Serious Discussion Do longer passwords protect you from compromise? [New research by Specops]

[Ink]

New research from Specops Software has found that even passwords 15 characters long make it into the top ten of the most common password lengths to be compromised (placing eighth). The most compromised length was eight characters, accounting for 212.5 million out four billion in the company's Breached Password Protection Database.

Specops calculates that to crack an eight character password, even those that contain numbers and both upper and lower case characters, can take a mere five minutes. On the other hand, a 15 character password can take up to 37 million years to crack.

However, the report warns that this "shouldn't give organizations a false sense of security, as this is only part of the password security battle." For instance, it won't matter if the credentials are stolen via phishing attacks.

Story via Bad news - turns out even long passwords can be cracked easily

---

[New research] Do longer passwords protect you from compromise?

New Specops research looks into the data around longer passwords. Learn how they boost cybersecurity and where hackers can get around them.

specopssoft.com

We wanted to know the most common length of a compromised password, and how many longer passwords were being breached. To find out, the Specops research team analyzed the lengths of over 800 million compromised passwords (a subset of our larger Breached Password Protection list of over 4 billion unique compromised passwords). For the purpose of this research, we considered a password over 12 characters to be long.

Compromised password lengths: The results​

In descending order, these are the eight most common lengths for compromised passwords. As expected, 8 characters (212.5 million total compromised passwords were 8 characters exactly) is at the top – likely because it is the default password length in Active Directory. You can also see that as character length increases, the total amount of compromised passwords decrease. However, this doesn’t mean we’re talking small numbers.

1. 8
2. 10
3. 9
4. 11
5. 12
6. 13
7. 14
8. 15

The below table shows how many compromised passwords we found above five given lengths. If we’re counting 12 and over as a ‘longer password’ then 121.5 million compromised passwords were found to be long. As you can see, the number of compromised passwords does decrease as character length increases, but there are still 31.1 million compromised passwords over 16 characters in length.

This shows that having longer passwords doesn’t protect you from attacks. Even if the total numbers are smaller compared to 8-character passwords, these numbers still represent tens of millions of opportunities for attackers to breach organizations using longer passwords.

Blog: [New research] Do longer passwords protect you from compromise?

 

[I Walk MY Way]

Nice read, I have faith in my 27 character long passwords they might get compromised but it will take a lot of time for that to happen,

 

[SpyNetGirl]

*Laughs in passwordless*

FPGAs (Field-programmable gate array) can probably bring that 37 million years to months...

Although probably the biggest protection is through anti-hammering features such as TPM, when for example talking about BitLocker password

 

[ForgottenSeer 103564]

There are brute force attacks, social engineering, malware "Key Logging/Screen Scrapers" and as stated Phising. Grabbing the hash for cracking tools,ect. Using a GPU as already stated or even a botnet can certainly speed up the process. There are plenty of free tools available for cracking passwords. Ones best bet is to make them substantially harder to do by using enough symbols and different characters. Using reliable password managers help with creating and storing of, and if applicable, always use two-factor authentication as it will be a serious pain in the arse for any hacker.

 

[wat0114]

If you look at the "Time to crack MD5 Hashed Passwords" chart from the Specops link, even a 12 character password using upper, lower, number and symbolism takes 26.5 thousand years to crack.

 

[ForgottenSeer 93475]

For a long time, I thought that attacks on complex passwords required advanced equipment that was not available to the general public, But here is a company that provides trial-grade software that does just that

Elcomsoft Distributed Password Recovery | Elcomsoft Co.Ltd.

Break complex passwords, recover encryption keys and unlock documents in a production environment.

www.elcomsoft.com

 

[Viking]

All my passwords are 90+ (alpha/numeric & symbols) characters long

 

[ForgottenSeer 103564]

All my passwords are 90+ (alpha/numeric & symbols) characters long

I can imagine its hard finding website accounts that accept that many characters.

 

[oldschool]

This guy's done the math and keeps it simple!

GRC's | Password Haystacks: How Well Hidden is Your Needle?

Password Haystacks: How Well Hidden is Your Needle?

www.grc.com

Here are the test results for one of my passwords:

Time Required to Exhaustively Search this Password's Space:

Online Attack Scenario: (Assuming one thousand guesses per second)​	2.94 hundred trillion trillion centuries
Offline Fast Attack Scenario: (Assuming one hundred billion guesses per second)​	2.94 million trillion centuries
Massive Cracking Array Scenario: (Assuming one hundred trillion guesses per second)​	2.94 thousand trillion centuries

And this is using only two of four categories: upper case, lower case, numbers and symbols!

 

[I Walk MY Way]

one of my passwords 1.44 hundred trillion trillion centuries

 

[mlnevese]

one of my passwords 1.44 hundred trillion trillion centuries

I can wait... I'm not in a hurry

 

[plat]

Here are the test results for one of my passwords:2.94 hundred trillion trillion centuries
And this is using only two of four categories: upper case, lower case, numbers and symbols!

And to think our Milky Way and the Andromeda galaxies are set to collide in *only* 4.5 billion years. Very forward thinking of you, oldschool.

 

[JoeN]

The length of my password is generated by busy beaver function of n-state Turing machines

 

[jetman]

If a database is hacked and the passwords are stored in plain text then it doesn't matter how long or complex the passwords are.

I think this is why the research shows so many long passwords being compromised. Unless some of the passwords are based on dictionary words (making them very simple to break) or are re-used passwords that were already on dark-web lists?

However, if a database is hacked and the passwords are strongly encrypted, then longer and complex passwords will almost certainly remain safe. Realistically, it is only short and simple passwords (or those based on dictionary words) that would be vulnerable to cracking.

 

[codswollip]

Don't get too comfortable. This data is based on today's computational power, which is growing exponentially. Within 5 years, 16-chracter passwords will drop in seconds.