Weak passwords are not defined by specific characteristics alone, such as the number of characters or the kinds of characters used. Those characteristics only have meaning in the context of the computing power and capabilities available to an attacker. For example, in the 1970s and 1980s a five- or six-character password would have been very resistant to attack, but today many systems can crack such a password in seconds. What was sufficiently long thirty or forty years ago is no longer sufficient today.
So weak passwords are defined by specific characteristics in context, and the bad news is that the context keeps changing (good news if you want or need lots of computing power for non-malevolent goals). Computers of the 70s and 80s ran at clock rates measured in kilohertz and megahertz, with no commonly accessible system operating near or above 100 megahertz (processor speed is measured in hertz, or cycles per second: a kilohertz is a thousand cycles per second, a megahertz a million, and a gigahertz a billion). In the 90s, particularly the second half of the decade, we saw a flood of systems operating at or above 100 megahertz. Since 2000, most standard processors have been measured in gigahertz, from 1 gigahertz to more than 4 gigahertz today, and they have gained multiple cores, from a single core to 12 cores or more.
The trend will continue, though some experts predict it will slow until quantum computing takes off. Many newer “computing devices” also operate below 100 megahertz again today, because they are specialty devices, from the controller in your refrigerator to those that run an automobile's electrical systems and features.
Evolving Threats: From Single Machines to Distributed Power
Suppose the increase in computing speed does slow, and many newer devices deliberately use slower processors. Does that mean the continual increase in required password length and complexity will level off as well? The answer is a firm no, and the reason is simple.
Processing Power and Password Cracking
In the 1980s and for most of the 1990s, we were concerned with the processing power of a single computing device. With the proliferation of the Internet, we must now be concerned with combined processing power. For example, imagine that an industrial plant has one thousand IoT devices, each with a 50 megahertz processor. If an attacker finds a way to gain control of all of them, she has the equivalent of 50 gigahertz of processing power at her disposal. Even if we assume significant processor consumption by the devices' own tasks, so that only half of the capacity is left to the attacker, she still has 25 gigahertz. (Summing clock rates is a crude proxy, since a 50 megahertz microcontroller does far less work per cycle than a desktop or GPU core, but password guessing splits evenly across any number of machines, so the point about aggregate capacity stands.)
The Rise of Distributed Brute Force Attacks
Now expand this to the Internet, not just the local IoT network. If the attacker can find ten similar networks of Internet-connected IoT devices that she can control, each averaging one thousand devices, she now controls the equivalent of between 250 and 500 gigahertz of processing power.
In addition to Internet-connected devices, attackers today can use GPUs (Graphics Processing Units), which are present in many systems and designed for graphics processing. That work is numerically intensive and massively parallel, and password guessing has the same shape: each candidate is hashed independently, so thousands of GPU cores can test candidates at once, which is why GPUs work phenomenally well for cracking. The overall point is simple: attackers will continue to find ways to crack ever longer passwords faster and faster.
The Impact of Technological Advancements
As an example, Hive Systems released a table in 2020 showing the time required to crack passwords of various lengths and character sets, and updated it in 2022. The original table was based on a GPU available in 2020, the new one on a faster GPU available in 2022. In the two years between the reports, the time required to crack a given password fell by 35 to 40 percent. For example, a ten-character password with numbers, upper and lower case letters, and symbols was listed at five years in 2020 but three years in 2022, and the same kind of password at eight characters went from eight hours to five hours (read the full report from Hive Systems). Two caveats apply to any such table. First, it assumes the password is stored with a fast hash such as MD5 that a GPU can evaluate billions of times per second; a deliberately slow, salted password hash such as bcrypt or Argon2 makes each guess orders of magnitude more expensive and moves every figure accordingly. Second, each additional character drawn from a 95-symbol alphabet multiplies the number of candidates by 95, so the ten- and eleven-character rows of a single table should differ by nearly two orders of magnitude; where quoted figures do not, treat the individual cells as approximate and the keyspace arithmetic as the reliable part.
Shifting Landscape of Password Strength
The good news is that an eleven-character password containing upper and lower case letters, numbers, and special characters was still listed at 34 years. Because the work divides evenly across machines, cracking it in one year would take about 34 GPUs sharing the load, and cracking it in one month about 34 × 12, or roughly 400 GPUs. So a password of eleven or twelve characters meeting the complexity requirements above was still quite resistant in 2022, provided it was stored as a hash and not recoverable some easier way. However, one should not get too comfortable. What follows is a rant; if you came only for the numbers above, you may want to stop here, but I encourage you to read on.
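The arithmetic behind those tables, written out as an added example (this is not code from the original article or from Hive Systems). It assumes a 95-character alphabet for the "numbers, upper, lower, symbols" case and treats the per-GPU guess rate as a parameter rather than a measured figure, because the real rate depends on the hash algorithm and the hardware. It also covers the split-the-load arithmetic from the botnet paragraphs above (a 34-year job divided across 34 GPUs), and the effect of a slow password hash expressed as "equivalent extra characters".

```python
"""Keyspace and time-to-crack arithmetic for offline password guessing.

Assumptions (not from the original article): 95 printable ASCII characters
for the four-class case; guess rates are illustrative parameters, not
measurements of any particular GPU.
"""
from math import log, log2

# Alphabet sizes for the character classes that crack-time tables use.
ALPHABET = {
    "digits": 10,
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "lower+upper+digits+symbols": 95,  # printable ASCII minus space (assumption)
}

YEAR = 365 * 24 * 3600   # seconds, ignoring leap years
MONTH = YEAR // 12       # so that a year is exactly twelve months


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password; human-chosen ones have far less."""
    return length * log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int, rate: float, workers: int = 1) -> float:
    """Worst-case seconds to try every candidate at `rate` guesses/s per worker.

    Guessing is embarrassingly parallel, so `workers` machines divide the job
    evenly.  The expected time for a random target is half of this.
    """
    return keyspace(length, alphabet) / (rate * workers)


def workers_needed(single_worker_seconds: int, target_seconds: int) -> int:
    """Parallel workers needed to finish a single-worker job in `target_seconds`."""
    return -(-single_worker_seconds // target_seconds)   # integer ceiling


def extra_characters_equivalent(slowdown: float, alphabet: int) -> float:
    """Password length that a `slowdown`-fold slower hash is worth.

    Making each guess `slowdown` times more expensive has the same effect on
    crack time as adding log_alphabet(slowdown) characters to the password.
    """
    return log(slowdown, alphabet)


def hours_to_crack_table(rate: float, workers: int = 1, lengths=range(8, 13)) -> dict:
    """Mini version of the published tables: length -> worst-case hours."""
    a = ALPHABET["lower+upper+digits+symbols"]
    return {n: seconds_to_exhaust(n, a, rate, workers) / 3600 for n in lengths}


if __name__ == "__main__":
    a = ALPHABET["lower+upper+digits+symbols"]
    # Assumed rate for an unsalted fast hash on one GPU; change it for your hardware.
    fast_hash_rate = 50e9
    for n, hours in hours_to_crack_table(fast_hash_rate).items():
        print(f"{n} characters: {hours / (24 * 365):.2g} years worst case")
    # The article's scaling: a 34-year job needs 34 GPUs for one year, 408 for one month.
    print("GPUs for one year:", workers_needed(34 * YEAR, YEAR))
    print("GPUs for one month:", workers_needed(34 * YEAR, MONTH))
    # A slow hash with an assumed million-fold work factor buys about three characters.
    print("extra characters a 1e6x slower hash is worth:",
          round(extra_characters_equivalent(1e6, a), 1))
```

Vary `fast_hash_rate` to match the hashes per second your own hardware achieves for the hash in question; the shape of the result is what matters, since one more character of alphabet size 95 always costs the attacker 95 times the work regardless of the rate.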
Why Weaker Security in Smaller Businesses Matters
We often hear in the security industry that smaller companies are unlikely to be targeted by attackers with significant computing resources, because the payoff is too small to justify the effort. However, an attacker may need to acquire those computing resources in the first place in order to attack a larger target. For example, if the attacker can get thousands or millions of computers to run a script that checks whether GPU resources are available and, if so, takes control of the machine, the attacker can build a botnet (a group of controlled computer systems) that can be used for any compute-intensive task. Once the attacker controls these thousands or hundreds of thousands of computers, she can use them for nefarious purposes. She may also deliberately consume only a limited share of each machine's resources and take no other damaging action on it, to reduce the likelihood that the remote control is detected.
Because smaller companies feel less threatened, they often implement weaker security controls than larger organizations, or none at all, which makes them a tempting target for attackers who want to build a botnet. Why build one?
- For personal pleasure (owning the victims)
- For personal attacks (launching attacks against targets for political purposes, financial purposes, or simply the thrill of it)
- To sell to others (such as large crime organizations)
Concerns about large botnets might sound far-fetched, more like a movie plot than real life. However, a quick internet search for “EMOTET” reveals a real-world example. EMOTET had millions of controlled machines in its botnet; its operators used the network for their own malicious purposes and sold access to other criminal organizations. Law enforcement from multiple countries joined forces and took it down in January 2021 (or so they thought), but EMOTET re-emerged before the year was out. This highlights a common problem with malware: it can resurface in new forms.
Beyond Passwords: Multi-Factor Authentication
Therefore, security is important for small and large organizations alike; neither can ignore the threats. But what does all of this mean for passwords? Today, when you use passwords, make sure they are long and complex: at least eleven characters, preferably much longer, drawn from upper and lower case letters, numbers, and symbols. Additionally, for valuable and sensitive information, implement authentication that goes beyond passwords, adding a second factor that does not depend on the password at all, such as an access card (smart card) or biometrics, so that a cracked password alone is not enough to get in.
This is the reality of weak passwords.
In today’s hyper-connected world, cybersecurity threats can be a constant source of anxiety for business owners and employees. The AACSP CyberSecure course alleviates these concerns by providing the knowledge and confidence to easily navigate the digital landscape. Give yourself and your team the peace of mind that comes with proactive cybersecurity preparedness. Enroll in CyberSecure today.