This article is based on a presentation given by Tom Stewart, Senior Director of Protiviti’s Attack and Penetration team, at IBA’s 2022 Analytics Conference on Cybersecurity.
In 2017, Tom Stewart, now Senior Director of Protiviti’s Attack and Penetration team, wrote an article titled “The 8 Character Password is Dead.” In it, Stewart and a colleague reported that, with under $5,000 in equipment, every possible eight-character password protected by a widely used suite of Microsoft security protocols could be guessed, or “brute forced,” in just seven minutes.
Five years later, the eight-character password is still the standard for corporate America — and it has been since Stewart began working at Protiviti, a global consulting firm, in 2007. The difference? Stewart revisited the process with a cloud-computing system in summer 2022 and found that any eight-character password in the world could be guessed for a mere $62.59.
“Over the past 15 years, there’s been the same standard for passwords, even though I was using a dial-up modem to do hacking in 2007,” Stewart said. “Technology has changed, but the standard to which we hold ourselves has not changed at all. There’s a shortcoming there.”
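The arithmetic behind Stewart’s claim is simple to reproduce for your own password policy. The following calculator is an added example written for this article; it is not code from Protiviti or from the talk, and the hash rates and GPU prices passed into it are illustrative parameters, not measured figures. It computes the size of an exhaustive search space for a fixed-length password, the hash rate an attacker needs to exhaust it in a given time, the cost of that search on rented hardware, and the minimum length that pushes the cost above a chosen threshold.

```python
"""Brute-force keyspace, time and cost calculator for fixed-length passwords.

Added example, not from the Protiviti article or presentation. All hash
rates and prices are assumed inputs chosen by the caller; none are measured
figures from the talk.
"""
import math
import string

# Character-set sizes an attacker would typically assume (constructed table).
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),                          # 26
    "lower+digits": len(string.ascii_lowercase + string.digits),   # 36
    "mixed+digits": len(string.ascii_letters + string.digits),     # 62
    "printable": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return charset_size ** length


def required_rate(charset_size: int, length: int, seconds: float) -> float:
    """Hashes per second needed to try every candidate within `seconds`.

    Exhausting the space guarantees a hit; on average the target is found
    after half the candidates, so this is a worst-case figure.
    """
    return keyspace(charset_size, length) / seconds


def seconds_to_exhaust(charset_size: int, length: int, hashes_per_second: float) -> float:
    """Wall-clock seconds to try every candidate at the given aggregate rate."""
    return keyspace(charset_size, length) / hashes_per_second


def cracking_cost(charset_size: int, length: int,
                  hashes_per_second_per_gpu: float, price_per_gpu_hour: float) -> float:
    """Cost in currency units to exhaust the keyspace on rented GPUs.

    Total GPU-seconds is what is billed, so the result does not depend on how
    many GPUs are run in parallel; parallelism only shortens wall-clock time.
    """
    gpu_seconds = keyspace(charset_size, length) / hashes_per_second_per_gpu
    return gpu_seconds / 3600.0 * price_per_gpu_hour


def min_length_for_cost(charset_size: int, hashes_per_second_per_gpu: float,
                        price_per_gpu_hour: float, target_cost: float, max_length: int = 64) -> int:
    """Smallest password length whose exhaustive search costs at least `target_cost`."""
    for length in range(1, max_length + 1):
        if cracking_cost(charset_size, length, hashes_per_second_per_gpu, price_per_gpu_hour) >= target_cost:
            return length
    raise ValueError(f"no length up to {max_length} reaches the target cost")


if __name__ == "__main__":
    # Assumed parameters for illustration only: 1e10 H/s per GPU (unsalted
    # fast hash), $1.00 per GPU-hour. Substitute your own measurements.
    rate_per_gpu, price = 1e10, 1.00
    n = CHARSET_SIZES["printable"]
    print(f"8-char printable keyspace: {keyspace(n, 8):.3e} candidates")
    print(f"rate to exhaust it in 7 minutes: {required_rate(n, 8, 7 * 60):.3e} H/s")
    for length in (8, 10, 12, 16):
        cost = cracking_cost(n, length, rate_per_gpu, price)
        print(f"length {length:2d}: ${cost:,.2f} to exhaust")
    print("min length for >= $1,000,000 search cost:",
          min_length_for_cost(n, rate_per_gpu, price, 1_000_000))
```

Two caveats when reading the output: the figures are upper bounds, because real attackers run dictionary, rule and mask attacks that find human-chosen passwords long before the space is exhausted, and the per-GPU rate depends entirely on the hash algorithm, so an unsalted fast hash and a deliberately slow, salted password hash differ by many orders of magnitude in cost for the same length.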