How to demo password hacking?

Aside from giving lectures on password security, discussing the various theories about how to create stronger passwords (and password policies), is there a standard way to demonstrate how easy it is for a particular password to be hacked over another? I’m making changes to our organization’s policies and I think it would be useful to demo the difference in ‘hackability’ between one password over another using a legitimate tool as opposed to just stating accepted practices or using ‘strength meters.’ Any thoughts on how to handle this? It’s both to show the general user and to get higher management on board with better security.

Looking for a little guidance on how best to do this. I know there are a variety of security tools out there but, without experience with using any particular one, pointers to what is most popular & useful would be helpful.

Our company used to employ a guy who was an ethical hacker who worked in this exact area. Unfortunately, he’s no longer employed by us, so I can’t contact him. But I did google ‘ethical hacker password crack demo’ or some such and got a page with some tools on it which might be something you could use to show how easy it is to crack weaker passwords. Maybe you could construct a demo using some accounts with different password strengths?

At any rate, the page is here:

Just be careful when you google that you get demo or ethical hacker programs as opposed to the kind of crap people look for to actually crack passwords.

Alternatively, get one of the leaked password lists and show management how many of their passwords are on it.

Great, thanks. I’ll check out the list. I figure it’ll be more impactful to show what can happen with weak policies/passwords than just talk about it, so that may help.

This Ars Technica article might help.

Funny, but I remember reading that article back then. Not much has changed for 2016?

Fairly rapid increases in GPU hardware have made parallel brute force attacks even easier than they were then. Security community consensus seems to be that no password is actually safe. Two, or even three, factor authentication is where it’s at.

I thought this new recommendation from the NIST was interesting:

Reinforces my gut instinct that password rotation strategies are pushing me to make my passwords worse, not better.

I think companies should give every employee a class on how to use a password manager. These days, it’s not uncommon to have over a hundred personal and business login accounts, so of course everyone is going to re-use the same password, and then it’s only a matter of time before that email/password combo is in a hacker database. Everyone should 1) use a password manager, 2) let the password manager create passwords for you, 3) use a unique password for every account, 4) sign up for two-factor authentication, when available, 5) never, ever click on a link in email, no matter who it appears to be from.

Would definitely be worthwhile for most workplaces. I use one outside of work, and plenty of 2FA when available. Workplace is another story. I share the knowledge where possible, but most people only have a couple passwords aside from Windows to remember at work. Knowing their password manager password would be just as much a struggle, unfortunately, and would be just as weak.

Do a live demo.

In a classified environment, not only do we need to change our password every 90 days, but the rules for your password are so convoluted that it has pretty much forced me to have a password scheme in order to have any chance of remembering my passwords. Adding to the complexity is the fact that different members of the Intelligence Community have different password standards (one of them allows you to use up to 4 of any single character class in a row [lowercase, uppercase, numeric, symbols] while a different agency only lets you use 3 in a row max).

In a hospital where I worked, lots of personnel had the password pattern ‘September_2016’, as it gave them unique passwords that didn’t repeat the previous months’, were easily remembered, had uppercase and lowercase, numbers and symbols, and a decentish length. It was also easily guessable…

This statement would probably make people disregard the rest of your advice. It’s hilariously impractical.

Yep, it’s very impractical, but unfortunately necessary in any business organization these days. Phishing attacks are extremely common. There are other ways to share a link besides email, thankfully.

Do you think it’s impractical? In the classified environment in which I work, clicking on bad links was so prevalent that they modified Outlook to disable auto linking of text. So now when you receive our URL in an email you have to copy and paste it into your browser window.

I wouldn’t be shocked if people still clicked on random phishing links regardless.

Cut and Paste is the way to go with links.

Alternatively, Microsoft could easily have modified Outlook since way back in 1997 to show the actual URL and not the “HTML” version of it.

We should have never moved away from plain-text emails, or at least started using crypto-signed ones…

That won’t stop most people. looks legitimate to most normal computer users.

Maybe, but it at least looks more fishy than for some of the users that would have clicked on it when it was

Hmm: Error 500 on that post?

I don’t have a useful opinion. But since there’s already a lot of useful ones, I will consider that my cue to post:

Passwords are a responsibility; they are the key to accounts and private information. People who are in a workplace have a legal responsibility to keep some information private.
When you are using a weak password you are not doing enough with your responsibilities. You make it easier for private information to be leaked.
The dudes that put these rules try to put enough rules so these passwords are not easy to guess by brute force algorithms or social attacks.
If you use your boyfriend’s name as a password, it’s trivial for somebody doing a social attack. If you use a trivial password or one password from a dictionary, like 123456, it’s trivial for a brute force attack.

Generally the rules to build passwords try to make brute force attacks hard. This can be done by making the number of possible combinations high. For 8 characters using the English alphabet, and a machine that can try 2 million keys in 1 second, the password will be broken in 9 seconds. But if uppercase and lowercase are mixed, with numbers, then it will require 25 days to break.
All these silly rules exist to make sure people don’t use dumb passwords like hunter or carmen, and to force crackers to try passwords like A45Fcc$1ee.

Cars can be stolen without the keys, and the same is true for computers. Sometimes software is cracked without using passwords. And sometimes passwords are leaked, like if somebody uses the password on a computer with spyware that captures keystrokes. So passwords can’t be and must not be the final or only protection. Passwords are only a defense in depth. Private data needs to be inside VPNs, not on the free internet through a password. Data that is even more private needs to be behind two password systems. Data that is even yet more private needs 3 doors, or perhaps to not be in a computer. People will do dumb things. Passwords will be stolen. But no ship should be like the Titanic that only had one floating volume, so a single hole sank it.

Sorry for not posting an informative post, but an opinion post. Please read all of the above instead of mine.
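As an added example (not code from anyone in the thread), a small Python script that puts the keyspace reasoning in the post above, the leaked-list idea suggested earlier and the ‘September_2016’ pattern problem side by side for a policy demo; the leaked list and the 10 billion guesses/second GPU rate are constructed assumptions, and the 2 million keys/second default is the rate the post uses.

```python
import re
import string

# Character classes the password rules count. Once a class appears,
# a brute-force attacker must cover its whole pool for every position.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}

# Constructed stand-in for a leaked password list (not a real corpus).
LEAKED = {"123456", "password", "hunter", "carmen", "qwerty"}

# Month_Year style passwords like 'September_2016': 12 months, optional
# separator, four-digit year. The dictionary is tiny no matter how many
# character classes the string happens to contain.
MONTH_YEAR = re.compile(
    r"^(january|february|march|april|may|june|july|august|september|"
    r"october|november|december)[_\-.]?\d{4}$", re.IGNORECASE)
MONTH_YEAR_GUESSES = 12 * 4 * 100   # months x separators x a century of years

def classes_used(pw):
    return {name for name, pool in CLASSES.items() if any(c in pool for c in pw)}

def keyspace(pw):
    """Number of strings of len(pw) drawn from the classes pw uses."""
    pool = sum(len(CLASSES[name]) for name in classes_used(pw))
    return pool ** len(pw)

def assess(pw, guesses_per_second=2_000_000):
    """Return (how the password falls, worst-case seconds to exhaust the search)."""
    # Cheapest route first: a leaked list needs no search at all.
    if pw in LEAKED:
        return "leaked", 0.0
    if MONTH_YEAR.match(pw):
        return "pattern", MONTH_YEAR_GUESSES / guesses_per_second
    return "brute-force", keyspace(pw) / guesses_per_second

if __name__ == "__main__":
    for pw in ("hunter", "September_2016", "abcdefgh", "A45Fcc$1ee"):
        for rate in (2_000_000, 10_000_000_000):   # 1e10/s is an assumed GPU rate
            kind, secs = assess(pw, rate)
            print(f"{pw:16} {rate:>14,}/s  {kind:12} {secs / 86400:16.4f} days")
```

The printout shows why class-counting rules alone mislead: ‘September_2016’ scores as a 14-character, four-class password but falls in a fraction of a second to a month-and-year dictionary.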

So forgive my ignorance, but why are systems designed to allow thousands or hundreds of thousands of failed attempts at a password within a short timeframe?