Virtualization Technology News and Information
Protecting Your Passwords: Expert Q&A with Darren Siegel of Specops Software on Mitigating Password Security Vulnerabilities and Outsmarting Password Crackers


Are your passwords strong enough to withstand the relentless attacks of hackers and password crackers? In this insightful Q&A article, VMblog has the privilege of speaking with Darren Siegel, a renowned expert from Specops Software, who sheds light on effective strategies to combat password security vulnerabilities.

Curious about what it takes for an attacker to crack a password? Darren explains that it depends on several factors, including password complexity, length, and the attacker's resources. With advanced tools and techniques, attackers attempt to crack passwords by brute force, dictionary attacks, or leveraging stolen password databases, so individuals and organizations must prioritize strong, unique passwords to thwart these attempts.

Read on for the full Q&A with Siegel, in which we dive into these explanations and more strategies and insights on fortifying your password security against an ever-evolving threat landscape.

VMblog:  What are password cracking techniques used by attackers?

Darren Siegel:  One of the biggest security threats is password cracking, and there are many methods used by threat actors to crack passwords. Some common techniques include:
  • Brute Force attacks - one of the most popular methods to crack your passwords that attempts every possible combination of letters, numbers, and symbols. The brute force method sometimes takes longer, but its success rate is rather high.
  • Dictionary - a systematic method of guessing a password by trying many common words and their simple variations.
  • Credential Stuffing - automation using stolen usernames and passwords obtained in a breach or purchased off the dark web to access user accounts.

VMblog:  What does it take for an attacker to crack a password?

Siegel:  The easiest and most common way that hackers get passwords is from data breaches, in which huge amounts of user data have already been leaked or stolen from companies. Stolen passwords can also be purchased on the dark web.

However, attackers rarely get access to plain text passwords in breaches and are more likely to have to use password cracking techniques to retrieve the actual password or data as it's likely to be hashed in some way. Though the techniques themselves are essential to know, many password crackers rely on readily available tools. Different hashing algorithms take different amounts of time, software and hardware to crack. MD5 is still among the most frequently cited hash algorithms in found leaks.

VMblog:  What type of password is hardest to crack?

Siegel:  When an attacker has the right tools and techniques, poorly constructed passwords can be cracked in under a second. From an analysis done by Specops Software on how long it takes to brute force guess passwords hashed with MD5, selecting a combination of uppercase and lowercase letters, numbers, and symbols that is over 12 characters long will take over 26,500 years to be cracked. In short: 12 characters long (longer is even better), with a mix of letters, numbers, and symbols.

Take a look at how long it might take a criminal to brute force guess passwords hashed with MD5 in the table below:


The data in the above table is based on the following assumptions:

  • Hardware: the Nvidia RTX 4090. To generate this data, we are using a hypothetical system comprised of 4x Nvidia RTX 4090s. This is a setup that is approachable for bad actors that might be attempting to use password leaks to achieve access to an organization's accounts.
  • Software: Hashcat. Generally, a stock RTX 4090 will achieve approximately 164 GH/s in Hashcat (that can be thought of as 164 000 000 000 password guesses/second).

VMblog:  What are ways to reduce the password security vulnerabilities associated with password cracking?

Siegel:  With the growing technology that helps evolve password cracking and cyber-attacks related to stolen credentials, it is essential to do the following to protect your organization and end-users:

  • First and foremost, compare against a list of already stolen/compromised passwords.
    • Download the free tool, Specops Password Auditor to scan your Active Directory for over 940 million unique compromised passwords.
  • Decrease the arbitrary need for password complexity and focus on overall password length. For example, looking at the above chart: an eight-character password comprised of lowercase, uppercase, numbers and symbols only takes 12 days to crack, whereas a 15-character password comprised of lower and uppercase letters takes 2 million years to crack.
  • Do not reuse passwords across different services to avoid attacks such as credential stuffing. When end users reuse their passwords on external sites and applications it creates a greater vulnerability if that password is hacked.
  • Do not use commonly used base terms in your passwords, such as company name, city, sports teams, keyboard walks, etc. This makes it easier to guess passwords.

VMblog:  How can organizations help users create stronger passwords?

Siegel:  Enforce a stronger password policy so you're not reliant on the behavior of your end-users. Specops Password Policy helps users create stronger passwords in Active Directory with dynamic, informative feedback at password change. This feedback is particularly useful in cutting back on helpdesk support for password change, as well as teaching sustainable password hygiene.

Plus, with Specops Password Policy you can extend the functionality of Group Policy and simplify the management of fine-grained password policies. Access features such as custom dictionaries, unique and customizable password policies, and the ability to block over 3 billion compromised passwords to help your organization automate a stronger password policy.


Published Thursday, June 08, 2023 7:31 AM by David Marshall