Expiring passwords fail to lock out hackers

Four in 10 passwords can be hacked in three seconds, according to US researchers.


For years, expiring passwords have been the bane of a user's life and now research has been published showing the whole process was a waste of time.

The team of researchers from the University of Carolina set themselves the task of hacking passwords based on past users at their faculty. The results have shown the ease with which a username/password combination can be broken, many in less than three seconds.

The authentication was based on a fixed user name, or "only name you'll ever need" (ONYEN) system, with a password which had to be changed within a given time. Using the freely available John The Ripper dictionary attack with just under 50,000 words gave some alarming results.

After successfully acquiring at least one password to 7,936 accounts by brute force, the team went on to find all the passwords for 54 per cent of the accounts and discovered at least half of the passwords for 90 per cent of them.

The reason it had such a high success rate was that users worked to simple rules when changing a password. The common practice of adding a number to the base password and then incrementing or decrementing the value, either in steps of one or in jumps, makes life easy for the hacker.

Other research has shown around 50 per cent of users favoured this approach.
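A password-change check that rejects exactly the predictable edits described above, as an added example that is not the researchers' code or anything from the article. It assumes the change-password flow has the user's old password available at that moment (the standard flow asks for it), and the `check_password_change` hook is hypothetical; comparing bases case-insensitively and treating all-digit passwords moved by a small step as trivial goes slightly beyond the rules the article quotes.

```python
import re
from typing import Optional, Tuple

# Splits "winter12" into ("winter", "12"); "winter" yields ("winter", "").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d*)$")


def split_trailing_number(password: str) -> Tuple[str, str]:
    """Separate the base of a password from any trailing run of digits."""
    base, digits = _TRAILING_DIGITS.match(password).groups()
    return base, digits


def is_trivial_transform(old: str, new: str, max_numeric_step: int = 10) -> bool:
    """True when `new` is a predictable edit of `old` of the kind the study
    describes: the old base with a number added, dropped or changed (by one
    or by a jump), or an all-digit password shifted by a small step.
    Bases are compared case-insensitively (assumption, not from the study)."""
    if old == new:
        return True
    old_base, old_digits = split_trailing_number(old)
    new_base, new_digits = split_trailing_number(new)
    # "winter" -> "winter1", "winter1" -> "winter2", "winter2" -> "winter9"
    if old_base and old_base.casefold() == new_base.casefold():
        return True
    # All-digit passwords: "123456" -> "123457" is an increment by one.
    if not old_base and not new_base and old_digits and new_digits:
        return abs(int(old_digits) - int(new_digits)) <= max_numeric_step
    return False


def check_password_change(old: str, new: str) -> Optional[str]:
    """Hypothetical hook for a change-password flow: returns None when the
    change is acceptable, otherwise the message to show the user."""
    if is_trivial_transform(old, new):
        return "New password is a predictable edit of the old one; choose an unrelated one."
    return None
```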

The team used other but equally simplistic methods and reached a shocking conclusion.

"Even the most expensive password cracking effort required an average of only under three seconds per password that it broke," the team said. "In combination with the success rate for this configuration, we reach a fairly alarming conclusion: On average, roughly 41 per cent of passwords can be broken from an old password in under three seconds."

The team said they believed expanding the research to incorporate slightly more complex algorithms would see the success rates jump significantly.

In conclusion to the tests, the report said: "Combined with the annoyance that expiration causes users, our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a significantly stronger password than they would otherwise choose."

By this, they meant that a much longer passphrase using mixed alphanumeric characters and punctuation symbols would be required to make the job harder, but not impossible, for the hacker.
