White-hat hackers lifted 560,000 corporate passwords in 31 days. We're all screwed

The password you use to log into your company network likely sucks.

That’s the maybe-not-so-astonishing revelation from a group white-hat hackers who probe for vulnerabilities in corporate networks for a living. Over the course of a year, the hackers at Trustwave attacked more than 626,000 accounts throughout corporate America and were able to successfully crack more than 560,000 of them in less than 31 days.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1527952,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"C"}']

“Password1” was the most common word-and-number password people used for logging into their work networks. That was followed by “Hello123” and then, simply “password.” This sad state of affairs directly contributes to successful network penetration. These findings are more than a nightmare for system administrators tasked with monitoring company systems in a bid to keep them safe.

“It’s a weak link in the chain,” said hacker Karl Sigler, manager of threat intelligence at Trustwave, a security outfit headquartered in Chicago.

Sigler and his posse started the research by surreptitiously combing active employee directories running on Window-powered machines. They then launched blitzes against employee password boxes, mainly sending employees infected links through social engineering and phishing attacks in a bid to get them to click.

For Sigler and his aggressive team, breaching company’s credential servers and network firewalls was like shooting fish in a barrel.

“We had a 100 percent success rate getting access to networks. We found serious, if not critical, vulnerabilities in the networks themselves running penetration tests. The number one used password was a capital P ending with the numeral 1. Password1,” Sigler said.

And the takeaway?

“Obviously it’s a horrible password,” he added.

According to the authors of this eye-opening report itself, which you can read here:

[aditude-amp id="medium1" targeting='{"env":"staging","page_type":"article","post_id":1527952,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"C"}']

We set out to determine how easily we could crack a sample of 626,718 hashed passwords we collected during thousands of network penetration tests performed in 2013 and some performed in 2014. The majority of the sample came from Active Directory environments and included Windows LAN Manager (LM)- and NT LAN Manager (NTLM)-based passwords. We recovered more than half of the passwords within just the first few minutes. We eventually cracked 576,533 or almost 92 percent of the sample within a period of 31 days.

What this study shows is many people are stupid. At least when it comes to passwords used at work. The Trustwave study showed that short combinations of lowercase and uppercase letters, with one or two numbers thrown in, is not the best way to lock down your protocol. Increasing the length of the password is one way, using word and numerical combinations to make it harder for the baddies.

“In this day and age, in a corporate environment, people are still picking easy passwords. This is the number-one thing that needs to be addressed in a corporate environment,” Sigler said.

The problem is that many employees reckon, and rightly, that longer and more complex passwords are harder to remember, the Trustwave team told VentureBeat. So they pick easy ones, like a dog’s name.

But the more you talk about your dog for example, through email or social media, means hackers are zeroing in on you through your forensic trail. In other words, hackers can guess, without having to launch a social engineering attack, what your password might be.

[aditude-amp id="medium2" targeting='{"env":"staging","page_type":"article","post_id":1527952,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"C"}']

And once in, the damage begins. The report clearly states:

Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure. The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password.

Sigler and his team used two computers to do the hacking and cracking. According to Sigler, Trustwave built the first machine for $1,800, which used an Intel Core i7 Ivy Bridge Quad Core Processor, 16 gigabytes of RAM and two AMD Radeon 7970 graphics cards. The second machine included an AMD FX-8320 8 Core Processor, 16 gigabytes of RAM and four AMD Radeon 7970 graphics cards that cost $2,700 USD.

The real culprit in the successful penetrations, however, was a graphic processing unit, or GPU. The graphics card can perform billions of calculations per second, as opposed to what Sigler said was a traditional processing unit, or CPU.

For example, a AMD Radeon 7970 graphics card costs $350 “can perform 17.3 billion NTML hash calculations per second compared to an Intel Core i7-3770K CPU priced at $320 USD and overclocked by 700 MHz that can only perform 246 million NTLM hash calculations per second.”

[aditude-amp id="medium3" targeting='{"env":"staging","page_type":"article","post_id":1527952,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"C"}']

Security experts said that while incorporating two factor authentication can help make the job of hackers more difficult, its not the end all. Sigler said that while two factor is not cost effective for every circumstance, it can go a long way in deterring hackers looking for banking and health records, for example.

Sigler wisely wouldn’t talk about who his clients are but said they’re ones we’ve all heard of and have relationships with, like Fortune 500 outfits and government agencies. As for Trustwave, it’s based in Chicago and employs 1,110 people.

Sigler has a word for the wise — or those who have been burned.

“If two-factor authentication cannot be implemented for some reason, then longer pass phrases are more secure than shorter passwords using complexity rules like extended characters, numbers and the like.”

[aditude-amp id="medium4" targeting='{"env":"staging","page_type":"article","post_id":1527952,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,","session":"C"}']