Expiring passwords fail to lock out hackers
October 18 2010
Four in 10 passwords can be hacked in three seconds, according to US researchers. For years, expiring passwords have been the bane of a user's life and now research has been published showing the whole process was a waste of time. The team of researchers from the University of Carolina set themselves the task of hacking passwords based on past users at their faculty. The results have shown the ease with which a username/password combination can be broken - many in less than three seconds.
The authentication was based on a fixed user name, or "only name you'll ever need" (ONYEN) system, with a password which had to be changed within a given time. Using the freely available John The Ripper dictionary attack with just under 50,000 words gave some alarming results.
After successfully acquiring at least one password to 7,936 accounts by brute force, the team went on to find all the passwords for 54 per cent of the accounts and discovered at least half in 90 per cent.
The reason it had such a high success rate was users worked to simple rules when changing a password. The common use of adding a number to the base password and incrementing or decrementing the value either in steps of one or in jumps makes life easy for the hacker.
Other research has shown around 50 per cent of users favoured this approach.
The team used other but equally simplistic methods and reached a shocking conclusion.
"Even the most expensive password cracking effort required an average of only under three seconds per password that it broke," the team said. "In combination with the success rate for this configuration, we reach a fairly alarming conclusion: On average, roughly 41 per cent of passwords can be broken from an old password in under three seconds."
The team said they believed expanding the research to incorporate slightly more complex algorithms would see the success rates jump significantly.
In conclusion to the tests, the report said: "Combined with the annoyance that expiration causes users, our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a significantly stronger password than they would otherwise choose."
By this, they meant that a much longer passphrase - using mixed alphanumeric characters and punctuation symbols - would be required to make the job harder, but not impossible, for the hacker.
View more news |