Are Your Passwords Safe?

The number one way hackers get into protected systems isn’t through a fancy technical exploit. Believe it or not, it’s by guessing the password. So, are your passwords safe?

That’s not too hard when the most common password used on business systems is “Password1.”

There’s a technical reason for Password1’s popularity: It’s got an upper-case letter, a number and nine characters. That satisfies the complexity rules for many systems, including the default settings for Microsoft’s widely used Active Directory identity management software.

Security services firm Trustwave spotlighted the “Password1” problem in its recently released “2012 Global Security Report,” which summarises the firm’s findings from nearly 2 million network vulnerability scans and 300 recent security breach investigations.

Around 5% of passwords involve a variation of the word “password,” the company’s researchers found. The runner-up, “welcome,” turns up in more than 1%.

Easily guessable or entirely blank passwords were the most common vulnerability Trustwave’s SpiderLabs unit found in its penetration tests last year on clients’ systems. The firm set an assortment of widely available password-cracking tools loose on 2.5 million passwords, and successfully broke more than 200,000 of them. Adding complexity to your password — swapping “password” for “p@S$w0rd” — protects against so-called “dictionary” attacks, which automatically check against a list of standard words.

A seven-character password has 70 trillion possible combinations; an eight-character password takes that to more than 6 quadrillion.

Even a few quadrillion options aren’t a big deal for modern machines, though. Using a $1,500 computer built from off-the-shelf parts, Trustwave took just 10 hours to harvest its 200,000 broken passwords.
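As an added example (not code from this post or from Trustwave), here is a Python policy check that shows the "Password1" problem directly: the password satisfies a complexity rule approximating Active Directory's default (assumed here as at least 7 characters and three of four character classes) yet is a trivial variation of a blocklisted word, and the same normalisation catches "p@S$w0rd", since cracking tools try those substitutions just as cheaply. The blocklist is a constructed sample, and the keyspace figures quoted above are reproduced on the assumption that they were computed over the 95 printable ASCII characters.

```python
"""Policy check for the "Password1" problem: complexity rules alone are not enough."""
import re
import string

# Constructed sample blocklist of base words (not Trustwave's data).
COMMON_BASE_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Common substitutions, undone so "p@S$w0rd" is still recognised as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "!": "i", "4": "a", "5": "s", "7": "t"})


def keyspace(length: int, alphabet_size: int = 95) -> int:
    """Number of possible passwords of a given length (95 printable ASCII chars assumed)."""
    return alphabet_size ** length


def meets_complexity(pw: str, min_len: int = 7) -> bool:
    """Approximation of the AD default: length >= 7 and at least 3 of 4 character classes."""
    classes = [
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


def base_word(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw.lower())
    return stripped.translate(LEET)


def check_password(pw: str) -> list:
    """Return the reasons a password should be rejected; an empty list means acceptable."""
    problems = []
    if not meets_complexity(pw):
        problems.append("fails complexity rule")
    base = base_word(pw)
    if base in COMMON_BASE_WORDS:
        problems.append(f"variation of common word '{base}'")
    return problems


if __name__ == "__main__":
    print(f"7 chars: {keyspace(7):,}   8 chars: {keyspace(8):,}")
    for candidate in ("Password1", "p@S$w0rd", "password", "Correct-Horse-Battery-9"):
        print(f"{candidate!r}: {check_password(candidate) or 'acceptable'}")
```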

Microsoft have a password management system available at http://passwordsafe.sourceforge.net/ – this may help you to simplify things.

So now that the New Year is here, it is probably a good time to change those passwords to something a little more complicated (for the hackers) and rest easy knowing your data is safe.