Extending passwords best defence against password-cracking tools, report says

Out-Law News | 18 Aug 2014 | 5:03 pm | 2 min. read

Longer passwords are harder to decode than those which are shorter but more complex in nature, according to a new study.

Information security company Trustwave said powerful computers can decipher shorter passwords more easily than longer passwords even if the shorter passwords contain a more complicated mix of letters, numbers and other characters.

A technology expert has said that the news has implications for companies' password policies and for the risks involved in storing encrypted versions of the passwords.

"Many general users and some IT administrators incorrectly assume that using various uppercase letters, lowercase letters, numbers and special characters in a password will make it more secure," Trustwave said. "The practice would likely make it harder for a human to guess your individual password, but it does not make recovering the password any more resource-intensive for password-cracking tools. Only increasing the number of characters in the password dramatically affects the time it will take an automated tool to recover the password."

Trustwave explained the findings as it outlined the result of a study it conducted into password security. The company built two machines to decipher 626,718 'hashed' passwords and said it managed to work out more than half of those hashed passwords within a few minutes. It "eventually cracked 576,533 or almost 92% of the sample within a period of 31 days", it said.

Hashing is a technique that enables passwords to be kept secret. The original characters that make up a password are replaced by a so-called hashed value, computed by a one-way function, that shields the underlying password. The hashed value is the one which is stored; when the password is next entered, it is hashed again and the result is compared against the stored value.

Earlier this year the UK's data protection watchdog, the Information Commissioner's Office (ICO), issued IT security guidance that advised businesses to ensure that passwords are subject to 'hashing' and another technique known as 'salting' so as to better protect privacy.
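The hashing and salting described above can be illustrated with a short sketch. This is an added example, not code from Trustwave, the ICO or Out-Law; the choice of PBKDF2-HMAC-SHA256, the iteration count, the record layout and the function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this sketch; the article names no algorithm or settings.
ALGORITHM = "sha256"
ITERATIONS = 600_000   # deliberately slow, so each guess costs an attacker time
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Build the record a server would store: salt, iteration count, derived hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(candidate: str, record: dict) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        ALGORITHM,
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def unsalted_hash(password: str) -> str:
    """Single fast hash, for contrast only: equal passwords give equal values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real data set.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("salted hashes equal for same password:", alice["hash"] == bob["hash"])
    print("unsalted hashes equal for same password:",
          unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    print("correct password verifies:",
          verify_password("correct horse battery staple", alice))
    print("wrong password verifies:",
          verify_password("correct horse battery stapler", alice))
```

Because each record carries its own salt, two users with the same password end up with different stored values, so a cracked hash cannot simply be matched across the whole database.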

Under the Data Protection Act, organisations must take "appropriate technical and organisational measures ... against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data". The ICO has the power to issue fines of up to £500,000 against businesses that are responsible for a serious breach of that requirement.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said that businesses that change their policies and practices to reflect studies such as the one conducted by Trustwave are more likely to be able to demonstrate compliance with their data protection obligations.

"It may not be obvious to all that Data Protection laws do not require organisations to provide absolute guarantees against personal data breaches," Scanlon said. "In practice, whether organisations can be said to have complied with their security obligations will depend on whether they can document measures that have been put in place to prevent unauthorised access to data, such as from successful cyber attacks, that the measures they put in place were appropriate particularly in light of industry knowledge and practice and whether steps have been taken to ensure that the data, even if stolen, was encrypted both while in transit and when at rest."

"Organisations that are able to demonstrate that they took pro-active steps to improve password security stand a better chance of avoiding fines from regulators if the worst happens and they experience a data breach that has a significant impact on their business or serious consequences for their customers," he said.