Password Complexity: Why It Makes a Difference in a Breach

By: Joel Carleton, CSID Director of Cyber Engineering

We’ve all heard that it’s important to pick long, complicated passwords. What you may not realize is why this becomes crucial in the context of a breach. While ensuring you don’t pick from some of the most common passwords is important, it’s still not enough. 

Some background on how passwords are stored: we still see websites keeping passwords in plain text (in that case, if you are part of a breach, the complexity of your password makes no difference at all), but it is far more common for a website to store a one-way hash of your password rather than the password itself. This is hashing, not encryption: there is no key, and the hash cannot be reversed back into the password. Put simply, the hash function takes your password and transforms it into a fixed-length string of characters that is then stored in the website's database. The website does not know your original password. When you log in, it applies the same transformation to what you typed and compares the result to the string stored in the database. If they match, it knows you entered the correct password. Well-run sites also mix a per-user random salt into the hash and use a deliberately slow hash (bcrypt, scrypt, Argon2 or PBKDF2) so that each guess costs an attacker much more; the numbers later in this post assume the fast, unsalted hashes that are still common in breach dumps.

When a company is breached, a common result is the sale or sharing of that company's user accounts. They may be publicly disclosed, shared in criminal forums and chat rooms, or sold to the highest bidder. The breached company may have taken steps to protect your credentials, but the strength of your password can be your best friend or your worst enemy. When the breached website hashed its passwords, the criminal steals a list of user ids/emails and their associated password hashes. They do not yet have your original password, and a hash cannot be decrypted. What the criminal can do is guess: hash each candidate password with the same function and check whether the result matches the stolen hash. There are many sophisticated techniques at the criminals' disposal (dictionary lists, rules that mutate dictionary words, precomputed tables), but one of the most basic is the "brute force" method: every possible password of a given length is tried. Given the short and simple passwords that are routinely used, the criminal can quickly recover the majority of the hashed passwords.

To find out just how simple it can be to recover a password from its hash, try to Google the unsalted MD5 hash of a common password, "d8578edf8458ce06fbc5bb76a58c5ca4". It's pretty easy to see what the original password is without any brute-force guessing software at all: the hash of every common password has already been computed and indexed.
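The two sides of the story above, as an added example that is not part of the original post: the website side stores and verifies a fast, unsalted MD5 hash (MD5 is used only because the hash quoted in the post is MD5; it is not a recommendation), and the attacker side, holding nothing but the stolen hash, recovers the password first by a dictionary lookup and then by exhaustive brute force. The breach dump, the mini wordlist and the password "hunt" are constructed for the example; the first hash in the dump is the one quoted in the post.

```python
import hashlib
import itertools
import string
from typing import Iterable, Optional, Tuple


def hash_password(password: str) -> str:
    """What the post describes: the site stores a one-way hash, not the password.

    Fast and unsalted on purpose, to match the post's example hash.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def verify_login(stored_hash: str, attempt: str) -> bool:
    """Login check: hash the attempt the same way and compare to what is stored."""
    return hash_password(attempt) == stored_hash


# Constructed sample of what a breach dump looks like: identifiers and hashes only.
BREACH_DUMP = {
    "alice@example.com": "d8578edf8458ce06fbc5bb76a58c5ca4",  # the hash quoted in the post
    "bob@example.com": hash_password("hunt"),  # constructed: 4 lowercase letters
}

# Constructed mini wordlist; real ones hold millions of leaked passwords.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def dictionary_attack(target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Hash each word in the list and compare; no login attempts are needed."""
    for word in wordlist:
        if hash_password(word) == target_hash:
            return word
    return None


def brute_force(target_hash: str, alphabet: str = string.ascii_lowercase,
                max_len: int = 4) -> Tuple[Optional[str], int]:
    """Try every string over `alphabet` up to `max_len`, shortest first.

    Returns (password or None, number of guesses hashed). Every guess is
    computed locally from the stolen hash, which is why rate limits and
    account lockouts on the website never come into play.
    """
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if hash_password(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    alice_hash = BREACH_DUMP["alice@example.com"]
    print("dictionary hit for alice:", dictionary_attack(alice_hash, COMMON_PASSWORDS))
    pw, n = brute_force(BREACH_DUMP["bob@example.com"])
    print(f"brute force recovered {pw!r} after {n} guesses")
    print("login with recovered password works:", verify_login(BREACH_DUMP["bob@example.com"], pw))
```

The brute-force loop hashes at most 26 + 26^2 + 26^3 + 26^4 = 475,254 candidates for a four-letter lowercase password, which plain Python finishes in well under a second; the figures later in the post scale that same loop up to GPU speed and to the full printable character set.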

Let's assume you've chosen something more complicated. For a password of 6 characters, how many brute-force guesses are necessary? If your password is drawn from upper- and lower-case letters only, that is 52 choices per position, or 52^6 = about 19.8 billion possible passwords. Two things make cracking this type of password trivial for the criminal:

  1. They do not have to attempt to log in to the website for each guess. Online guessing is slow, and rate limits and account lockouts would stop it long before the necessary number of attempts. Because they hold the hashed password, they can make as many guesses as they want on their own hardware without anyone knowing what they are doing. 
  2. Computers are very good at making very fast guesses. An average computer with a good graphics card can compute 500 million fast hashes such as MD5 per second. At that rate the whole 6-character, letters-only keyspace (52^6) is exhausted in about 40 seconds, so your password falls in 40 seconds or less. Adding digits and the full set of printable non-alphanumeric characters raises the alphabet to 95 choices per position, and 95^6 = about 735 billion candidates, which still takes only about 25 minutes or less. 

Parting advice: the easiest way to make your passwords better is to make them longer (at least 9 characters). Each extra character multiplies the number of guesses by the size of the alphabet, whereas widening the alphabet only multiplies each position by a smaller factor. If you still use only alphanumeric characters (62 choices per position) but your password is 10 characters, the keyspace is 62^10 = about 8.4 x 10^17, and at 500 million guesses a second a criminal would need over 19,000 days, roughly 53 years, to try them all. That figure assumes the characters are genuinely random: a 10-character password built from a dictionary word with a digit or two appended falls to a rule-based attack in a tiny fraction of that time. Hopefully the criminal won't have decades on his hands and will move on to an easier target!
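The keyspace and time-to-crack arithmetic behind the figures in the numbered list and the parting advice, as an added example (not the author's code): a pure brute-force attacker who tries every string over an alphabet of `charset_size` symbols at `guesses_per_second` fast-hash guesses a second, with the post's 500 million per second as the assumed rate. The table it prints contrasts lengthening the password with widening the character set, which is the post's point.

```python
from typing import List, Tuple

GUESSES_PER_SECOND = 500_000_000  # the GPU rate assumed in the post, for a fast unsalted hash

# (label, alphabet size) for the character sets discussed in the post
CHARSETS = [
    ("lowercase letters", 26),
    ("upper + lower case letters", 52),
    ("letters + digits", 62),
    ("all 95 printable ASCII", 95),
]


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols over the alphabet."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = GUESSES_PER_SECOND) -> float:
    """Worst case: every candidate of this length is hashed once.

    On average the correct password is found after half this many guesses.
    """
    return keyspace(charset_size, length) / rate


def human_duration(seconds: float) -> str:
    """Round a duration to the largest convenient unit, for the table."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def crack_time_table(lengths: Tuple[int, ...] = (6, 8, 10)) -> List[Tuple[str, int, float]]:
    """Rows of (charset label, length, worst-case seconds) for every combination."""
    return [(label, n, seconds_to_exhaust(size, n))
            for label, size in CHARSETS for n in lengths]


if __name__ == "__main__":
    print(f"worst-case brute-force time at {GUESSES_PER_SECOND:,} guesses/s")
    for label, n, secs in crack_time_table():
        print(f"{label:<28} {n:>2} chars  {human_duration(secs):>18}")
    # Going from 52 to 95 symbols at length 6 buys a factor of (95/52)**6, about 37;
    # adding a single lowercase letter to a 62-symbol password buys a factor of 62.
    print("widen 52->95 at length 6:", round((95 / 52) ** 6, 1))
    print("add one character at 62 symbols:", 62)
```

The worst-case numbers reproduce the post's figures: 52^6 at 500 million a second is about 40 seconds, 95^6 about 25 minutes, and 62^10 about 19,400 days. The same table run against a slow, salted hash would have a rate in the thousands of guesses a second rather than hundreds of millions, which is why the hashing choice on the website side matters as much as the password's length.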



Leave a Reply