Passwords & Multifactor Authentication: Are they strong enough for today's adversaries?

Hive Systems recently released a table which outlines the time it takes to brute force a password in 2023. Let's take a look at how our password security requirements measure up.

David Kuan-Celarier
September 13, 2023

Hive Systems recently released their updated table (below) of the time it takes to brute force a password based on the length and complexity of the password. The Hive Systems article tagged in the table image (hivesystems.io/password) is a very technical but informative 15-minute read, and worth taking the time to look through. In Hive's explanation of how they determined the table content, they discuss how the advancement of GPU technology parallels the growing ease with which hackers with large tech budgets can circumvent hash protection methods. Though the bad guys are becoming more capable, we should not immediately jump to concern.

Hive Systems table of Time it takes a hacker to brute force your password

Hackers have many techniques at their disposal to infiltrate your systems. Social engineering attacks and phishing scams are becoming more commonplace. Brute force attacks that target servers where passwords are stored can be more efficient because, unlike social engineering and phishing scams, they don't require an unsuspecting victim to give up a credential. So why not be worried? Simple methods and practices, good cyber hygiene, and regular security upgrades can keep many of these methods from succeeding.

It’s easy to forget or lose passwords as there are hundreds we regularly create for all sorts of online accounts, not just the ones for work. Many of us are tempted to make them easier to remember or record them in places we shouldn’t. Implementing stronger password requirements makes maintaining passwords more difficult, but as the chart shows, makes things exponentially more secure. Understanding when additional complexity is needed and making sure your employees are aware of the importance of password security and complexity are paramount for protecting your sensitive information.

Passwords

Weak passwords contain fewer than fifteen characters; are a single word from any language dictionary; a name; a common usage term (think computer command or fantasy term); contain PII like a phone number; feature letter or number patterns; or are the reverse of any item in this list (drowssap) with a single number after. Stronger passwords are long; contain a variety of letters, numbers, or special characters; and feature a variety of capitalizations. Additionally, the use of passphrases, multiple words strung together forming a run-on (IamTheWalrus), provides better protection against common breach methods like brute force or dictionary attacks. It’s also recommended to avoid using characters that resemble letters in place of them (e.g., p@s$w0rd).
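The weak-password criteria above can be turned into an automated check at password-set time. The sketch below is an added example, not part of the original article; the function names, the small wordlist, and the look-alike character map are constructed for illustration, and a real audit would load a full dictionary and name list.

```python
import re

# Constructed sample wordlist (dictionary words, names, command and fantasy terms).
WORDLIST = {"password", "walrus", "dragon", "sudo", "david", "monkey"}
# Look-alike characters mapped back to the letters they imitate (p@s$w0rd -> password).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "5": "s", "!": "i"})

def has_sequence(pw, run=4):
    """True if pw holds `run` consecutive ascending, descending, or repeated characters."""
    for i in range(len(pw) - run + 1):
        diffs = {ord(pw[j + 1]) - ord(pw[j]) for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False

def weak_reasons(pw):
    """Return which of the article's weak-password criteria pw matches (empty list = none)."""
    reasons = []
    low = pw.lower()
    if len(pw) < 15:
        reasons.append("short")
    core = re.sub(r"\d$", "", low)  # ignore a single trailing number, as in "drowssap1"
    for label, cand in (("dictionary", core), ("reversed", core[::-1]),
                        ("lookalike", core.translate(LEET))):
        if cand in WORDLIST:
            reasons.append(label)
            break
    # PII check: a US-style phone number anywhere in the password.
    if re.search(r"\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}", pw):
        reasons.append("phone")
    if has_sequence(low):
        reasons.append("pattern")
    return reasons
```
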

After choosing a strong password, you should also observe the following guidelines for retaining that password:

  • Never write your password down where someone else can discover it.
  • Never tell anyone your password, no matter how close you are. Especially never tell your password to someone claiming to be an admin for a site, software, or application you are using. A legit representative will never need it.
  • Do not recycle passwords—keep different passwords for different accounts and do not reuse passwords that may have been compromised before.
  • Do not use the password-saver function of any web browser or application.
  • Change your password often and never share it with anyone else.

Password Managers

If you are overwhelmed by all the passwords in your life, many cybersecurity experts now suggest password managers. These ‘data vaults’ can keep a plethora of information and are designed to fill your passwords, PII, and online profiles safely into auto-fill forms through a browser extension. You just need to remember a single password to access your vault. The Rochester Institute of Technology notes that password managers “[allow] you to use truly random combinations in all of your passwords, making them much harder for malicious users or bots to crack. Password managers also protect you from giving away private information inadvertently.” There are several free and pay-to-use applications that are popular; Cnet.com suggests Bitwarden, LastPass, and 1Password. However, before you commit to a password manager for all of your passwords, check to see if using one is appropriate for your work. You may need permission before using the browser extensions.

Multi-Factor Authentication

It’s more than likely that you’ve seen, heard of, or currently use multi-factor authentication (MFA). MFA is a cybersecurity concept that requires multiple methods to confirm your identity. In addition to a password or challenge question, MFA might also involve a tool that you possess like a hard token (e.g., YubiKey or CAC) or soft token (generates a disposable passcode), and/or a unique personal characteristic like a biometric value (e.g., finger or voice prints). Implementing MFA is a simple but effective way to ensure that even if a password is acquired by a brute force attack, it won't be enough to compromise your system.

Even with the alarming speed at which we are evolving our technology and nefarious parties are harnessing those capabilities to do harm, you can't live your life or operate your business in constant fear. As quickly as new threats arise, new methods of subverting attacks and increasing security are emerging. Keeping informed and not making assumptions about your cyber hygiene can help you stay ahead of the game. Talk to cybersecurity experts and get an evaluation of your information system(s) to make sure you haven't overlooked an exploitable vulnerability like weak password requirements. IntelliGRC is always here to chat if you have questions.

---------

David Kuan-Celarier is a documentation specialist at IntelliGRC. David creates content to support the GRC SaaS platform and other mixed initiatives. We are happy to provide free consultations and, pending an engagement, can do configurations and testing for you as well!