The short answer to this question is:

No! 7-character passwords are not long enough.

The long answer to this question is:

We had John Martin capture some NTLMv2 hashes (used by Active Directory), which he acquired over the air from a wireless network. We then had Andrew Gilhooley do some cracking with our new password smasher. Andrew calculates that the 7-character passwords we captured have a key space of around 6.2 quadrillion possible combinations. So what did we do? The new password smasher has 4 x AMD GPUs and cost us around £1,000, and it achieved a throughput of about 800 million attempts per second. Exhausting every possible password from 1 to 7 characters took around 3 hours! Yes, three hours. So with a modest investment we can crack your passwords of 7 characters or fewer – if we capture them.
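As an added example (not the authors' own tooling), the key-space and time-to-exhaust arithmetic behind this argument can be worked through for any character set and length, and extended to ask how long a password must be to outlast a given cracking budget; the character-set sizes and lengths swept are assumptions, while the 800 million guesses per second is the throughput quoted above.

```python
"""Brute-force time estimates for offline password cracking.

Added example, not code from the original post. Assumptions: the character
sets below, the 800 million guesses/second rate quoted in the post, and the
lengths swept. Times are worst case (every candidate tried); the average
case is half that."""
import math

# Constructed character-set sizes used as assumptions for the estimate.
CHARSETS = {"lowercase": 26, "lower+upper+digits": 62, "printable ASCII": 95}
# Ordered largest to smallest so human_time() picks the biggest fitting unit.
SECONDS_PER = {"year": 365.25 * 86400, "day": 86400, "hour": 3600, "minute": 60}


def key_space(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate passwords with lengths min_len..max_len inclusive."""
    if charset_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("invalid charset size or length range")
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(charset_size: int, min_len: int, max_len: int) -> float:
    """Key-space size expressed in bits."""
    return math.log2(key_space(charset_size, min_len, max_len))


def exhaust_seconds(candidates: int, guesses_per_second: float) -> float:
    """Worst-case seconds to try every candidate at the given rate."""
    return candidates / guesses_per_second


def human_time(seconds: float) -> str:
    """Render seconds in the largest unit that gives a value of at least 1."""
    for unit, span in SECONDS_PER.items():
        if seconds >= span:
            return f"{seconds / span:,.1f} {unit}s"
    return f"{seconds:,.1f} seconds"


def min_length_for(charset_size: int, guesses_per_second: float,
                   target_seconds: float, max_len: int = 64) -> int:
    """Smallest length n whose full key space (1..n) takes at least target_seconds."""
    for n in range(1, max_len + 1):
        if exhaust_seconds(key_space(charset_size, 1, n), guesses_per_second) >= target_seconds:
            return n
    raise ValueError("no length up to max_len meets the target")


if __name__ == "__main__":
    RATE = 800e6  # guesses/second, the rig throughput quoted in the post
    for name, size in CHARSETS.items():
        for n in (7, 8, 10, 12, 14):
            t = exhaust_seconds(key_space(size, 1, n), RATE)
            print(f"{name:>20} up to {n:2d} chars: "
                  f"{entropy_bits(size, 1, n):5.1f} bits, {human_time(t)}")
        years = min_length_for(size, RATE, SECONDS_PER["year"])
        print(f"{name:>20}: {years} chars needed to outlast one year of guessing")
```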

So what do we recommend for passwords?

Given today's compute power, anything less than 14 characters is not really worth considering, in our opinion. Even if you don't have the GPU power, there is always a good old-fashioned rainbow table, which compares precomputed hashes of known passwords against what has been captured. This is why passwords alone are no longer enough to secure access. Given the rate at which compute power is increasing, in another year 14 characters will not be enough!

NIST published a guidance document last year – SP800-118. It contains a considerable amount of information about password complexity and can be found at:

Additionally, wherever you may expose passwords over networks or services where they could be captured, we recommend that you either secure those links, ensure that passwords do not transit them, or, if they must, consider two-factor or multi-factor authentication. Even if we capture the passwords, with two-factor authentication we do not have the token. This makes any attack much more difficult.

Written by:

Steve Marshall
Andrew Gilhooley
John Martin