Analysis of the worst passwords in 2018

The majority of penetration tests will invariably reveal passwords of some sort from the user base, especially where that penetration test is done on a Windows network. So, as with last year we continue our annual review of the state of passwords.

The current top 100 worst passwords from 2018, so you can perform you own analysis, can be downloaded here.

Analysis

Password length is important to the speed of cracking the password. Event in 2018, we still saw very poor password lengths being used. In our top 100 worst password lengths, the vast majority of the passwords are under 9 characters in length.

In total 54 of the passwords had one to six characters. 93 of the passwords in the list had eight or less characters. Only seven of passwords had more than eight characters. This is really bad practice.

But it gets worst. 75 of the passwords used only lowercase letters in the password.

What does this mean in cracking passwords terms?

Let us use a way to describe just how easy these passwords are to break. We went to PC World, a high street retailer in the UK and purchased a end of line ASUS gaming laptop. It cost £600 and has a pretty good spec. Most important to us, it has an Nvidia graphics card. We installed Kali Linux on it and used Hashcat to break the NetNTLMv2 hashes of all the passwords in the top100 list.

1.4 Seconds was the average time taken to break each password!

So what does this tell us?

Frankly, the awareness training being rolled out to many businesses, and the work by the NCSC to promote good password practices just isn’t working.