
Where Are We with the Use of Passwords?

This guest blog was contributed by Christoph Nagy, SecurityBridge.

Username and password logins have been in use for decades and are both the foundation of IT security and its greatest weakness. Constant innovation, such as one-way hashing algorithms, salted hashes, multi-factor authentication and key files, has reduced the risk of compromise. For the past three to five years, password vault applications have been the recommended way to store personal and enterprise passwords.



Microsoft CEO Satya Nadella has stated that security is now the company's top priority. This follows the 2023 incident in which a group tracked as Storm-0558 obtained a Microsoft account signing key and used it to forge authentication tokens, giving it valid-looking access to Outlook and Exchange Online mailboxes (and potentially other Azure AD-backed services such as SharePoint) and affecting several U.S. federal government agencies. Separately, Midnight Blizzard, a Russian state-sponsored group, gained access to Microsoft corporate email accounts, including those of the company's security team, through a legacy test tenant account that had no multi-factor authentication and whose weak password fell to a password-spray attack. While Microsoft has some of the most highly regarded security tooling in the industry, the Storm-0558 and Midnight Blizzard incidents show how exposed even such a company can be, and how quickly a breach rooted in weak credentials turns into reputation damage.


Security measures that protect passwords need to be continuously rethought and renewed, because even a second factor is no longer a guarantee: SMS codes and push approvals can be phished or bypassed. Recent research has also shown that an 8-character password consisting only of digits can be cracked instantly when a modern GPU such as the NVIDIA A100 (the same class of hardware used to train ChatGPT) is used to compute the hashes. The method is simple: the attacker does not reverse the hash but searches for the text that produced it, generating candidate passwords either by enumerating every combination of a character set (brute force) or by running through a dictionary of popular passwords, hashing each candidate and comparing the result with the stolen hash. How long this takes depends heavily on the hash function in use; a fast, unsalted hash such as MD5 falls orders of magnitude sooner than a deliberately slow one such as bcrypt or Argon2. For reference, the same test reported the following times on an A100:


Length 8, numbers only: cracked instantly
Length 8, lowercase letters: 3 minutes
Length 8, lowercase and uppercase letters: 11 hours
Length 8, lowercase and uppercase letters, numbers and symbols: 5 days


Although many organizations still require only an 8-character password, adding a ninth character multiplies the keyspace by the size of the character set and pushes brute-force time into months or even years. This is not a final answer either, since the hardware attackers use keeps getting faster. A newer approach removes the password altogether: passwordless sign-in, i.e., no password is needed at all. There are various implementations that use a hardware token or a smartphone app to authenticate the user, the FIDO2/WebAuthn standard and passkeys being the most widely deployed.
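As an added example that is not part of the original post, the following Python script shows the brute-force and dictionary approach described above, the keyspace arithmetic behind the table (including why a ninth character helps), and why a salted, deliberately slow hash (PBKDF2 here) changes the picture. The GPU hash rate in the script is an assumed figure for illustration only, and the "leaked" hashes it cracks are constructed in the script itself.

```python
# Added example (not part of the original post): a minimal brute-force /
# dictionary cracker plus the keyspace arithmetic behind the table above.
# The A100 hash rate used in main() is an assumption for illustration only.
import hashlib
import itertools
import os
import string
import time

# Character classes matching the rows of the table above.
CHARSETS = {
    "numbers": string.digits,                                   # 10 symbols
    "lowercase": string.ascii_lowercase,                        # 26 symbols
    "upper+lower": string.ascii_letters,                        # 52 symbols
    "upper+lower+numbers+symbols": string.ascii_letters
        + string.digits + string.punctuation,                   # 94 symbols
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def worst_case_seconds(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Seconds needed to try the entire keyspace at a given hash rate (expected time is half)."""
    return keyspace(charset_size, length) / hashes_per_second


def md5_hash(password: str) -> str:
    """Fast, unsalted hash: what an attacker hopes to find in a leaked database."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Salted, deliberately slow hash; every guess costs `iterations` HMAC-SHA-256 rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def brute_force(target_hash, charset: str, max_length: int, hash_fn=md5_hash):
    """Hash every candidate up to max_length and compare with the stolen hash."""
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if hash_fn(candidate) == target_hash:
                return candidate
    return None


def dictionary_attack(target_hash, wordlist, hash_fn=md5_hash):
    """Same idea, but only popular passwords are tried, so it finishes almost instantly."""
    for word in wordlist:
        if hash_fn(word) == target_hash:
            return word
    return None


def hashes_per_second(hash_fn, samples: int = 200) -> float:
    """Measure how many guesses per second this machine can hash with hash_fn."""
    start = time.perf_counter()
    for i in range(samples):
        hash_fn(f"guess{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Assumed attacker rate for a fast hash on one A100-class GPU (illustrative, not measured).
    assumed_gpu_rate = 50e9
    for name, chars in CHARSETS.items():
        secs8 = worst_case_seconds(len(chars), 8, assumed_gpu_rate)
        secs9 = worst_case_seconds(len(chars), 9, assumed_gpu_rate)
        print(f"{name:28s} 8 chars: {secs8:14.1f} s   9 chars: {secs9:14.1f} s")

    # Constructed sample: a 4-digit PIN stored as unsalted MD5 falls instantly.
    leaked = md5_hash("7391")
    print("brute force recovered:", brute_force(leaked, CHARSETS["numbers"], 4))

    # Constructed sample: a common password falls to a tiny wordlist.
    leaked = md5_hash("password123")
    print("dictionary recovered:", dictionary_attack(leaked, ["123456", "qwerty", "password123"]))

    # Slow, salted hashing makes every guess expensive; compare per-guess cost on this CPU.
    salt = os.urandom(16)

    def slow_hash(p: str) -> bytes:
        return pbkdf2_hash(p, salt, iterations=10_000)

    print(f"md5 guesses/s:    {hashes_per_second(md5_hash):,.0f}")
    print(f"pbkdf2 guesses/s: {hashes_per_second(slow_hash, samples=20):,.0f}")
```

The ratio printed at the end is the whole argument for slow hashes: the attacker's GPU advantage is multiplied against whatever per-guess cost the defender chooses, so raising the iteration count (or switching to a memory-hard function such as Argon2) directly lengthens every row of the table, while adding a ninth character multiplies the keyspace by the charset size regardless of the hash.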


Christoph Nagy has 20 years of working experience within the SAP industry. He has applied this knowledge as a founding member and CEO of SecurityBridge, a global SAP security provider serving many of the world's leading brands and now operating in the U.S. Through his efforts, the SecurityBridge Platform for SAP has become known as a strategic security solution for automated analysis of SAP security settings and real-time detection of cyber-attacks. Prior to SecurityBridge, Nagy worked as an SAP technology consultant at Adidas and Audi.
