Why you need to make your passwords more complex

Just for kicks, and because I want to play with, and rationalise to myself, my new toy (a shiny new password cracking rig), I ran some Windows domain NTLM hashes through a password cracking program. I haven’t checked that they’re representative of the usual, so don’t treat this as anything more than an anecdote.

What I found

Laptop with Geforce 760M (laptop cost approx £950, about a year old)
With a decent wordlist and some adequate rules (oclhashcat’s best64.rule), 56% of the passwords were cracked in 2 and a half minutes on a laptop.

Geforce 970 (whole computer, inc card for a shade under £600)
With a kind-of brute-force search, 50% of passwords were in under ten minutes. The speed is around 10bn guesses per second.

Or if we use a good word list and a proper set of rules, 88% were cracked in about 5 minutes.

And we can wring a few more out with a hybrid attack, with another 11 minutes getting us up to 92%.

In this case, I’ve generated a dictionary of all the possible cases variations (“case”, “Case”, “cAse”, “cASE”, etc.) including what is affectionately known as “leetspeak”, which means things like “c4se”, “cas3”, “ca5e”, where a similar looking digit is substituted for a letter. The attack tries all the dictionary words, together with a “mask” of every two letter combination possible on the end of the characters.

Notice this is running a bit slower than the first attack as I haven’t tuned it as fully as I should have.

Even worse, on this particular machine, it would only take a week to search the entire space of 8 character passwords.

We got a few more by reversing the mask attack which is trying each combination of two characters on the start of the dictionary words.

That’s about 92%, or eleven out of every twelve password, recovered in about an hour during my lunch break. It’s not ideal.

Things get worse if you’re looking at a single password hash rather than a list with this particular graphics card – it will only take 4 days to search all 1-8 character possibilities for a single hash.

Advice. Really good advice

So, please use long, complex passwords, not based on dictionary words. It’s not good enough to take a dictionary word, swap e to 3, a to 4, o to 0, etc. and then stick a random punctuation character on the end. “S3cr3t!” isn’t going to last very long as a password. Better is to take initial letters of a phrase, or indeed to use a passphrase of several words together with a few variants or punctuation marks. (No, not “correcthorsebatterystaple”!).

If you’re an administrator consider enforcing a minimum length of 10 characters or more for NTLM passwords.

If you’re a UNIX administrator, make sure you have a decent password policy and use the best password hashing algorithm you can.

Of course, this does only matter if you get your list of password hashes compromised, but it’s better to think of security as a layered approach rather than rely on any one mechanism to protect you.

In a similar vein, it takes an hour and a half on my laptop to go through all WPA passwords which are only 8 digits; this means that 8-digit WPA passphrases are not very safe these days. Use at least 8 character alphanumeric strings for your wireless passphrase.