Expiring passwords fail to lock out hackers

Four in 10 passwords can be hacked in three seconds, according to US researchers.

Password

For years, expiring passwords have been the bane of a user's life and now research has been published showing the whole process was a waste of time.

The team of researchers from the University of Carolina set themselves the task of hacking passwords based on past users at their faculty. The results have shown the ease with which a username/password combination can be broken many in less than three seconds.

The authentication was based on a fixed user name, or "only name you'll ever need" (ONYEN) system, with a password which had to be changed within a given time. Using the freely available John The Ripper dictionary attack with just under 50,000 words gave some alarming results.

After successfully acquiring at least one password to 7,936 accounts by brute force, the team went on to find all the passwords for 54 per cent of the accounts and discovered at least half in 90 per cent.

The reason it had such a high success rate was users worked to simple rules when changing a password. The common use of adding a number to the base password and incrementing or decrementing the value either in steps of one or in jumps makes life easy for the hacker.

Other research has shown around 50 per cent of users favoured this approach.

The team used other but equally simplistic methods and reached a shocking conclusion.

"Even the most expensive password cracking effort required an average of only under three seconds per password that it broke," the team said. "In combination with the success rate for this conguration, we reach a fairly alarming conclusion: On average, roughly 41 per cent of passwords can be broken from an old password in under three seconds."

The team said they believed expanding the research to incorporate slightly more complex algorithms would see the success rates jump signicantly.

In conclusion to the tests, the report said: "Combined with the annoyance that expiration causes users, our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a signicantly stronger password than they would otherwise choose."

By this, they meant that a much longer passphrase using mixed alphanumeric characters and punctuation symbols would be required to make the job harder, but not impossible, for the hacker.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

1Password Business review: First choice for business travel and guest accounts
Security

1Password Business review: First choice for business travel and guest accounts

16 Jul 2021
Keeper Security review: Keeps corporate password management simple
Software

Keeper Security review: Keeps corporate password management simple

9 Jul 2021
Dashlane review: A very web-focused password manager
Security

Dashlane review: A very web-focused password manager

2 Jul 2021
LastPass review: Great to administrate, a little clunky to use
Software

LastPass review: Great to administrate, a little clunky to use

25 Jun 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
IT Pro Panel: Why IT leaders need soft skills
professional development

IT Pro Panel: Why IT leaders need soft skills

26 Jul 2021