How Popular Password Checking Tools Are Misleading Millions

Image: bad actor trying to hack a system (credit: VOI)

In this day and age, when threat actors are constantly looking for ways to gain unauthorized access to our accounts, a strong password and 2FA matter more than ever. Yet despite the widespread use of third-party checking tools such as the one at security.org to assess password strength, a recent report from cybersecurity firm Project Black suggests these tools can be badly misleading.

To test their accuracy, researcher Eddie Zhang took the password 'Ministry2023!' and ran it through five major checking tools. The initial results looked impressive: Delinea and others labeled it strong and estimated it would take around 11 million years to crack. For an everyday user that verdict would be reassuring, but it rests on one assumption: that an attacker must brute-force every possible combination of characters of that length, one guess at a time.

Image: Delinea's result after checking the password

Threat actors study human behaviors

These tools are accurate only for that brute-force model. In practice, attackers study how humans build passwords, because we favor predictable patterns. When a website demands uppercase letters, digits and special characters, most of us capitalize the first letter of a dictionary word and append a number (often a year) and a symbol at the end, which is exactly what 'Ministry2023!' does. A cracker that generates guesses from a wordlist plus those few transformation rules never has to search the full keyspace.

Armed with this knowledge, the researchers cracked the password in just 8 seconds using a single $650 graphics card (an RTX 3070), with the hash stored in the Windows NTLM format. NTLM is a fast, unsalted hash (MD4 over the UTF-16 encoding of the password), so a consumer GPU can test an enormous number of candidate passwords per second against it.

Different types of attacks

In the password-cracking world there are two main types of attacks, online and offline. In an online attack, the threat actor submits guesses directly to a website's login form, say Instagram's. Such attacks rarely succeed because most websites rate-limit login attempts or lock the account after a number of failures, so only a handful of guesses are possible.

Offline attacks are far more dangerous. They occur once an attacker has obtained your password hash, typically from a data breach. For context, password hashing is how companies store passwords: each password is run through a one-way function that produces a fixed-length digest, and the same password always produces the same digest. The hash cannot be reversed directly, but an attacker who holds it can generate millions of candidate passwords shaped by the behavioral patterns above, hash each one, and compare, with no rate limit in the way. With a fast hash like NTLM, a predictable password falls in seconds; slow, salted algorithms such as bcrypt or Argon2 make each guess more expensive, but they do not rescue a password that sits among the first few thousand candidates.

How to stay protected?

Given these risks, users should stop relying on pattern-based passwords, however strong a checker rates them. Use a password manager such as 1Password to generate long, random, unique passwords, never reuse a password across sites, and enable Multi-Factor Authentication (MFA) wherever it is offered, so that a cracked password on its own is not enough to log in.
