Beyond Password Length and Complexity

Thanks to PCI-DSS requirements and other security standards that specify a minimum password length and strength, most sysadmins now have the awareness and patience necessary to set up a basic password policy. However, many if not most systems still let attackers get a foot in the door by accepting passwords that are compliant but still easy to guess.

Analysis of 5,000 PCI-DSS-Compliant Passwords

Through a (now fixed) logging bug at a commercial site, I recently had the chance to analyze about 5,000 production passwords set by end users over the course of a year. All of these passwords would have passed a cursory PCI-DSS check (see requirements 8.5.10 and 8.5.11 in section 8.5 of version 2.0), since they were more than seven characters long and contained both numeric and alphabetic characters. In fact, all of them exceeded the PCI-DSS minimums: every password was at least eight characters long and contained at least one upper-case letter, one lower-case letter, and one number. Many also contained special characters.

Password Length

Most of the passwords (61%) were right at the minimum length, either 8 or 9 characters long. The average length was 9.6 characters, and the average password consisted of 1.1 upper-case letters, 6.1 lower-case letters, 2.2 digits and 0.2 special characters.

Password Complexity

Most passwords (86%) contained only a single upper-case letter, and it was usually the first character. Most (59%) contained five to seven lower-case letters.

The numeric portion of the password was a value between 0 and 99 most (63%) of the time, and a single digit was very common (41%). Years were also very common, as shown by the high incidence (20%) of four-digit numbers, most of which fell between 1900 and 2015. The current year (2013) was an especially popular (5%) inclusion.

Although special characters (e.g., “!” or “#”) were not required, 17% of all end users included them. (This was good news.) In almost all cases (90%), only a single special character was used. The most popular special-character sequences were all single characters: exclamation point (“!”, 29%), period (“.”, 19%), “at” sign (“@”, 15%) and hash (“#”, 14%). These were followed by the dash (“-”), dollar sign (“$”), space (“ ”), asterisk (“*”) and plus sign (“+”), each making up between 3% and 6% of the single-character population. Passwords containing multiple special characters mostly (68%) just repeated the same character, such as “##” or “???”.

Password Predictability: Similar to Default Password

The system issued the same fixed initial password to every end user, so I also had the chance to see whether that influenced password selection. For example, if the initial password was “RedBlue1”, I looked for end users who simply changed it to something like “RedBlue2” or “GreenBlue1”. Unfortunately, similarity to the initial password was a factor, with many (13%) end users opting for this pattern.

Password Predictability: Similar to Username

Since I was also able to compare usernames to passwords, I could check for username/password similarity. For example, if a username was “john.smith@corp.com”, I looked for passwords like “John2013”, “JSmith13” or “!corp123”. Unfortunately, many end users (10%) did select a password that was strikingly similar to their username.
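Putting the two predictability checks above (similarity to the issued default and similarity to the username) into a policy check, here is an added Python example of my own, not the author's tooling or the site's actual filter. It also flags the year and capitalized-word-plus-digits shapes described in the complexity section. The thresholds (an edit distance of at most 2, or a shared substring of at least four characters or half the default's length) are my assumptions; the default password and username are the article's own examples.

```python
import re


def normalize(s):
    """Case-fold and drop everything that is not a letter or digit."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def levenshtein(a, b):
    """Classic edit distance; catches RedBlue1 -> RedBlue2 style changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_common_substring(a, b):
    """Length of the longest shared run; catches RedBlue1 -> GreenBlue1."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def username_tokens(username):
    """Pieces of a username an end user is likely to reuse: name parts,
    first-initial-plus-surname, and the first domain label."""
    local, _, domain = username.partition("@")
    parts = [p for p in re.split(r"[^a-z0-9]+", local.lower()) if p]
    tokens = set(parts)
    if len(parts) >= 2:
        tokens.add(parts[0][0] + parts[-1])  # "jsmith" from john.smith
    if domain:
        tokens.add(domain.lower().split(".")[0])  # "corp" from corp.com
    return {t for t in tokens if len(t) >= 3}  # ignore very short fragments


# Four-digit years not glued to neighbouring digits.
YEAR_RE = re.compile(r"(?<!\d)(19\d\d|20[0-2]\d)(?!\d)")
# The dominant shape: one leading capital, lower-case word, 1-4 digits, optional special.
CAPWORD_DIGITS_RE = re.compile(r"^[A-Z][a-z]+\d{1,4}[^A-Za-z0-9]?$")


def check_password(candidate, username, default_password):
    """Return a list of policy findings; an empty list means the candidate passes.
    Thresholds are assumptions chosen for this example, not from the article."""
    findings = []
    c = normalize(candidate)
    d = normalize(default_password)
    if levenshtein(c, d) <= 2 or longest_common_substring(c, d) >= max(4, len(d) // 2):
        findings.append("similar_to_default")
    if any(tok in c for tok in username_tokens(username)):
        findings.append("similar_to_username")
    if YEAR_RE.search(candidate):
        findings.append("contains_year")
    if CAPWORD_DIGITS_RE.match(candidate):
        findings.append("capitalized_word_plus_digits")
    return findings


if __name__ == "__main__":
    for pw in ["RedBlue2", "GreenBlue1", "John2013", "JSmith13", "!corp123", "Tq7#vLm2pZ"]:
        print(pw, check_password(pw, "john.smith@corp.com", "RedBlue1") or "ok")
```

All comparisons run on the normalized form, so case changes and inserted punctuation ("!corp123", "J.Smith13") do not evade the check; the structural regex runs on the raw candidate because the shape itself is the signal there.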