What nine letter word brings heartburn to every CISO? Passwords.

Passwords remain essential in almost every environment today, except those using more advanced authentication techniques, yet weak passwords — and even weaker employees who ignore policies and (inadvertently) give them away — arguably cause more grief to infosec pros than anything else.

Despite regular awareness training, a significant number of staff still don’t get the importance of creating passwords that are long enough and don’t use common words or repeat strings — for example, when asked to change a password, a user alters “myFordworks” to “myFordworks2.”

Perhaps employees might get the message if they were told of the experiment run by an unnamed Fortune 500 company and outlined in a blog on the SANS Institute’s InfoSec Forum. The security team wanted to find out if an analysis of the password history of employees could show how weak most passwords are, as well as how often they weaken security by re-using words and numbers.

So they put together a computer for about US$2,000, pulled hashed user password files — which include the history of  all previous passwords — from Active Directory and did an analysis.

The results were staggering.

“We clearly demonstrated that a moderate cracking rig run by people who don’t crack passwords as their job can achieve devastating results in very little time,” the author writes. Eight-character passwords “are not in any way long enough to stave off password cracking as an effective attack against them. A good wordlist and set of rules can effectively crack most of them in minutes or seconds, and brute force can crack all of them within days.”

One of the things the test wanted to examine is whether having staff change passwords regularly — every 30 days, for some senior people at the company — would make a difference, or whether a longer period would be as secure.

The conclusion: No password rotation policy will make a difference on an unsafe password.

There is a caveat here: Those cracked (20 per cent of the 974,000 analyzed so far) were the easy ones. It took the team six days of cracking time to do the work, but the author figures that in the real world it would have taken several weeks.

Still, consider these numbers:

–2 minutes – the time taken for the first pass with a wordlist and 64 rules to crack the first 38,000 passwords;

–Just under five days – time taken to brute force all passwords up through eight characters in length;

–12 – the average number of passwords cracked per user account (either because they used a poor password, or it was eight characters or less, or both);

–87.8 per cent of the passwords cracked were broken using the easily available CrackStation password cracking wordlist, a compilation of dictionary words, leaked password databases and books. By comparison, only 12.2 per cent of the passwords were cracked via brute force. The lesson, the author says, is that using wordlists is very efficient;

–27 characters – the longest password cracked. It was a name and digits repeated several times (Lesson: Employees do understand they have to use more than eight characters, and they still cheat). Someone used “Thisisalongpassword.” That wasn’t bad — except they used the string more than once, so it was cracked. (Lesson: See above.)
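The habits the experiment exposed (short passwords, dictionary words, a chunk repeated to pad out the length, and “myFordworks” becoming “myFordworks2” at rotation time) are all things a password-change check can catch before the password ever reaches the directory. The following is an added example, not code from the article or from the company it describes. It assumes a 15-character minimum (the article gives no recommended length), a small constructed word set standing in for a CrackStation-style list, and password history stored as salted SHA-256 digests; a real deployment would plug in the directory’s own history store and hash format.

```python
"""Pre-change password checks modelled on the weaknesses the article describes.

All policy values, the word set and the hashing scheme are assumptions for
illustration; they are not the article's or any vendor's own settings.
"""
import hashlib
import re
from typing import Iterable, List, Set

MIN_LENGTH = 15  # assumed policy value; the article gives no recommended length

# Constructed stand-in for a large cracking wordlist (CrackStation-style).
COMMON_WORDS = {
    "password", "welcome", "summer", "ford", "company", "letmein",
    "thisisalongpassword",
}

# Cheap substitutions that cracking rule sets undo routinely.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

SALT = b"constructed-demo-salt"  # constructed; real stores use per-user salts


def salted_hash(pw: str, salt: bytes) -> str:
    """Illustrative history hash (salted SHA-256); not a directory's real format."""
    return hashlib.sha256(salt + pw.encode("utf-8")).hexdigest()


def normalize(pw: str) -> str:
    """Lowercase, drop leading/trailing digits and symbols, undo leetspeak.

    'P@ssw0rd2019!' -> 'password', the form a wordlist hit would be found in.
    """
    base = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", pw.lower())
    return base.translate(LEET)


def stems(pw: str) -> Set[str]:
    """Candidate previous passwords this one may be a trivial variant of.

    Covers 'old + digit', 'old with a different trailing digit', and case
    changes, i.e. the 'myFordworks' -> 'myFordworks2' rotation trick.
    """
    out = {pw}
    core = re.sub(r"[^A-Za-z]+$", "", pw)        # strip appended digits/symbols
    out.add(core)
    out.add(re.sub(r"^[^A-Za-z]+", "", core))    # and prepended ones
    for s in list(out):                          # old one may have ended in 0-9
        out.update(s + d for d in "0123456789")
    for s in list(out):
        out.update({s.lower(), s.upper(), s.capitalize()})
    out.discard("")
    return out


def check_new_password(new_pw: str, history_hashes: Iterable[str],
                       salt: bytes) -> List[str]:
    """Return a list of problem codes; an empty list means the password passes."""
    problems: List[str] = []
    if len(new_pw) < MIN_LENGTH:
        problems.append("too_short")

    base = normalize(new_pw)
    # Substring scan is fine for a tiny set; a real list needs a token lookup.
    if any(len(w) >= 4 and w in base for w in COMMON_WORDS):
        problems.append("common_word")

    # Any chunk of four or more characters that occurs twice (case-insensitive):
    # 'john123john123john123' style padding.
    if re.search(r"(.{4,}).*\1", new_pw, re.IGNORECASE):
        problems.append("repeated_chunk")

    # Hash every plausible stem and compare against stored history digests.
    stored = set(history_hashes)
    if any(salted_hash(s, salt) in stored for s in stems(new_pw)):
        problems.append("history_variant")
    return problems


# Constructed history for the demo: two earlier passwords for one account.
DEMO_HISTORY = [salted_hash(p, SALT) for p in ("myFordworks", "Summer2019!")]

if __name__ == "__main__":
    for candidate in ("myFordworks2", "Thisisalongpassword",
                      "john123john123john123", "Gr4nite-Kettle-Velvet-Orbit!"):
        print(f"{candidate!r}: {check_new_password(candidate, DEMO_HISTORY, SALT) or 'ok'}")
```

The history comparison works from the hashed side on purpose: the checker never needs the old passwords in clear, it only needs to hash each candidate stem with the account’s salt and look for a match, which is the same data the article’s team pulled from Active Directory. The repeated-chunk regex is deliberately case-insensitive so that “Name123Name123” is caught even when the user varies capitalisation between copies.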

What should infosec pros take away from this? First, two- or multi-factor authentication is essential today. Second, enterprise-strength password managers are more important than ever. So is repeating security awareness training.