Are Hackers Really Cracking 20-Character Passwords?
taken from https://t.co/NKYIrKwUDb

In the recent KnowBe4 password whitepaper/e-book (https://info.knowbe4.com/wp-password-policy-should-be) that I authored, I recommend that all users, when creating user-created passwords, make sure they are 20 characters or longer. My overall password advice is below:

[Image: summary of the author's overall password advice]

Not surprisingly, a lot of readers have asked me if it is really necessary to have 20-character or longer passwords. Are hackers really guessing 18- and 19-character passwords?

The quick answer is YES!

But as with all things, it is a little more complicated than that. First, the threat that requires super long passwords is password hash cracking, where an attacker has been able to obtain password hashes. There are lots of ways to steal passwords, the most common being social engineering, where the attacker does not care about the length or complexity of your password. Most password attackers do not care what your password is; they just take and steal it.

Password hash cracking requires that an attacker first obtain your password hash. In most instances, in order to obtain your password hash, an attacker has already obtained the highest level of access to your system or network. They are local Administrator, Domain Administrator, LocalSystem, or root. They are computer gods! They can do anything the software and hardware of the exploited system is capable of, including getting your password hash. It is already game over, and cracking your password hash to recover your plaintext password is just one of your many problems.

There are a few edge cases, like this (https://www.csoonline.com/article/3333916/windows-security/i-can-get-and-crack-your-password-hashes-from-email.html) and Kerberoasting (https://www.crowdstrike.com/cybersecurity-101/kerberoasting), where an attacker does not need to have that level of access to your system or network to get the hash, but those types of attacks are not super common (although they do absolutely happen in the wild).

There are no official statistics on what percentage of password attacks include the attacker gaining access to your password hashes and cracking them, but it is probably far less than 5% of all password attacks. It could even be less than 1% of overall password attacks. But that small percentage should not be ignored. There are many hacker groups, including ransomware groups, that include password hash cracking as part of what they do most of the time when they access a new exploited environment. The serious, professional cybercriminal groups that want to steal a lot of money or create a lot of damage, love password hash cracking.

A hacker can do a lot with a password hash (without cracking it back to its plaintext equivalent), especially in a Microsoft Windows or Active Directory environment (i.e., pass-the-hash attacks, etc.), but obtaining a plaintext password, instead of just the hash, gives the attacker more options. For example, they can log on remotely to online logon portals, collect email, and use the found password to attempt more logons at other unrelated sites and services where the compromised user may have shared the same password.

If an attacker has your password hash and wants to crack it (i.e., guess at it to convert it back to its plaintext equivalent), given today’s superfast password guessing computers, it takes a very long and complex password to keep the attacker from being successful.

How fast is superfast?

Some password hash cracking rigs can do over 100 trillion password hash guesses per second!

There are no official statistics on this either, but I would guess that the average password hacker can guess at an NT password hash (NT hashes are used in Microsoft Windows) at a rate of at least a trillion guesses per second. How long would most of your human-created passwords stand up to trillions of guesses per second, much less hundreds of trillions of guesses per second? For most user passwords, the answer is not long.

There are probably hundreds, if not thousands, of password guessing teams who can guess at NT password hashes many trillions of times a second and many teams can guess in the tens of trillions of times a second. Attackers can get tens of trillions per second of guessing power for less than $200 per hour using popular cloud providers. It is believed that many nation states have the capability to guess up to many hundreds of trillions of times a second.

If an attacker has the ability to do trillions to tens of trillions of guesses per second, most human-created passwords would fall fairly quickly. As a side note, we think that an 11-character, PERFECTLY RANDOM password would withstand even hundreds of trillions of guesses per second (at least for many years or longer), but who knows what type of power nation states really have.

Password Guessing vs. Password Hash Cracking

Password hash cracking is tremendously fast, because the attacker has stolen the victim’s password hash and can guess at the password hash, "offline", as fast as their hardware and software allows. They do not have to worry about account lockout, guess throttling, server-side response times, or network latency.

Password guessing is when the attacker is guessing at a potential victim’s password at a regular, online, interactive logon prompt. Password guessing is typically much slower. Given any regular online logon prompt, a password guesser can only guess maybe, at best, a few hundred to a few thousand times a minute per logon instance. Most online, interactive password guessing attacks are much slower--maybe a handful or two per minute per allowed attack instance. And if the victim’s logon service has account lockout or any type of rate throttling enabled, as is usually the case, then the guessing has to proceed much, much slower.

The longest successful, publicly known, online, interactive password guessing attack I am aware of is one where hackers guessed a 10-character password, “Welkom2020”, in 2021 (https://www.world-today-news.com/municipality-of-hof-van-twente-hacked-by-simple-password-welkom2020-now/). The attackers were allowed by the lax defenders to guess over 100,000 times a day for over a year. There have, for sure, been longer passwords broken by attackers on online portals, but it says something that the longest publicly known online password guessing compromise is ten characters. A 12-character perfectly random password would likely stop all known password guessing and cracking attacks, even if there was unlimited guessing.

Here is the predicted length of protection that various password hashes would give you against a password hash cracking rig capable of doing 45 trillion guesses per second (taken from https://t.co/NKYIrKwUDb):

[Image: table of predicted cracking times by hash type and password length]

So, it would take an attacker with 45 trillion guesses per second 5.6 years to break an 11-character perfectly random NT password hash (effective speed of 32 trillion guesses per second). A 12-character perfectly random NT password would take 538 years.
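To reproduce the arithmetic behind those figures, here is a small calculator added for this page (my code, not the author's or KnowBe4's). It uses the page's effective 32 trillion NT-hash guesses per second and assumes a 95-character printable-ASCII alphabet for a "perfectly random" password; the bcrypt rate is an illustrative assumption of mine, and the tiny differences from the page's 538 years come from rounding conventions.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
PRINTABLE_ASCII = 95          # keyboard-typeable characters (assumed random alphabet)

# Guess rates in hashes per second. NT_HASH_RATE is the page's effective rate for a
# 45-trillion-guess/s rig; BCRYPT_RATE is an illustrative assumption, not from the page.
NT_HASH_RATE = 32e12
BCRYPT_RATE = 1e5


def keyspace(length, alphabet=PRINTABLE_ASCII):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet ** length


def years_to_exhaust(length, guesses_per_second, alphabet=PRINTABLE_ASCII):
    """Worst case: years to try every password of this length at a constant rate.
    A random password falls, on average, in half this time."""
    return keyspace(length, alphabet) / guesses_per_second / SECONDS_PER_YEAR


def min_length_for(guesses_per_second, target_years, alphabet=PRINTABLE_ASCII):
    """Shortest random password whose full keyspace takes at least target_years."""
    length = 1
    while years_to_exhaust(length, guesses_per_second, alphabet) < target_years:
        length += 1
    return length


def seconds_for_candidates(candidates, guesses_per_second):
    """Time to run through a small candidate set, e.g. a pattern-based guess list."""
    return candidates / guesses_per_second


if __name__ == "__main__":
    for n in (8, 11, 12, 16, 20):
        print(f"{n:2d} random chars: NT hash {years_to_exhaust(n, NT_HASH_RATE):12.3g} y, "
              f"bcrypt (assumed {BCRYPT_RATE:.0e}/s) {years_to_exhaust(n, BCRYPT_RATE):12.3g} y")
    print("random length needed to last 100 years against the NT rig:",
          min_length_for(NT_HASH_RATE, 100))
    # Why patterns fail: "Capitalized common word + 4-digit year" is about
    # 1000 words x 100 years = 100,000 candidates, gone in microseconds.
    print("1000 words x 100 years at the NT rate:",
          seconds_for_candidates(1000 * 100, NT_HASH_RATE), "seconds")
```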

Also, it is very important to note that typical Linux/Mac password hashes (SHA2-256) are far more protective than the Windows NT hash. The most secure OSes, like OpenBSD, which uses BCRYPT, are really protective. If you use an OS that uses SHA1, SHA2, or BCRYPT password hashes, then your passwords don’t need to be 20 characters long. How long should they be? With SHA2 and BCRYPT hashes, at least 12 characters to offset unlimited online password guessing and password hash cracking attacks. That may not be enough, but in general they do not need to be as long as they need to be for Windows systems.

Password Hash Cracking Reality Today

The problem is that most user passwords are not perfectly random. They are the opposite. Most people’s passwords, even if they think they are “complex”, are not that hard to guess. Most human-created passwords of 12 characters or fewer fall quite fast (the same day) to average, everyday attacks. Some tougher passwords might take a few days, and this is against attackers with just one trillion guesses per second.

I have penetration testing friends, with one to ten trillion guesses per second capability, who routinely break 18-character human-created passwords. But all of these guessed/cracked passwords have fairly predictable commonalities. This means the passwords are mostly lowercase letters, with one or a few uppercase characters and one to four numbers (usually at the end). Many of the guessed passwords, like “Welkom2020” above, include the current year in them with two or four digits, often at the end. Usually, the first character of the password is an uppercase character, usually a consonant, followed by a lowercase vowel.

In longer passwords (also passphrases, pass-sentences, etc.), many of the included words are fairly common and can be found in a list of the 1000 most commonly used passwords. Many of the password guessers are guessing using dictionary words and numbers, and are quite successful at cracking the longer passwords.

What shocked me recently was that my same friends with password hacking experience were cracking 20-character or longer passwords, even if the passwords had decent complexity. How did they do it? They did it by first searching for the user’s logon names and passwords out on the many stolen password dump lists located on the Internet and dark web. If you did not know this, there are tens of billions of people’s logon names and passwords out on the Internet that anyone can access. My friends use a password dump querying tool (like recon-ng) to query all the big password dump lists for logons on their intended targeted company. They will usually find at least several handfuls of accounts for each target organization, which include either the user’s currently used password or some previous password. They will try using the found password as the current password or do some simple updating based upon noticed patterns. For example, the user may include the year in their password, and so even if the password is old, say “Welkom2020”, the hackers will try Welkom2022. Using this method, they are routinely breaking 20-character and longer passwords.

The lesson here is that you should not be using passwords based on previous passwords. You are just asking for trouble. The average person has four to seven passwords that they use/share on over 170 different websites. Each year, probably two of those web sites have their user logons and passwords stolen. You may or may not know this happened. If there is an old password or password pattern that the attacker can see, it can make guessing at the user’s current password trivial…even if the victim’s password was super long, complex, and unique.
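The defender-side counterpart to that lesson, as an added example (my code, not the author's): at password-change time the user supplies the old password in plaintext, so the service can reject a new password that is merely the old one with the year bumped or a symbol appended; the same check is applied to any breach-dump entries already tied to the account, which the example assumes are available in the same list.

```python
import re

YEAR_RE = re.compile(r"(?:19|20)\d{2}")   # two-digit-year prefixes people favor
DECORATION = "!@#$%^&*.?_-+="                # symbols typically tacked onto the ends


def normalize(password):
    """Reduce a password to its stable 'core': case-fold, drop every digit and strip
    decorating punctuation from both ends, so Welkom2020, welkom2022! and WELKOM-2023
    all collapse to 'welkom'."""
    core = re.sub(r"\d+", "", password.casefold())
    return core.strip(DECORATION)


def is_trivial_variant(candidate, previous):
    """True when the candidate differs from a previous password only by case, digits
    (years, counters) or decorating punctuation. All-digit passwords never match."""
    core = normalize(candidate)
    return core != "" and core == normalize(previous)


def check_new_password(candidate, known_passwords, min_length=20):
    """Policy check at password-change time. `known_passwords` holds what the defender
    can legitimately compare against: the old password the user just supplied and any
    breach-dump entries already attributed to this account (constructed sample below).
    Returns a list of finding codes; an empty list means the password is accepted."""
    findings = []
    if len(candidate) < min_length:                 # the article's 20-character floor
        findings.append("too_short")
    if any(is_trivial_variant(candidate, old) for old in known_passwords):
        findings.append("variant_of_known_password")
    if YEAR_RE.search(candidate):                   # current/recent year is the top tweak
        findings.append("contains_year")
    return findings


if __name__ == "__main__":
    # Constructed sample: this account's old password surfaced in a dump two years ago.
    leaked = ["Welkom2020"]
    for attempt in ("Welkom2022", "welkom-2023!", "q7$Lm2!vXe9#Rt4&Wn8^Zk"):
        print(f"{attempt!r:26} -> {check_new_password(attempt, leaked) or 'accepted'}")
```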

So, what’s a user to do?

Well, follow my password advice above. Use phishing-resistant multi-factor authentication (MFA) where you can and then use a password manager, with truly random, unique, passwords for every site and service where you cannot use MFA. No one wants to create super long passwords…and password attackers are showing that if passwords are not unique or follow a suggestive pattern, they can use them against potential victims in a password guessing or cracking attack. Human-based passwords are just really poor choices for protection, so avoid them if you can.

Use MFA and password manager-created perfect random passwords wherever you can. That’s the ticket.

Dominique Blas

Manager Cyber-risques / CISO Full-stack IT/indus/IoT & DPO Groupe chez Groupe Dehon

2 years

The answer is yes if the datum used is this shit of NT's SAM. The answer is no even if the length is 8 (amongst 96) for Bcrypt or SHA1 rolled 1M times (through PBKDF2, for example). db

Tristan Manzano

Pentester & RedTeamer | OSCP, OSWP, OSEP, CRTP, CRTE, CRTM, ECPPT, *.ProLab HTB & CARTP is coming

2 years

Bcrypt is the best

Ryan Skelton, CISSP

Senior Security Sales Engineer at Rapid7 | Often posting Cybersecurity related material but also anything funny and entertaining | My views don't represent my employer.

2 years

They hacked a quantum computer and can crack anything now in a matter of minutes. Do you think that will be a reality in the near future?

Sanja Petric-Milosevic CISSP

Senior Technical Account Manager @ Broadcom Inc. |CISSP

2 years

OMG ?? no way
