT teams we speak to have always known this to be true,” continued James, “but hopefully these password cracking tables can be helpful in getting buy-in from other decision makers who might not be as aware of the danger of weak or compromised passwords. Blocking the use of known compromised passwords needs to be a priority in any password security program.” 

How to Find Compromised Passwords Like These in Your Network

Today’s update to the Breached Password Protection service includes an addition of over 8 million compromised passwords to the list used by Specops Password Auditor.

You can find how many of your passwords are either compromised or identical with a scan from Specops Password Auditor. Specops Password Auditor does not store Active Directory data, nor does it make any changes to Active Directory.

Decrease Your Password Reuse Risk by Blocking Compromised Passwords 

With Specops Password Policy and Breached Password Protection, organizations can prevent the use of passwords like these and over 4 billion more known unique compromised passwords. These compromised passwords include ones used in real attacks today or are on known breached password lists, making it easy to comply with industry regulations such as NIST or NCSC.

Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real world password attacks happening right now. The Breached Password Protection service blocks these banned passwords in Active Directory with customizable end-user messaging that helps reduce calls to the service desk. See how with a demo or free trial.