An estimated 700 data breaches were made public in the United States in 2018, with 1,365,130,252 records exposed, many of them because of cracked passwords. Though that is a decrease from 2017, it is still a staggering amount of information shared that ought never to have been.
One of the first layers of defense is a strong password, and unfortunately many users still do not choose passwords complex enough to protect their accounts. The Silent Break Security team scrubbed and aggregated the cracked passwords obtained during security assessments throughout 2018 to identify the most common trends in password usage. In total, over 200,000 hashes were retrieved, and 61% of them were cracked. The figures below are percentages, of either the total hashes or the cracked hashes depending on the metric; for example, the chart below shows that Fall2018 accounted for 1.58% of all cracked passwords. Obviously, we cannot calculate statistics on passwords that were not cracked, so every figure about password content describes the cracked 61%, not the full set. The uncracked remainder is, by definition, the stronger part of the population.
This may go without saying, but we are going to say it anyway: building passwords out of common or sentimental words is not a good idea. Seasons and years, sports teams, locations, family names and the like are easily guessable and sit near the top of every cracking wordlist. Length and complexity make the biggest difference to a password's strength. The risk is compounded by the external portals, VPNs, email and customer applications that do not require two-factor authentication, where one guessed password is all an attacker needs. Take a look at what we found for 2018 and see what you can do to increase your password strength in 2019.
The Power of Words in Passwords
Yes, for some reason people still use the generic “Password123” as a password at work. Fall2018, Winter2018, and Summer2018 were the three most common cracked passwords for 2018 in the data gathered by Silent Break Security. Check out the top 10 in the graph below.
Passwords are often made up of common words or phrases. The problem is, they are also easily guessable.
The top three base words for 2018 were summer, winter, and fall. Sensing a theme? Here’s an easy security tip for 2019: don’t make a password the season + year.
Optimal Length of Passwords
The longer the password, the longer it takes to crack, provided it is not built from dictionary words and predictable patterns, which cracking rules reach regardless of length. According to our data, the most common password length is 8 characters (28.66%), followed by 9 (20.70%) and 10 (15.92%). Given that most organizations enforce an 8-character minimum, this should not be surprising: users tend to pick the shortest password the policy allows.
It is clear that the longer the password, the less likely it is to be cracked. With such a wide range, what is the best option for maximal strength? We recommend passwords of at least 16 characters. Add complexity and combine several unrelated words to increase effectiveness.
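As an added example (not code from the original post or from Silent Break Security), the script below reproduces the kind of aggregation behind the figures quoted in this post: percentage of accounts cracked, most common passwords as a share of cracked passwords, base words with leet and trailing digits stripped, and the length distribution. It also flags the two things an audit can see without cracking anything, duplicate hashes shared between accounts and the empty password. The account dump and potfile are constructed sample data, and SHA-256 stands in for NTLM (MD4 over UTF-16LE) so it runs anywhere; the arithmetic is identical.

```python
"""Aggregate a cracking run into the figures this post reports (percentage
cracked, top passwords, base words, length distribution) and flag the
duplicate and empty passwords a domain audit looks for. The account dump and
potfile are constructed sample data; SHA-256 stands in for NTLM."""
import hashlib
import re
from collections import Counter


def h(pw):
    """Stand-in for the hash in the dump. Real AD dumps carry NTLM hashes."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


# Constructed sample data: an account:hash list as loaded from a dump, plus
# the potfile (hash -> plaintext) that the cracking run produced.
_SAMPLE = {
    "alice": "Fall2018", "bob": "Fall2018", "carol": "Winter2018!",
    "dave": "Summer2018", "erin": "p@ssword123", "frank": "",
    "grace": "Password123", "heidi": "correct horse battery staple",
    "ivan": "Yankees2018", "judy": "Tr0ub4dor&3",
}
ACCOUNTS = [(user, h(pw)) for user, pw in _SAMPLE.items()]
POTFILE = {h(pw): pw for pw in ("Fall2018", "Winter2018!", "Summer2018",
                                 "p@ssword123", "", "Password123", "Yankees2018")}


def cracked_plaintexts(accounts, potfile):
    """One entry per cracked account (a shared password counts once per user)."""
    return [potfile[hv] for _, hv in accounts if hv in potfile]


def crack_rate(accounts, potfile):
    """Percentage of accounts whose hash appears in the potfile."""
    return 100.0 * len(cracked_plaintexts(accounts, potfile)) / len(accounts)


def top_passwords(plaintexts, n=3):
    """[(password, percent of all cracked passwords)] for the n most common."""
    total = len(plaintexts)
    return [(pw, round(100.0 * k / total, 2))
            for pw, k in Counter(plaintexts).most_common(n)]


UNLEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i",
                        "0": "o", "$": "s", "5": "s"})


def base_word(pw):
    """Strip digits/symbols from the ends, undo common leet, lowercase:
    'p@ssword123' -> 'password', 'Winter2018!' -> 'winter'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)
    core = core.lower().translate(UNLEET)
    return re.sub(r"[^a-z]", "", core)


def top_base_words(plaintexts, n=3):
    """[(base word, count)] for the n most common, ignoring empty passwords."""
    words = [w for w in map(base_word, plaintexts) if w]
    return Counter(words).most_common(n)


def length_distribution(plaintexts):
    """{length: percent of cracked passwords with that length}."""
    total = len(plaintexts)
    return {ln: round(100.0 * k / total, 2)
            for ln, k in sorted(Counter(map(len, plaintexts)).items())}


def duplicate_hashes(accounts):
    """Hashes shared by more than one account: same password, cracked or not."""
    users = {}
    for user, hv in accounts:
        users.setdefault(hv, []).append(user)
    return {hv: u for hv, u in users.items() if len(u) > 1}


def empty_password_accounts(accounts):
    """Accounts whose hash is the hash of the empty string. For real NTLM that
    value is 31d6cfe0d16ae931b73c59d7e0c089c0, so no cracking is needed."""
    empty = h("")
    return [user for user, hv in accounts if hv == empty]


if __name__ == "__main__":
    cracked = cracked_plaintexts(ACCOUNTS, POTFILE)
    print(f"cracked: {crack_rate(ACCOUNTS, POTFILE):.1f}% of {len(ACCOUNTS)} accounts")
    print("top passwords:", top_passwords(cracked))
    print("top base words:", top_base_words(cracked))
    print("lengths:", length_distribution(cracked))
    print("shared hashes:", list(duplicate_hashes(ACCOUNTS).values()))
    print("empty passwords:", empty_password_accounts(ACCOUNTS))
```

Two things to keep in mind when reading numbers produced this way: the percentage shares are of cracked passwords only, so a longer, unpredictable password that was never recovered simply does not appear in them, and duplicate hashes are worth reporting even when uncracked, because every account in the group falls together the moment one of them does.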
“Why do you have to go and make things so Complicated?”
Avril Lavigne complained about making things complicated, but we firmly stand by the fact that complexity is good…for passwords, anyway.
While changing the ‘a’ in ‘password’ to ‘@’ makes it marginally more complex, ‘p@ssword123’ is still not going to cut it: leet substitutions and appended digits are standard mangling rules, so a cracker applies them automatically to every word in its list. Mixing in upper and lower case letters, numbers and special characters does increase strength, but only when they are not a predictable transformation of a common word. Complexity combined with length improves password strength substantially.
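To show why the substitutions above do not help, here is an added illustration (not code from the original post or from Silent Break Security) of a dictionary-plus-rules attack: a handful of base words are mangled with the rules a cracker routinely applies (capitalize, upper-case, leet substitution, append a year or ‘123!’), and the candidates are checked against a constructed set of hashes. The wordlist, years and rule set are assumptions standing in for a real rule file, and SHA-256 stands in for NTLM so it runs anywhere.

```python
"""Why 'p@ssword123' and 'Fall2018' fall in seconds: a cracker does not guess
them character by character, it mangles a short wordlist with rules.
Added illustration; wordlist, years and rules are assumptions, and SHA-256
stands in for NTLM."""
import hashlib


def h(pw):
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


BASE_WORDS = ["password", "welcome", "fall", "winter", "summer", "spring"]
YEARS = ["2017", "2018", "2019"]
SUFFIXES = ["1", "123", "!", "123!", "1!"] + YEARS + [y + "!" for y in YEARS]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield the variants a small rule file produces for one base word."""
    forms = {word, word.capitalize(), word.upper()}
    for w in list(forms):
        forms.add(w.translate(LEET))                      # p@$$w0rd
        forms.add(w.replace("a", "@").replace("A", "@"))  # p@ssword (what users actually do)
    for w in sorted(forms):
        yield w
        for suffix in SUFFIXES:
            yield w + suffix


def crack(target_hashes, base_words=BASE_WORDS):
    """Dictionary-plus-rules attack. Returns ({hash: plaintext}, candidates tried)."""
    targets = set(target_hashes)
    found, tried = {}, 0
    for word in base_words:
        for candidate in mangle(word):
            tried += 1
            hv = h(candidate)
            if hv in targets:
                found[hv] = candidate
    return found, tried


# Constructed targets: three 'complex' passwords built from a common word, and
# two that are not derived from anything in the wordlist.
SAMPLE_PASSWORDS = ["p@ssword123", "Fall2018", "Password123",
                    "Tr0ub4dor&3", "correct horse battery staple"]
TARGET_HASHES = [h(pw) for pw in SAMPLE_PASSWORDS]


if __name__ == "__main__":
    found, tried = crack(TARGET_HASHES)
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:35} {'cracked' if h(pw) in found else 'survived'}")
    print(f"{tried} candidates tried")
```

A few hundred candidates recover all three “complex” passwords, which is what makes length-plus-symbols policies misleading when the base word is common. The long passphrase survives this rule set only because it contains no multi-word combinator rule; the page's length advice holds when the words themselves are not predictable, not merely because the count of characters is high.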
In summary, passwords are the front line of any organization’s security defenses. We have all read the news: a lack of deliberate account security can have devastating effects. The 2018 Verizon Data Breach Investigations Report puts 81% of hacking-related breaches down to stolen or weak passwords. The same report states that over 70% of employees reuse passwords at work, so one password leaked from a consumer site can carry straight into the corporate network.
We don’t mean to lecture; the evidence speaks for itself. Password security is vital. The problem is that the users who most need this information probably aren’t the ones reading this article. That is where enforcing good password hygiene, combined with regular password audits, can really improve the effectiveness of a security program and better protect corporate assets.
A new application developed by Silent Break Security, Defensix Password Audit, will automatically (and on a schedule, if wanted) audit Active Directory accounts for weak, duplicate, or empty passwords, as well as passwords stored with reversible encryption or set never to expire. The results provide useful information on employee password habits and help raise security maturity. Check out the details here.
Thanks for reading. Now go change your passwords!