Image generated by OpenAI's DALL·E
Passwords are still a central part of cybersecurity. Despite regular recommendations on password security from institutions such as the Federal Office for Information Security (BSI) and the National Institute of Standards and Technology (NIST), significant risks remain. In this article, we analyze the current recommendations, their vulnerabilities and alternative approaches to increasing password security.
Current recommendations from the BSI and NIST
The BSI's recommendation in Germany that passwords should be at least eight characters long has been in place for many years. In its current guidelines, the BSI emphasizes that a good password should be at least eight characters long, and recommends a combination of upper and lower case letters, numbers and special characters.
This recommendation was repeated and updated as part of the IT-Grundschutz Compendium, most recently in 2020.
NIST likewise focuses on password length, and also recommends a minimum of eight characters. It places less emphasis on complexity and more on length and simplicity for the user. This policy was first established in NIST Special Publication 800-63B in 2017.
Criticism of the current recommendations
Although the recommendations of the BSI and NIST are regularly updated, there is considerable criticism. Eight-character passwords are now easy to crack using brute force attacks. The increasing computing power of modern graphics cards and specialized brute force tools make it possible to test a huge number of password combinations in a short period of time.
It was already known before 2017 that captured NTLM hashes, which Microsoft uses to "encrypt" all passwords on end devices and in Active Directory, were particularly vulnerable to such attacks. The NTLM hash of an eight-character password can be cracked within hours, sometimes even minutes, using modern graphics cards.
Increasing computing power and the availability of specialized brute force tools make it possible to test a huge number of password combinations in a short period of time.
Regular password changes
BSI and NIST have changed their stance on regular password changes, and both no longer recommend them, since users tend to fall back on patterns that are easy to guess. For example, users may pick passwords like "Summer2021" or "Walmart2021", which are even easier for attackers to crack.
On this point you have to agree with the BSI and NIST to some extent: users tend to keep using the same passwords or only change them slightly. However, it took a company on average 204 days globally to detect leaked credentials. Only company passwords are considered here; however, 51% of employees use the same password privately and professionally, and on at least five or more websites.
In view of these points, the choice of an "only" eight-character password should be carefully considered: not only can a leaked password hash be cracked within a few hours, but such passwords also remain active for an "indefinite" period of time and can serve as a gateway for attacks on both private and professional accounts. Last year, around 49% of all cyberattacks started with a leaked password.
The password standard has been stuck at eight characters for too long
Password cracking methods have evolved significantly since the days of John the Ripper and Cain & Abel. A decisive advance lies in the use of graphics cards instead of slow processors. GPUs are designed to perform simple calculations very quickly, making them ideal for trying out password combinations. Thanks to their ability to perform such calculations at high speed, GPUs can crack passwords much faster by going through all possible combinations of letters, numbers and special characters.
In contrast to many other security standards, the "best practice" of eight-character passwords has not evolved. This represents a significant security risk for modern Windows domains. For sophisticated attackers, it is easy to obtain an encrypted Windows hash using a tool like Responder and crack it using a powerful GPU system - often this only takes a few minutes. These "successes" can either be used directly in the attack to cause even more damage or sold on the DarkNet.
The math behind password cracking
The number of possible combinations of a password depends on the length of the password and the number of characters available in the character set.
Assume a password consists of the following characters - which corresponds to the Active Directory default setting:
Capital letters (A-Z)
Lowercase letters (a-z)
Digits (0-9)
For an 8-character password, that would be 26 characters for uppercase letters, 26 characters for lowercase letters and 10 characters for numbers. This results in a total of 62 possible characters (26 + 26 + 10 = 62), and raising that to the power of the desired password length gives 62^8. The following table shows how large the difference to a 9-character password is. It should be noted that this is the "worst case", i.e. the passwords can also be cracked earlier.
| Length | Possible combinations (upper- and lowercase letters and numbers) | Time to crack | Cost ($28.152/h) |
|---|---|---|---|
| 1 | 62 | < 1 ms | < $0.01 |
| 2 | 3,844 | < 1 ms | < $0.01 |
| 3 | 238,328 | < 1 ms | < $0.01 |
| 4 | 14,776,336 | < 1 ms | < $0.01 |
| 5 | 916,132,832 | 3 ms | < $0.01 |
| 6 | 56,800,235,584 | 1.83 seconds | $0.01 |
| 7 | 3,521,614,606,208 | 1:53 minutes | $0.89 |
| 8 | 218,340,105,584,896 | 1:57 hours | $54.89 |
| 9 | 13,537,086,546,263,552 | 5 days | $3,403.07 |
| 10 | 839,299,365,868,340,224 | 312 days | $210,990.42 |
| 11 | 52,036,560,683,837,093,888 | 53 years | $13,081,405.74 |
| 12 | 3,226,266,762,397,899,821,056 | 3,288 years | $811,047,155.71 |
The table above reflects a password without special characters; in practice, users tend to draw on around 10 special characters, some of which also end up in their passwords.
If we now adjust the table to include the special characters, we get the following.
For an 8-character password, that would be 26 characters for uppercase letters, 26 characters for lowercase letters, 10 characters for numbers and 10 special characters (e.g. !, @, #). This results in a total of 72 possible characters (26 + 26 + 10 + 10 = 72), and raising that to the power of the desired password length gives 72^8.
| Length | Possible combinations (upper- and lowercase letters, numbers and special characters) | Time to crack | Cost ($28.152/h) |
|---|---|---|---|
| 1 | 72 | < 1 ms | < $0.01 |
| 2 | 5,184 | < 1 ms | < $0.01 |
| 3 | 373,248 | < 1 ms | < $0.01 |
| 4 | 26,873,856 | < 1 ms | < $0.01 |
| 5 | 1,934,917,632 | 6 ms | < $0.01 |
| 6 | 139,314,069,504 | 4.48 seconds | $0.04 |
| 7 | 10,030,613,004,288 | 5:22 minutes | $2.52 |
| 8 | 722,204,136,308,736 | 6:26 hours | $181.55 |
| 9 | 51,998,697,814,228,992 | 19 days | $13,071.89 |
| 10 | 3,743,906,242,624,487,424 | 3 years | $941,175.90 |
| 11 | 269,561,249,468,963,094,528 | 274 years | $67,764,664.48 |
| 12 | 19,408,409,961,765,342,806,016 | 19,784 years | $4,879,055,842.41 |
Duration and maximum cost calculations assume one AWS EC2 instance (p3.16xlarge) and an hourly price of $28.15. There are many other instances, some with even more GPU performance at a sometimes even cheaper price. The duration was calculated with a measured average hashing rate of 31,107.2 MH/s.
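As an added worked example (not code from the original post), the script below reproduces both tables from the keyspace formula and the stated assumptions: an exhaustive search of charset_size^length candidates, a hash rate of 31,107.2 MH/s, and one p3.16xlarge at $28.152 per hour. The class sizes (26, 26, 10, 10) are the article's own; the `estimate` helper, which sizes the alphabet from the character classes a given password actually uses, and the constructed sample password `Xk7pQ2mT` are assumptions added here.

```python
"""Worst-case brute-force time and cost for passwords.

Reproduces the article's tables under its assumptions: every candidate in the
keyspace is tried, one p3.16xlarge at $28.152/h, measured NTLM rate 31,107.2 MH/s.
Added example, not the original post's code.
"""

import string

# Character-class sizes as the article counts them; the 10 "special"
# characters are the article's estimate of what users typically draw on.
CLASS_SIZES = {"upper": 26, "lower": 26, "digit": 10, "special": 10}

HASH_RATE_HPS = 31_107.2e6       # 31,107.2 MH/s, from the article
INSTANCE_USD_PER_HOUR = 28.152   # p3.16xlarge hourly price used in the tables


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords for an alphabet of charset_size and a given length."""
    return charset_size ** length


def crack_seconds(charset_size: int, length: int, rate_hps: float = HASH_RATE_HPS) -> float:
    """Worst case: the whole keyspace is hashed at rate_hps."""
    return keyspace(charset_size, length) / rate_hps


def crack_cost_usd(charset_size: int, length: int,
                   rate_hps: float = HASH_RATE_HPS,
                   usd_per_hour: float = INSTANCE_USD_PER_HOUR) -> float:
    """Rental cost of the worst-case run on a single instance."""
    return crack_seconds(charset_size, length, rate_hps) / 3600 * usd_per_hour


def human_duration(seconds: float) -> str:
    """Coarse, table-style rendering of a duration."""
    if seconds < 1e-3:
        return "< 1 ms"
    if seconds < 1:
        return f"{seconds * 1000:.0f} ms"
    if seconds < 60:
        return f"{seconds:.2f} s"
    if seconds < 3600:
        return f"{seconds / 60:.1f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.2f} h"
    if seconds < 365 * 86400:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / (365 * 86400):.0f} years"


def worst_case_table(charset_size: int, lengths=range(1, 13)):
    """Rows of (length, keyspace, time, cost) for one alphabet size, like the article's tables."""
    return [(n,
             keyspace(charset_size, n),
             human_duration(crack_seconds(charset_size, n)),
             round(crack_cost_usd(charset_size, n), 2))
            for n in lengths]


def classes_used(password: str) -> set:
    """Which of the article's four classes appear in the password."""
    used = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            used.add("upper")
        elif ch in string.ascii_lowercase:
            used.add("lower")
        elif ch in string.digits:
            used.add("digit")
        else:
            used.add("special")
    return used


def estimate(password: str) -> dict:
    """Worst-case exhaustive-search cost for a password of this shape (assumed helper).

    Only the classes the password actually uses count toward the alphabet.
    A dictionary word or a pattern such as Summer2021 falls far below this bound.
    """
    size = sum(CLASS_SIZES[c] for c in classes_used(password))
    n = len(password)
    return {"length": n, "alphabet": size, "keyspace": keyspace(size, n),
            "seconds": crack_seconds(size, n),
            "cost_usd": round(crack_cost_usd(size, n), 2)}


if __name__ == "__main__":
    for size in (62, 72):
        print(f"alphabet {size}")
        for n, space, t, cost in worst_case_table(size):
            print(f"  {n:2d} | {space:>31,} | {t:>12} | ${cost:,.2f}")
    # Constructed sample: 8 characters, upper + lower + digits -> alphabet of 62.
    print(estimate("Xk7pQ2mT"))
```

Running the script prints both tables, including the $54.89 and $181.55 figures for eight characters; `estimate` shows the same bound for any concrete password and makes the one-character jump from $54.89 to $3,403.07 visible when a ninth character is added.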
The solution
In a previous blog post, Authentication Reinvented: Passwordless in the Digital Future, I had already discussed the future of passwords; there I made the following claim:
In summary, hypothetically, passwords are insecure and expensive.
Now this can be taken a step further: by the figures above, cracking a typical user password costs $54.89. A relatively small price for an attacker to pay when you consider the damage $55 can do to the company.
Based on our conclusions above, increasing the password length by just a single character significantly increases the chances of the password not being cracked. Adding two characters makes it very unlikely (unless it's a dictionary word).
Even multi-factor authentication can only offer limited protection here, as we can read in the following article: From Illusion to Reality: The Dark Sides of Multi-Factor Authentication (MFA). In the long term, only completely passwordless authentication methods can offer us a real solution to this problem, since cracking speeds will keep increasing over time.