Expiring passwords fail to lock out hackers
Four in 10 passwords can be hacked in three seconds, according to US researchers.
For years, expiring passwords have been the bane of users' lives, and now research has been published showing the whole process was a waste of time.
The team of researchers from the University of Carolina set themselves the task of cracking passwords based on the past passwords of users at their faculty. The results showed the ease with which a username/password combination can be broken, many in less than three seconds.
The authentication was based on a fixed user name, or "only name you'll ever need" (ONYEN) system, with a password which had to be changed within a given time. Using the freely available John The Ripper dictionary attack with just under 50,000 words gave some alarming results.
After successfully acquiring at least one password for each of 7,936 accounts by brute force, the team went on to find all the remaining passwords for 54 per cent of the accounts, and at least half of them for 90 per cent.
The reason for such a high success rate was that users followed simple rules when changing a password. The common habit of adding a number to the base password and then incrementing or decrementing that value, either in steps of one or in larger jumps, makes life easy for the hacker.
Other research has shown around 50 per cent of users favoured this approach.
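The transform the article describes (a base word plus a trailing number that is stepped up or down) is easy to detect at password-change time. The following is an added defensive example, not code from the article or the research team; the rule set and the `max_jump` threshold are assumptions chosen to match the behaviour described above, and a real policy would combine this with a strength check on the new password itself.

```python
"""Reject a new password that is a trivial transform of the old one.

Added example, not from the article or the study it reports. The rules are
assumptions modelled on the transforms the article describes: keeping the
base word and appending, incrementing or decrementing a trailing number.
"""
import re

_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def split_trailing_number(pw: str):
    """Return (base, digits) if pw ends in digits, else (pw, None)."""
    m = _TRAILING_DIGITS.match(pw)
    if not m:
        return pw, None
    return m.group(1), m.group(2)


def is_trivial_transform(old: str, new: str, max_jump: int = 100) -> bool:
    """True if `new` is derived from `old` by one of the simple rules the
    study found users applying, so a change policy should reject it.

    max_jump is an assumed threshold: a trailing number that moves by more
    than this is treated as a genuine change rather than a step or jump.
    """
    # Identical, or identical apart from letter case.
    if new.lower() == old.lower():
        return True
    old_base, old_num = split_trailing_number(old)
    new_base, new_num = split_trailing_number(new)
    # Same base word: only the trailing number was added, removed or moved.
    if old_base.lower() == new_base.lower():
        if old_num is None or new_num is None:
            return True  # e.g. "tarheel" -> "tarheel1", or the reverse
        return abs(int(old_num) - int(new_num)) <= max_jump
    return False


def check_change(old: str, new: str) -> str:
    """Policy verdict for a password change request (constructed wording)."""
    if is_trivial_transform(old, new):
        return "rejected: new password is a simple transform of the old one"
    return "accepted"


if __name__ == "__main__":
    # Constructed sample change requests, not data from the study.
    for old_pw, new_pw in [("tarheel1", "tarheel2"), ("tarheel3", "Tarheel10"),
                           ("tarheel", "tarheel1"), ("tarheel1", "correct horse battery")]:
        print(f"{old_pw!r} -> {new_pw!r}: {check_change(old_pw, new_pw)}")
```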
The team used other, equally simple, methods and reached a shocking conclusion.
"Even the most expensive password cracking effort required an average of only under three seconds per password that it broke," the team said. "In combination with the success rate for this configuration, we reach a fairly alarming conclusion: On average, roughly 41 per cent of passwords can be broken from an old password in under three seconds."
The team said they believed expanding the research to incorporate slightly more complex algorithms would see the success rates jump significantly.
In conclusion to the tests, the report said: "Combined with the annoyance that expiration causes users, our evidence suggests it may be appropriate to do away with password expiration altogether, perhaps as a concession while requiring users to invest the effort to select a significantly stronger password than they would otherwise choose."
By this, they meant that a much longer passphrase using mixed alphanumeric characters and punctuation symbols would be required to make the job harder, but not impossible, for the hacker.