Fixing weak passwords

Access & Identity Management Handbook 2011 Cyber Security

Passwords have been with us for ages, administrators and users need to rethink password security policies if they are to be truly effective.

Passwords have been present in information technology since the earliest days, but it is only in the last five years that computers have become powerful enough to crack common passwords in a sensible timeframe.

Websites such as show how easy it is to crack a WiFi password, and vendors such as Elcomsoft have released ‘password recovery’ applications that tap into the power of PC graphics cards to accelerate the ‘recovery’ (in reality, cracking) process.

Today, eight-character passwords can be cracked by consumer password recovery software in under an hour, and more experienced hackers armed with rainbow tables and other free tools can crack 14-character passwords – including alpha-numeric passwords with special characters – in less than three minutes. This makes it imperative for technology users to adopt longer, stronger passwords.

In fact, adding numeric characters to a password – creating a passphrase – can significantly increase the time needed by even the best cracking software, running on the latest six-processor equipped machine, to the point where brute force hacking of passphrases becomes impractical.

That is not to say that hackers and their technology will not advance in the near future – perhaps through fractal calculation techniques – to negate even this level of protection. So what can be done in your organisation to encourage staff not to use weak passwords?

The answer is to encourage the use of stronger passphrases and mandate that users update their passphrases on a regular basis. These updates can provide some measure of protection should a passphrase ever be compromised – say, in a hotel, a railway station, or even in the office. It is also advisable to configure rules to prevent users from cycling through old, previously used passphrases.

Many organisations set passphrases to expire within 60 days or less, and require both a minimum length, minimum age, and the use of special characters. These practices should be followed even in organisations where two-factor authentication (such as hardware tokens) are in place.

Less obvious rules

Within the IT department – and for Windows users – administrators should set the group policy to disable LANMan hashes. LANMan hashes are notoriously easy to extract and crack using brute force methods or freely available rainbow tables that provide a pre-computed list of hashes. The policy is located under \computer configuration\windows settings\security settings\local policies\security options\network security, and is configured by changing the setting to ‘do not store LAN manager has value on network password change = ENABLED.’

It is also advisable to set a minimum passphrase length of 15 characters, as this is the critical length where, regardless of other policies, LANMan hashes cannot exist in Windows systems.

Administrators should also set all in-built admin accounts (eg, administrator, root, sa, sys and so on) to have frequently updated passphrases that are different amongst all accounts. This particular recommendation purposefully breaks the peer-to-peer model of the Windows network and ensures that a breach of one system’s administrator account does not affect others.

It is especially critical to ensure that no two administrator accounts ever have the same passphrase. Otherwise, should one of these superuser accounts be compromised, other accounts and applications will be breached.

Also keep in mind that there are scenarios – such as restarting the computer in safe-mode – when disabled administrator accounts can be re-activated without user intervention. Therefore it is essential to continuously audit all superuser accounts in such a way that unusual activity is quickly discovered and the appropriate actions taken.

Fortunately there are software solutions available to help you continuously secure and audit the superuser credentials required for administrator logins, application-to-application transactions and highly privileged computer services.

User guidance

Do not include easily-guessed information in your passwords such as birthdays, family and pet names, or words for things in front of the computer system. Also, do not start with easily guessed words or common words such as ‘password’ and simply replace characters such as 'a' with an '@' or 'o' with a zero. Hackers know this strategy and their software knows it too.

Do not use the same passphrase for multiple logins – and in particular do not mix personal passphrases with business ones. Keep everything separate so that even if one account is compromised, the rest are secure.

Never give anyone – including IT staff – your password. If an administrator truly needs your passphrase, change it before disclosing it, then change it back when they no longer need access and ensure you are present when they are using your account.

Do not click links in e-mails from unknown senders, no matter how attractive or urgent they seem. And if your browser starts displaying pop-ups with unusual frequency or appearance – no matter where you are browsing – close your browser and scan your system for malware and adware. And then there are the not-so-obvious points...

Even when logging onto websites, use passphrases that are 15 characters long whenever allowed. This can help safeguard your account on sites whose administrators may not be protecting stored passphrases by disabling vulnerable hashing algorithms.

If you do online banking, be sure to logout after each session. This invalidates the login session stored on your system. Then close all browser windows before leaving your machine. If you are using a tabbed browser, simply closing the single tab is not enough. You must close all browser tabs and windows to clear the cached data from further use.

Do not allow browsers to store your passphrases for you, as not all browsers store your logins in a secure fashion.

Lastly, users should never configure a computer to automatically log them on. If your system is configured for auto-logon, Windows may actually store your passphrase in clear text within the registry of the system in one or more well-known locations. This mistake can give even the most amateurish of hackers both access to your system and knowledge of your passphrase – a potentially dangerous combination.


Effective passphrase security is often said to be a 'state of mind', and we have heard words such as 'holistic' used to describe the process.

In truth, all that is needed to create a more secure environment is the right set of automated building blocks – security policies – that are enforced by automated systems, audited and reviewed to account for current and future security threats.

To achieve real security it is also essential to collaborate with end users with no less zeal than hackers collaborate amongst themselves to develop the tools to put your organisation at risk. Remember to automate as many processes as you can to secure and audit your organisation’s passphrases. This decreases the likelihood of any weaknesses being overlooked, and increases the odds of your being alerted to any unusual activity.

Hackers think creatively when it comes to compromising your network, so developing a comprehensive strategy using tested building blocks is the right way to help defend your digital assets.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Exploiting the global pandemic
Issue 7 2020 , Cyber Security
Cyber criminals targeting remote work to gain access to enterprise networks and critical data reports FortiGuard Labs.

Integrated security is key to Huawei Mobile Services
Issue 7 2020 , Cyber Security
To ensure sufficient mobile device security, the technology giant incorporates security into its chip, device and cloud capabilities.

Cybersecurity becomes key enabler of sustainable business growth
Issue 7 2020 , Cyber Security
The adoption of rushed digital transformation strategies has left many facing unintended complexities and challenges.

Challenges healthcare is facing
Issue 6 2020 , Cyber Security
The healthcare industry has been forever changed by digital transformation, but cybercriminals are targeting the healthcare sector now more than ever.

Secure IoT devices and networks
Issue 6 2020, Technews Publishing , Cyber Security
Check Point Software’s IoT Protect solution secures IoT devices and networks against the most advanced cyber-attacks.

SentinelOne Protects the AA
Issue 6 2020 , Cyber Security
National provider of 24-hour motorist assistance stays on the road thanks to accelerated, AI-powered threat prevention, detection and response.

Protecting database information
Issue 6 2020 , Cyber Security
SearchInform has officially released Database Monitor, a solution for the protection of information stored in databases.

Work from home securely
Issue 5 2020 , Cyber Security
First Consulting provides enterprise-level IT security to working-from-home employees at more than 40 South African organisations.

Agility, meticulous alignment and testing
Issue 5 2020 , Cyber Security
Data loss can put the nails in the coffin for unprepared businesses. Investing in cyber resilience is key to succeed in the age of digital transformation.

Cybersecurity comment: A holistic approach to threat vulnerability
Issue 5 2020 , Cyber Security
Any organisation, whether large or small, public or private, should follow an established framework in order to protect itself against cyber threats.