Specops finds password complexity rules are not enough

Specops report reveals that passwords are easy to attack because people often use vulnerable passwords that are easily guessed or already compromised

New data released by Specops Software, a provider of password management and authentication solutions, shows that setting strong passwords might not be enough in an increasingly volatile cybersecurity landscape.

In the Weak Password Report, Specops analysed 800 million breached passwords, a subset of the more than 2 billion breached passwords in Specops Breached Password Protection, in order to identify current password security trends.

Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organisation’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.

Complex passwords are not enough 

According to IBM, stolen user credentials, including name, email and password, were the most common root cause of breaches in 2021, and several high-profile and disruptive attacks over the last two years, on SolarWinds, Colonial Pipeline and others, were made possible by hackers stealing a single password.

The Specops report found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more. Password complexity rules don't always help either: 68% of passwords used in real attacks included at least two character types.

The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks, given that so many have been compromised already, adding that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying the same passwords across multiple accounts is a top technique for hackers.

Sharing passwords is a threat to security 

Sharing passwords is another threat to password security, and yet two thirds of respondents admitted to doing this at work.

The report found that 65% of the respondents reported sharing passwords at work and the majority of these people say the method they use to share passwords is to “just remember them.” These shared passwords are likely to be weak or reused across multiple business systems since it is difficult for people to remember long and complex passwords.

Nearly half of the people surveyed (48%) have 11 or more passwords they have to remember for work. For personal use, the numbers were even higher with 71% of respondents reporting using 11 or more passwords. Using so many passwords in both personal and professional settings leads to poor password practices such as password reuse. 

“Passwords are still the key to protecting our most private information, from email accounts to online banking, but these findings indicate that simply following password best practices is not enough to guard accounts,” said Darren James, Head of Internal IT, Specops Software. “With some of the most high-profile cybersecurity incidents of the last two years involving passwords, it’s imperative that organisations implement password policies to block weak or breached passwords and utilise additional authentication methods to ensure the security of sensitive business data and accounts.”

