Check out the latest statistics on password cracking, and simple steps you can take to implement a robust password policy for your organisation.
Passwords are the gateway to your IT estate and all the assets you hold, including financial information, employee details, and sensitive or proprietary business data. Even in 2018 – when cyber attacks make daily headlines – many employees still use weak passwords, making it remarkably easy for cyber criminals to crack them. This can often place employees at the center of blame when attackers successfully compromise an organization.
Our latest password statistics:
Password cracking means recovering an employee’s credentials from hashed or encrypted password data, usually as the first phase of a wider cyberattack. A large, well-known organization recently engaged phishd to conduct a password audit of its employees using password cracking techniques. Of the 6,000 passwords we tested, here is what we found:
- We successfully cracked 73%;
- 35% of the passwords were derived from the organization’s name – e.g. using pHiShd!;
- 80 passwords derived from the word “password”.
Implementing a robust password policy
Encouraging good organizational password security is based both on policy and technology. On the policy side, organizations should mandate that:
- Standard user passwords should be at least 10 characters;
- Privileged user passwords should be at least 14 characters;
- Passwords should not be changed more frequently than every 6 months (evidence shows frequent password changes result in weaker passwords).
From a technical perspective, organizations should:
- Blacklist common/easy words and their derivatives;
- Make multi-factor authentication mandatory;
- Use exponential back-off algorithms to limit the rate at which an IP address or user account can attempt to authenticate, reducing the speed at which brute-force attacks can be run.
Equally important is ensuring that these policies are communicated effectively throughout the organization.
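As an added example (not phishd’s code), a small Python sketch of the technical controls above: a policy check that applies the 10/14-character minimums and a blacklist that also catches leet-speak derivatives such as pHiShd!, plus an exponential back-off limiter keyed on an IP address or account. The blocked-word list, substitution map and back-off parameters are constructed assumptions for illustration.

```python
# Constructed blacklist: the organisation's own name plus the word the audit
# found reused, each blocked together with its case and leet-speak variants.
BLOCKED_WORDS = ["phishd", "password"]
# Constructed substitution map: undo common character swaps before matching.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})
# Minimum lengths from the policy above, by user role.
MIN_LENGTH = {"standard": 10, "privileged": 14}


def normalise(password: str) -> str:
    """Lower-case and reverse leet substitutions so 'pHiShd!' matches 'phishd'."""
    return password.lower().translate(LEET_MAP)


def policy_violations(password: str, role: str = "standard") -> list[str]:
    """Return every policy rule the candidate password breaks (empty list = OK)."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters for {role} users")
    norm = normalise(password)
    for word in BLOCKED_WORDS:
        if word in norm:
            problems.append(f"derived from blocked word '{word}'")
    return problems


def delay_for(failures: int, base: float = 1.0, cap: float = 3600.0) -> float:
    """Seconds to wait after N consecutive failures: base * 2**(N-1), capped."""
    return min(base * 2 ** (failures - 1), cap)


class BackoffLimiter:
    """Exponential back-off per key (source IP or user account)."""

    def __init__(self) -> None:
        self._state: dict[str, tuple[int, float]] = {}  # key -> (failures, not_before)

    def allowed(self, key: str, now: float) -> bool:
        """True if an authentication attempt for this key may proceed at time `now`."""
        _, not_before = self._state.get(key, (0, 0.0))
        return now >= not_before

    def record(self, key: str, success: bool, now: float) -> None:
        """Reset on success; on failure double the lock-out window for this key."""
        if success:
            self._state.pop(key, None)
            return
        failures, _ = self._state.get(key, (0, 0.0))
        failures += 1
        self._state[key] = (failures, now + delay_for(failures))
```

A real deployment would persist the limiter state centrally so that an attacker cannot reset it by hitting a different server.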