In a decisive move to strengthen its cybersecurity defenses, a leading European bank sought our help to assess and improve its password security. As cyber threats grow in sophistication, financial institutions managing vast amounts of sensitive data face unprecedented challenges. Recognizing this, the bank commissioned a comprehensive password-cracking exercise aimed at identifying weak passwords and refining its password policy. The exercise produced concrete evidence about current practices and set a new baseline for safeguarding sensitive information.

Context & Challenges

Our client handles extensive customer data, which makes it a prime target for cybercriminals.

Facing sophisticated cyber threats, they wanted to assess the strength of their passwords against advanced cracking methods. Password security is the first line of defense in protecting sensitive data, and any weakness here can lead to significant breaches.

To evaluate this thoroughly, the bank provided the NTLM hashes for every account in its Active Directory domain. Two properties of NTLM matter here: the hash is an unsalted MD4 digest of the UTF-16LE password, so it is among the fastest hash types to attack on GPU hardware, and two accounts with the same password produce the same hash. Extracting these hashes requires domain-administrator access to the directory database, so the exercise models an attacker who has already reached that level of access (for example through a compromised domain controller or a stolen backup). By simulating real-world cracking in a controlled environment, the bank gained a clear picture of the effective strength of its password base, expressed as an actionable metric: how many passwords could be recovered within a fixed timeframe.

The challenge was twofold: identifying immediate vulnerabilities in password security and using the assessment to refine and strengthen password policies. The ultimate aim was to ensure employees followed best practices in password creation, enhancing overall security. Understanding the patterns and commonalities in the cracked passwords would help create a more robust and secure password policy.

Our Approach

Leased High-Performance GPU Server

To carry out a thorough password-cracking exercise, we leased a multi-GPU server for one week. Because NTLM is so cheap to compute, GPU hardware can test an enormous number of candidates per second against the entire hash list, which is what makes rule-based and mask attacks over a large corporate hash set practical within a week.

Utilizing Hashcat for Optimal Results

We used Hashcat, a widely used and versatile password-cracking tool, for our analysis. Hashcat is known for its robustness and its support for a large number of hash types, including the NTLM hashes provided by our client (hash mode 1000). Its support for multiple attack modes and rule-based transformations made it ideal for this task. Our team's experience in configuring and tuning Hashcat, and in sequencing attacks from cheapest to most expensive, let us recover as many weak passwords as possible in the available time.

Methodical and Strategic Password Cracking

Our approach was methodical and strategic, incorporating multiple techniques to crack as many passwords as possible within the given timeframe. We used a combination of:

  • Common Password Lists: We began with widely used password lists, including those compiled from known data breaches, to quickly identify accounts with weak or predictable passwords.
  • Masks and Rules: We leveraged Hashcat's mask and rule features to generate password variations. Masks let us specify patterns typical of corporate password creation, such as a capitalized word followed by digits and a symbol. Rules transform existing candidates (appending years, substituting characters, capitalizing) to create additional variations to test against the NTLM hashes.
  • Brute Force Attacks: For the remaining hashes, we used brute force attacks, systematically testing all combinations within a chosen maximum length and character set. This method is time-consuming and is exhaustive only within that bound, but it reliably finds short passwords that appear in no wordlist.
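The staged approach above, expressed as a small driver script. This is an added example and not the page's or the bank's own tooling; it assumes the hash dump is in the common pwdump format (user:rid:lmhash:nthash:::) produced by NTDS extraction tools, that the breach wordlist lives at a path of your choosing, and that Hashcat's stock rules directory is available. The sample dump is constructed, with fictional users and hashes except for the well-known NTLM hash of the empty password.

```python
"""Prepare a domain NTLM dump for hashcat and stage the three attacks.

Added example (not the page's or the bank's own tooling). Assumes pwdump
format input, user:rid:lmhash:nthash:::, and hashcat's stock rules/ directory.
"""
import shutil
import subprocess
from collections import Counter

# NTLM hash of the empty string: accounts with this hash have no password set.
EMPTY_NTLM = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample dump: fictional accounts and hashes (except EMPTY_NTLM).
SAMPLE_DUMP = """\
svc_backup:1104:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1105:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1106:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
alice_adm:1107:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""


def prepare_hashes(dump_text):
    """Convert pwdump lines into hashcat --username input (user:nthash).

    Returns (lines, stats). Every account is kept so --show can attribute
    cracks to users; stats shows the real workload, because an unsalted hash
    shared by N accounts costs hashcat one guess, not N.
    """
    lines, hashes = [], []
    for raw in dump_text.splitlines():
        parts = raw.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue  # blank or malformed line
        user, nthash = parts[0], parts[3].lower()
        if len(nthash) != 32:
            continue  # not a 128-bit NT hash
        lines.append(f"{user}:{nthash}")
        hashes.append(nthash)
    counts = Counter(hashes)
    stats = {
        "accounts": len(hashes),
        "unique_hashes": len(counts),
        "empty_password": [l.split(":")[0] for l in lines if l.endswith(EMPTY_NTLM)],
        "shared_hashes": {h: n for h, n in counts.items() if n > 1 and h != EMPTY_NTLM},
    }
    return lines, stats


def stage_commands(hashfile, wordlist, potfile="ntlm.potfile"):
    """Build the three attack stages as hashcat argv lists, cheapest first.

    -m 1000 selects NTLM, --username makes hashcat ignore the user prefix,
    and the shared potfile lets each stage skip hashes already cracked.
    """
    base = ["hashcat", "-m", "1000", "--username", "-O", "-w", "3",
            "--potfile-path", potfile, hashfile]
    return [
        # Stage 1: breach wordlist with rule mangling; --loopback feeds every
        # crack back in as a candidate so variations of it are tried too.
        base + ["-a", "0", wordlist, "-r", "rules/best64.rule", "--loopback"],
        # Stage 2: a mask for the classic corporate pattern, e.g. Summer2024!
        # (one upper, five lower, four digits, one symbol).
        base + ["-a", "3", "?u?l?l?l?l?l?d?d?d?d?s"],
        # Stage 3: exhaustive search of all printable-ASCII passwords of
        # length 1..8. Exhaustive only within this bound.
        base + ["-a", "3", "--increment", "--increment-min", "1",
                "--increment-max", "8", "?a?a?a?a?a?a?a?a"],
    ]


def run_stages(commands):
    """Run the stages in order; returns False when hashcat is not installed."""
    if shutil.which("hashcat") is None:
        return False
    for argv in commands:
        subprocess.run(argv, check=False)  # exit status 1 only means "exhausted"
    return True


if __name__ == "__main__":
    hash_lines, stats = prepare_hashes(SAMPLE_DUMP)
    with open("ntlm_hashes.txt", "w") as fh:
        fh.write("\n".join(hash_lines) + "\n")
    print(stats)
    run_stages(stage_commands("ntlm_hashes.txt", "wordlists/breached.txt"))
```

The stats dictionary is worth reading before any GPU time is spent: accounts with the empty-password hash and groups of accounts sharing one hash are findings in their own right, and the unique-hash count is the number hashcat actually has to attack.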

Revealing the Vulnerabilities

Analysis of Results

Over the week, our efforts yielded significant findings. We recovered about 30% of the provided password set, revealing clear weaknesses in existing password practices. The cracked passwords showed recurring patterns: easily guessable words, simple numerical sequences, and dates.

Identification of Common Vulnerabilities

The cracked passwords highlighted several prevalent security issues:

  • Predictable Patterns: Many passwords included common words, names, or keyboard patterns that were easily guessable, making them highly susceptible to cracking.
  • Reused Passwords: Because NTLM hashes are unsalted, accounts sharing a password were visible directly as identical hashes, even where the password itself was never cracked. Several users had reused one password across multiple accounts, so compromising any one of them would have given an attacker access to all of them.
  • Simple Numeric Sequences and Dates: A significant number of passwords incorporated straightforward numerical sequences or dates, like birthdays or anniversaries, making them easy targets for attackers.
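The classification behind the findings above, as an added example rather than the page's own analysis code. It takes the output of hashcat's --show option with --username (one user:nthash:plaintext line per cracked account) and the original user:nthash list, sorts each plaintext into the weakness categories listed above, and reports password reuse from identical hashes so that accounts sharing an uncracked password are still flagged. All sample users, hashes and plaintexts are constructed.

```python
"""Classify cracked NTLM plaintexts by pattern and detect reuse via shared hashes.

Added example, not the page's own analysis code. Input formats are hashcat's
`-m 1000 --username --show` output (user:nthash:plaintext) and the original
user:nthash list that was cracked.
"""
import re
from collections import Counter, defaultdict

# Constructed --show output (fictional users, hashes and plaintexts).
SAMPLE_SHOW = """\
alice:0123456789abcdef0123456789abcdef:Summer2024!
alice_adm:0123456789abcdef0123456789abcdef:Summer2024!
bob:fedcba9876543210fedcba9876543210:Qwerty123
carol:aaaabbbbccccddddeeeeffff00001111:12345678
dave:11112222333344445555666677778888:Bank#1985
erin:99998888777766665555444433332222:15081990
"""

# Constructed full hash list, including two service accounts never cracked.
SAMPLE_HASHES = """\
alice:0123456789abcdef0123456789abcdef
alice_adm:0123456789abcdef0123456789abcdef
bob:fedcba9876543210fedcba9876543210
carol:aaaabbbbccccddddeeeeffff00001111
dave:11112222333344445555666677778888
erin:99998888777766665555444433332222
svc_sql:abcdefabcdefabcdefabcdefabcdefab
svc_web:abcdefabcdefabcdefabcdefabcdefab
"""

KEYBOARD_WALKS = ("qwerty", "qwertz", "azerty", "asdf", "zxcv", "1qaz", "!qaz")
DATE_RE = re.compile(  # ddmmyyyy or yyyymmdd, all digits
    r"^(?:(0[1-9]|[12]\d|3[01])(0[1-9]|1[0-2])(19|20)\d{2}"
    r"|(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01]))$")
WORD_YEAR_RE = re.compile(r"^[A-Za-z]+[^A-Za-z0-9]*(19|20)\d{2}[^A-Za-z0-9]*$")
WORD_DIGITS_RE = re.compile(r"^[A-Za-z]+[^A-Za-z0-9]*\d+[^A-Za-z0-9]*$")


def is_sequence(s):
    """True for digit strings that step by +1, -1 or 0 (12345678, 4321, 1111)."""
    if not s.isdigit() or len(s) < 4:
        return False
    diffs = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1}, {0})


def classify(plain):
    """Return the first matching weakness category for a plaintext, else 'other'."""
    low = plain.lower()
    if plain == "":
        return "empty"
    if is_sequence(plain):
        return "numeric_sequence"
    if DATE_RE.match(plain):
        return "date"
    if any(walk in low for walk in KEYBOARD_WALKS):
        return "keyboard_walk"
    if WORD_YEAR_RE.match(plain):
        return "word_plus_year"      # Summer2024!, Bank#1985
    if WORD_DIGITS_RE.match(plain):
        return "word_plus_digits"    # Welcome123
    return "other"


def parse_show(show_text):
    """Yield (user, nthash, plaintext); the plaintext itself may contain ':'."""
    for raw in show_text.splitlines():
        if raw.strip():
            user, nthash, plain = raw.split(":", 2)
            yield user, nthash, plain


def analyze(show_text):
    """Return ({user: category}, Counter of categories) for cracked accounts."""
    per_user = {user: classify(plain) for user, _, plain in parse_show(show_text)}
    return per_user, Counter(per_user.values())


def find_reuse(hash_text):
    """Group accounts by NT hash; return {nthash: [users]} for hashes shared by >1 account.

    Works on uncracked accounts too, since equal unsalted hashes mean equal passwords.
    """
    groups = defaultdict(list)
    for raw in hash_text.splitlines():
        if raw.strip():
            user, nthash = raw.strip().split(":")[:2]
            groups[nthash.lower()].append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    per_user, counts = analyze(SAMPLE_SHOW)
    print(counts.most_common())
    for nthash, users in find_reuse(SAMPLE_HASHES).items():
        print(f"shared password ({nthash[:8]}...): {', '.join(users)}")
```

The category counts feed the policy discussion directly (a dominant word_plus_year bucket argues for banned-word screening and rules-aware training), while the reuse report is the list of accounts to reset first, whether or not their password was ever recovered.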

Strengthening their Password Policy

Based on our findings, we provided comprehensive recommendations to strengthen the bank's password policy:

  • Implement Stricter Complexity Requirements: Require a mix of upper and lower case letters, numbers, and special characters to reduce predictability.
  • Ban Common Passwords: Screen new passwords against a banned-password list built from known breaches and from the patterns found in this exercise (company name, seasons, years, keyboard walks), and reject matches at change time.
  • Encourage Regular Updates: Password expiration periods limit how long a single leaked password remains useful to an attacker.
  • Educate Users: Provide ongoing education and training for employees on why these patterns are weak and how to create strong passwords or passphrases.
  • Set Minimum Password Length: Require at least 12 characters, which places passwords well beyond the reach of the brute-force stage used in this exercise.

Two of these items deserve a caveat that applies to any such policy. Current NIST SP 800-63B guidance favours length and breached-password screening over mandatory composition rules and routine expiry, because forced rotation tends to produce the incremented variants (Summer2023!, Summer2024!) that rule-based attacks recover trivially; expiry is most valuable when a compromise is suspected. The banned-password list and the minimum length are therefore the controls that do the most work against the patterns found here.

Key Benefits

Gain Insight into Password Vulnerabilities

Our comprehensive analysis provided invaluable insights into the security of the bank’s current password practices. Discovering that about 30% of passwords could be cracked within the specified timeframe highlighted the prevalence of weak and predictable passwords among employees. This insight triggered a reassessment of their password security strategies.

Better Password Policy

Armed with our findings, the bank developed and adopted a new, more secure password policy. The revised policy addresses the vulnerabilities identified during the password-cracking exercise, incorporating stricter complexity requirements and prohibitions against common password patterns. This step has significantly increased the bank’s defenses against password-cracking attempts.

Improved Threat Detection

The exercise highlighted common patterns and weaknesses in password creation, which the bank can now fold into its detection and prevention work: password-change screening can reject the patterns that were cracked most often, and the accounts found to share passwords or to have trivially guessable ones can be prioritised for reset and monitoring.

Increased Employee Awareness

One of the significant benefits of this exercise was the heightened awareness among employees regarding the importance of strong password practices. The analysis and subsequent policy changes were accompanied by educational initiatives, ensuring that employees understood the risks associated with weak passwords and the need for more secure password creation.

Strengthened Security Posture

Overall, the exercise has contributed to a strengthened security posture for the bank. By addressing the identified vulnerabilities and implementing a more robust password policy, the bank has significantly reduced its exposure to password-related security threats. This improvement not only enhances the protection of sensitive data but also bolsters the bank’s reputation for maintaining high-security standards.

Long-term Improvements

The benefits of the password-cracking exercise extend beyond immediate gains. The insights gained and the new policies implemented have laid the foundation for ongoing security improvements. The bank is now better equipped to continuously monitor and refine its password practices, ensuring long-term resilience against evolving cyber threats.

Ensure Compliance and Best Practices

The adoption of a more secure password policy also ensures better compliance with industry standards and regulations. By aligning their practices with recommended security guidelines, the bank can demonstrate their commitment to maintaining robust cybersecurity measures, which is crucial for regulatory compliance and building trust with clients and stakeholders.

Conclusion

Through this password-cracking exercise, our client has gained a comprehensive understanding of their password security landscape. The proactive measures taken in response to our findings not only address immediate vulnerabilities but also establish a framework for ongoing improvement. The bank’s enhanced password policy, increased employee awareness, and strengthened security posture collectively contribute to a more secure and resilient organization, ready to face the challenges of an ever-evolving digital threat landscape.

Ready to strengthen your security? Start implementing these measures today and protect your valuable data from cyber threats.
