Weak passwords are not defined by specific characteristics alone, such as the number of characters in the password or the types of characters. They are defined by those characteristics in the context of available computing power and capabilities. For example, in the 1970s and 1980s, a five- or six-character password would have been very resistant to attack, but today such a password can be cracked in seconds by many systems. Therefore, what was sufficiently long thirty or forty years ago is no longer sufficient today.

In other words, weak passwords are defined by specific characteristics in context. The bad news is that the context is ever changing (well, this is good news if you want or need lots of computing power for non-malevolent goals). The computers of the 70s and 80s ran at clock speeds measured in kilohertz and megahertz, with no commonly accessible systems operating near or above 100 megahertz (clock speed is measured in hertz: 1 kilohertz is a thousand cycles per second, 1 megahertz is a million cycles per second, and 1 gigahertz is a billion cycles per second). In the 90s, we saw a flood of systems that operated at or above 100 megahertz, particularly in the second half of the decade. From the year 2000 onward, most standard computer processors have been measured in gigahertz, ranging from 1 gigahertz to more than 4 gigahertz today. Additionally, multiple cores were added, taking processors from a single core to 12 cores or more.

The trend will continue, though some experts predict that it will slow until quantum computing takes off. Also, many newer “computing devices” operate below 100 megahertz again today, because they are specialty computing devices ranging from the computers in your refrigerator to those that control automobile electrical systems and features.

If the trend is for the increase in computing speed to slow and for many newer devices to intentionally use slower processors, does this mean that we will also see an end to the continual increase in password length and complexity needed to battle increased processing power? The answer is a firm no! The reason is simple; let me explain.

In the 1980s and for most of the 1990s, we were concerned about the processing power of a single computing device. With the proliferation of the Internet, we must now be concerned with combined processing power. For example, imagine that an industrial plant has one thousand IoT devices that each contain a 50 megahertz processor. If an attacker finds a way to gain control of all of these IoT devices, she will have 50 gigahertz of processing power at her disposal. Even if we assume some significant consumption of the processor for other tasks so that only half of the capabilities are left for the attacker, she still maintains 25 gigahertz of processing power.

Now, expand this to the Internet (and not just the local IoT network). If the attacker can find ten similar networks of these IoT devices that she can control and that have access to the Internet, each averaging one thousand devices per network, she now controls between 250 gigahertz and 500 gigahertz of processing power.

In addition to the availability of Internet-connected devices, attackers today can use GPUs (Graphics Processing Units), which are present in many systems. GPUs are designed for the numerically intensive work of graphics processing, but that same design makes them work phenomenally well for password cracking. The overall point is simple: attackers will continue to find ways to crack ever longer passwords faster and faster.

As an example, Hive Systems released a table in 2020 showing the length of time required to crack passwords, and they updated it in 2022. The original table was based on a GPU available in 2020 and the new table on a faster GPU available in 2022. The result was that, in the two years between the two reports, the time required to crack passwords was reduced by 35-40 percent. For example, a ten-character password with numbers, upper and lower case letters, and symbols would take five years to crack in 2020, but only three years in 2022. The same password description, but containing only eight characters, took eight hours to crack in 2020, but only five hours in 2022 (read the full report from Hive Systems).

The good news is that an eleven-character password containing upper and lower case letters, numbers, and special characters still took 34 years to crack. Therefore, to crack it in one year, the attacker would need about 34 GPUs to share the load. To crack it in one month, the attacker would need hundreds of GPUs. So a password of eleven or twelve characters meeting the previously defined complexity requirements is still quite resistant in 2022. However, one should not get too comfortable. I’m about to go on a rant, so if you came for the above information only, you may want to run away, but I encourage you to consider my rant.
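The arithmetic behind the last several paragraphs (the pooled processing power of the plant's thousand IoT devices, the 35-40 percent reduction between the 2020 and 2022 Hive Systems tables, and the 34 GPUs needed to turn 34 years into one) can be put into a small estimator. This is an added example, not code from the original post or from Hive Systems; the guess rate is an assumed round number, and the 94-symbol character set is the usual count of printable US-keyboard characters.

```python
"""Password search space vs. attacker compute: an added worked example.

Not part of the original post. ASSUMED_GUESSES_PER_SECOND is an assumed
round figure for illustration, not a measurement of any GPU or of Hive
Systems' data; the character-class sizes are the usual US-keyboard counts.
"""
from math import ceil

SECONDS_PER_YEAR = 31_557_600                     # 365.25 days
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL_CHARSET = LOWER + UPPER + DIGITS + SYMBOLS    # 94 printable symbols
ASSUMED_GUESSES_PER_SECOND = 1e10                 # assumption: one device


def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols drawn from the charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst case: every candidate tried once at `rate` guesses per second."""
    return keyspace(charset_size, length) / rate


def pooled_seconds(single_device_seconds: float, devices: int) -> float:
    """Time when `devices` identical machines split the search evenly."""
    return single_device_seconds / devices


def devices_needed(single_device_seconds: float, target_seconds: float) -> int:
    """Machines required to finish within `target_seconds` (34 yr -> 1 yr: 34)."""
    return ceil(single_device_seconds / target_seconds)


def speedup_percent(old_seconds: float, new_seconds: float) -> float:
    """Reduction in cracking time between two hardware generations."""
    return 100.0 * (old_seconds - new_seconds) / old_seconds


if __name__ == "__main__":
    # Each extra symbol multiplies the worst case by 94; pooling divides it.
    for length in range(8, 13):
        one = seconds_to_exhaust(FULL_CHARSET, length, ASSUMED_GUESSES_PER_SECOND)
        print(f"{length:2d} chars: {one / SECONDS_PER_YEAR:14.2f} years on one device, "
              f"{devices_needed(one, SECONDS_PER_YEAR):>8d} devices for 1 year, "
              f"{devices_needed(one, SECONDS_PER_YEAR / 12):>9d} for 1 month")
    # The article's plant: 1000 devices at 1/200 of the rate each still
    # finish a 10-character search 5x faster than one full-speed device.
    slow = seconds_to_exhaust(FULL_CHARSET, 10, ASSUMED_GUESSES_PER_SECOND / 200)
    print(f"10 chars on 1000 slow devices: {pooled_seconds(slow, 1000) / SECONDS_PER_YEAR:.2f} years")
    # The 2020 -> 2022 Hive Systems figures quoted above.
    print(f"10 chars: {speedup_percent(5, 3):.1f}% faster; 8 chars: {speedup_percent(8, 5):.1f}% faster")
```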

We often hear, in the security industry, that smaller companies are not likely to be targeted by attackers with significant computing resources because the payoff is not high enough for the attacker. However, an attacker may need to acquire those very computing resources in order to attack another, larger target. For example, if the attacker can get thousands or millions of computers to run a script that identifies whether GPU resources are available and, if so, takes control of those computers, the attacker can build a botnet (a group of controlled computer systems) that can be used for any compute-intensive task she desires. Once she controls these thousands or hundreds of thousands of computers, the attacker can use them for nefarious purposes. Additionally, the attacker may intentionally use only a limited amount of each machine's resources and take no other damaging actions on the controlled computers, to reduce the likelihood that the remote control is detected.

Because smaller companies feel less threatened, they often implement weaker (or no) security controls than larger organizations. Therefore, they become a tempting target for attackers desiring to build a botnet. Why build such a botnet?

  • For personal pleasure (owning the victims)
  • For personal attacks (launching attacks against targets for political purpose, financial purposes, or simply the thrill of it)
  • To sell to others (such as large crime organizations)

While all of this may sound more like a movie plot than real life, a quick search for EMOTET on the Internet reveals that it is real. EMOTET had millions of controlled machines in its botnet. The botnet was used for malicious purposes and access to it was sold to criminal organizations. Multiple countries joined forces and took it down in 2021 (so they thought). However, it re-emerged within a few months and, like many other malware-based systems, is likely to continue resurfacing in newly evolved forms.

Therefore, security is important for small organizations and large organizations alike. Neither can ignore the threats. But what does all of this mean for passwords? Today, it means that, when you use passwords, they should be complex and contain eleven or more characters. It also means that valuable and sensitive information should sit behind authentication systems that use something other than, or in addition to, passwords (multi-factor authentication), such as access cards (smart cards), biometrics, or two-factor authentication.

This is the reality of weak passwords.