This week I have been to IT Expo in Manchester, an IT security/cloud/DevOps conference for IT pros. The event ran over two days and was extremely useful for me. It had a number of workshops and speakers covering a wide range of subjects, from data analytics projects predicting whether a couple would stay together or get divorced, to how wireless kettles can be taken over and used for mining. All in all it was a very informative and entertaining event.
During a few of the sessions, however, a common theme came to my attention, one that I really hadn’t given much thought to before: the use of weak passwords by users. By default, within Active Directory/Group Policy the minimum password length is set to 7 characters. The policy does give you the option to configure a few things, but not much really: how many previous passwords a user is not able to reuse (password history), how long a password can be kept for (maximum age), and the minimum length. The final option you have is password complexity. This cannot be tailored; by default it is enabled and requires a password to contain three of the following four categories: uppercase, lowercase, number, special character.
Although that sounds reasonable, a password as simple as Password1 passes this requirement without any real issue. Another “complex” password a user could have is Winter2017, and when they are forced to change it, Spring2017, and so on. I’m sure you can all see where I am going with this and are already well ahead of me.
So back to my conference. After lunch on Wednesday I attended a talk by a white hat hacker (a good guy) whose talk was basically about how he goes about his job of penetration testing. As part of this talk he described how he would crack passwords for fun and some of the greatest and easiest he had come across. Listed below are the top 20 worst and easiest passwords to crack, and next to that is the time a typical attacker would take to crack passwords by length. As you can see, the longer your password the better, with 10 characters seeming to be the magic number. This has certainly shocked me into looking at an alternative to the password complexity rules we apply to users, moving away from Microsoft’s default Group Policy settings.
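To make the two points above concrete (that the default complexity rule happily accepts Password1 and Winter2017, and that a 10-character minimum plus a few pattern checks would reject them), here is an added PowerShell example. It is not code from the original post or from Microsoft. `Test-DefaultComplexity` mirrors only the character-class and length part of the default domain policy described above (the real rule also rejects passwords containing parts of the account name, which is not modelled here); `Test-StrictPolicy` is a hypothetical stronger rule I have written for illustration, and the sample passwords are constructed.

```powershell
# Added example, not from the original post. Audits candidate passwords against
# (a) the character-class portion of the default Windows complexity rule and
# (b) a hypothetical stricter rule using the 10-character minimum mentioned above.
# On a domain-joined host with RSAT installed, the live values can be read with:
#   Get-ADDefaultDomainPasswordPolicy

function Test-DefaultComplexity {
    param([Parameter(Mandatory)][string]$Password)

    # Default policy as described in the post: at least 7 characters ...
    if ($Password.Length -lt 7) { return $false }

    # ... and at least three of the four character classes.
    # -cmatch is case-sensitive, so upper and lower case are counted separately.
    $classes = 0
    if ($Password -cmatch '[A-Z]')         { $classes++ }
    if ($Password -cmatch '[a-z]')         { $classes++ }
    if ($Password -match  '[0-9]')         { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]')  { $classes++ }
    return ($classes -ge 3)
}

function Test-StrictPolicy {
    param([Parameter(Mandatory)][string]$Password)

    # Hypothetical stronger rule (assumption, not a Microsoft setting):
    # keep the class requirement, raise the minimum length to 10, and reject
    # the predictable shapes users fall back on when forced to rotate.
    if (-not (Test-DefaultComplexity -Password $Password)) { return $false }
    if ($Password.Length -lt 10) { return $false }

    # Season or month name followed by a year (Winter2017, Spring2018!, ...).
    $seasonYear = '^(spring|summer|autumn|fall|winter|jan(uary)?|feb(ruary)?|mar(ch)?|apr(il)?|may|jun(e)?|jul(y)?|aug(ust)?|sep(tember)?|oct(ober)?|nov(ember)?|dec(ember)?)\d{2,4}[^A-Za-z0-9]{0,2}$'
    if ($Password -match $seasonYear) { return $false }   # -match is case-insensitive

    # A single word with a short numeric/symbol suffix (Password1, Welcome123!).
    if ($Password -match '^[A-Za-z]+\d{1,4}[^A-Za-z0-9]{0,2}$') { return $false }

    return $true
}

# Constructed sample passwords used only to show how the two rules differ.
# The passphrase in lower case fails the DEFAULT rule (only two classes: lower
# case and the space character) even though it is 28 characters long, which is
# one reason the default complexity setting is a poor proxy for strength.
$samples = @(
    'Password1',
    'Winter2017',
    'Spring2018!',
    'correct horse battery staple',
    'Correct horse battery staple',
    'k9#Lm2$pQ7vX'
)

$samples | ForEach-Object {
    [pscustomobject]@{
        Password      = $_
        Length        = $_.Length
        PassesDefault = Test-DefaultComplexity -Password $_
        PassesStrict  = Test-StrictPolicy -Password $_
    }
} | Format-Table -AutoSize
```

Running this shows Password1 and Winter2017 passing the default rule and failing the strict one, and the capitalised passphrase passing both. The point of the strict function is not the specific regexes, which any real deployment would want to tune and extend, but that length and a ban on predictable rotation patterns catch exactly the passwords the default three-of-four rule lets through.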