New data released by Specops Software, a provider of password management and authentication solutions, shows that setting strong passwords might not be enough in an increasingly volatile cybersecurity landscape.
In the Weak Password Report, Specops analysed 800 million breached passwords, a subset of the more than 2 billion breached passwords in Specops Breached Password Protection, in order to identify current password security trends.
Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organisation’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.
Complex passwords are not enough
According to IBM, stolen user credentials, including name, email and password, were the most common root cause of breaches in 2021. Several high-profile and disruptive attacks over the last two years, on SolarWinds, Colonial Pipeline and others, were made possible by hackers stealing a single password.
The report found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more. Password complexity rules don't always help either: 68% of passwords used in real attacks included at least two character types.
The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks, given that so many have been compromised already. It adds that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying the same passwords across multiple accounts is a top technique for hackers.
Sharing passwords is a threat to security
Sharing passwords is another threat to password security, and yet two thirds of respondents admitted to doing this at work.
The report found that 65% of the respondents reported sharing passwords at work and the majority of these people say the method they use to share passwords is to “just remember them.” These shared passwords are likely to be weak or reused across multiple business systems since it is difficult for people to remember long and complex passwords.
Nearly half of the people surveyed (48%) have 11 or more passwords they have to remember for work. For personal use, the numbers were even higher with 71% of respondents reporting using 11 or more passwords. Using so many passwords in both personal and professional settings leads to poor password practices such as password reuse.
“Passwords are still the key to protecting our most private information, from email accounts to online banking, but these findings indicate that simply following password best practices is not enough to guard accounts,” said Darren James, Head of Internal IT, Specops Software. “With some of the most high-profile cybersecurity incidents of the last two years involving passwords, it’s imperative that organisations implement password policies to block weak or breached passwords and utilise additional authentication methods to ensure the security of sensitive business data and accounts.”