
Interesting facts regarding passwords and what you should know about them


I was recently auditing some client systems and decided to try and brute force some passwords on Windows based systems to determine if people are choosing more complex passphrases. I set about using a GPU based system with two graphics cards and used a well known program called Hashcat to try and brute force the hashes.

Now I have mentioned in the past that using a wordlist to ‘guess’ user passwords or WPA passcodes can be done by anyone with enough horsepower and a good list of passphrases. When using GPU-based cracking these wordlists go very quickly, but unfortunately if you haven’t got the passphrase in your list it will fail.

Another alternative is to use all possible characters to try and brute force them. Although this process is sure to work, allowing any combination of letters (upper and lower case), numbers and all of the special characters can push the number of permutations so high that it can take days or even weeks and months to brute force.

I decided that a subset of the brute force rule would yield some interesting results. What was the likelihood that people were picking passphrases with only letters and numbers? I speculated that a cross section of my clients might represent an average sample to test with, and assumed that these results would represent an average of the population – my findings were a little staggering.

I found that with my dual GPU based system I could crack NTLM hashes at a benchmark of approx. 18,000 Mh/s. This represents an extremely quick pattern matching ability, which I used to create NTLM hashes that I could use for comparison.

From the Openwall site (current maintainer of the free John the Ripper software based cracking program):

Secure message length

Modern computers perform at approx. 10 million NTLM hashes/sec. Some calculations:

There are 95 printable characters (these are almost all of those used in passwords).
With length = 7: 95^7 / 10^7 seconds = 81 days

Lower case letters and numbers are 36.
With length = 8: 36^8 / 10^7 seconds = 3.3 days

Lower case letters are 26.
With length = 9: 26^9 / 10^7 seconds = 6.3 days

This simple calculation means that a secure NTLM password needs to be at least 10 characters long.

Since my little cracking system operates at almost twice that speed, I set out to see if using the NVidia version of hashcat (cudaHashcat) could help determine how many users actually used less than 10 characters for a password (before my 75th birthday) AND if any of them used just numbers and letters (and not any special characters like !@#$%^&*()_-=+'"\|[]{}).

My system was able to find 9 passwords that were 7 characters in length in about 7 seconds.

[Image: Seven Characters]

Another 6 were found that were 8 characters in just over 5 minutes.

[Image: Eight Characters]

This represented approx. 15% so far, and at 1 out of 8 passwords cracked already I was very surprised. We decided to let this experiment continue to 9 characters.

[Image: Nine Characters]

After approx. 3 1/2 hours we had found another 7 user accounts that were using just upper and lower case letters along with numbers as their password. We wanted to see just how many users actually were using the recommended 10 characters as a minimum password length for a Windows passphrase, so our test would require several days. After a couple more hours we had already cracked over 25% of the passwords used by a cross section of users. At our current speed we can have results for any combination of upper/lower case letters and numbers in about 6 days.
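As an added worked example (not code from the original post, from Openwall or from Hashcat), the following Python carries through the keyspace-divided-by-rate arithmetic of the Openwall quote, both at its 10 million hashes/sec figure and at the 18,000 Mh/s benchmark reported earlier, and adds a small check that tells you which character class a candidate password falls into and how long an exhaustive search of that class would take. The exhaustive times are upper bounds: a weak password is normally found long before the search finishes, which is why the 7- and 8-character results above came back in seconds and minutes rather than the hours the full class would need. The 62-symbol upper+lower+digits class, the sample passwords and the one-year threshold passed to min_length_exceeding are my assumptions, not figures from the post.

```python
import string

# Character-class sizes. The first three are the ones used in the Openwall
# calculation quoted in the post; the 62-symbol class is an assumption matching
# the post's "upper and lower case letters along with numbers" experiment.
CHARSETS = {
    "lower": 26,
    "lower+digits": 36,
    "upper+lower+digits": 62,
    "printable": 95,
}

OPENWALL_RATE = 10_000_000          # 10 million NTLM hashes/sec (Openwall quote)
DUAL_GPU_RATE = 18_000 * 1_000_000  # ~18,000 Mh/s (the post's dual-GPU benchmark)
SECONDS_PER_DAY = 86_400


def keyspace(charset_size, length):
    """Number of candidate strings of exactly `length` symbols."""
    return charset_size ** length


def exhaust_days(charset_size, length, rate):
    """Days to try every candidate of one class and length at `rate` hashes/sec.
    This is the worst case; weak passwords are usually found much earlier."""
    return keyspace(charset_size, length) / rate / SECONDS_PER_DAY


def charset_class(password):
    """Smallest class in CHARSETS containing every character of `password`,
    or None if it uses characters outside printable ASCII."""
    chars = set(password)
    if chars <= set(string.ascii_lowercase):
        return "lower"
    if chars <= set(string.ascii_lowercase + string.digits):
        return "lower+digits"
    if chars <= set(string.ascii_letters + string.digits):
        return "upper+lower+digits"
    if all(32 <= ord(c) <= 126 for c in password):  # 95 printable ASCII incl. space
        return "printable"
    return None


def worst_case_days(password, rate):
    """Exhaustive-search days for the password's own class and length, or None."""
    cls = charset_class(password)
    if cls is None:
        return None
    return exhaust_days(CHARSETS[cls], len(password), rate)


def min_length_exceeding(charset_size, rate, days, max_length=64):
    """Shortest length whose exhaustive search takes more than `days` days."""
    for length in range(1, max_length + 1):
        if exhaust_days(charset_size, length, rate) > days:
            return length
    return None


def openwall_table(rate=OPENWALL_RATE):
    """The three (class size, length) cases from the Openwall quote, in days."""
    return {
        (95, 7): exhaust_days(95, 7, rate),
        (36, 8): exhaust_days(36, 8, rate),
        (26, 9): exhaust_days(26, 9, rate),
    }


if __name__ == "__main__":
    for (size, length), days in openwall_table().items():
        print(f"{size}^{length} at 10 million hashes/sec: {days:.1f} days")
    for length in (7, 8, 9, 10):
        days = exhaust_days(62, length, DUAL_GPU_RATE)
        print(f"62^{length} at 18,000 Mh/s: {days:.2f} days")
    # Constructed sample passwords, chosen only to exercise each class.
    for pw in ("abc123", "Passw0rd", "Tr0ub4dor&3"):
        print(pw, charset_class(pw), f"{worst_case_days(pw, DUAL_GPU_RATE):.3g} days")
    # One-year threshold is an assumption; the post itself only says "10 characters".
    print("shortest 62-symbol length needing over a year at 18,000 Mh/s:",
          min_length_exceeding(62, DUAL_GPU_RATE, 365))
```

Running it reproduces the Openwall figures (81, 3.3 and 6.3 days) and shows that at the dual-GPU rate every 9-character upper/lower/digit password falls inside about nine days of exhaustive search, while the first length that holds out for more than a year is 10, which is the same minimum the Openwall quote arrives at.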

The surprising thing to this author is that some users who are not required to use complex password schemes just won’t. If you are wondering why this can represent such an outstanding risk to your organization I invite you to read more about the methods that are used to gain access to your accounts or to your networks in the following articles. They can represent a very real risk that can happen to you once even one account is compromised.

Imagine one of your colleagues sends you a link or an attachment in an email and you recognize them immediately. Maybe they even reply to an existing email with an attachment or some code embedded into the reply. You don’t even have to open it: simply previewing it at the office in your own environment can infect you very easily.

Bad passwords can affect everyone – please choose wisely. You can check out choices for your new password from this site (https://www.grc.com/haystack.htm)

http://www.wired.com/2012/08/mat-honan-data-recovery/

http://arstechnica.com/tech-policy/2011/02/how-one-security-firm-tracked-anonymousand-paid-a-heavy-price/3/
