Specops finds password complexity rules are not enough

Specops report reveals that passwords are easy to attack because people often use vulnerable passwords that are easily guessed or already compromised

New data released by Specops Software, a provider of password management and authentication solutions, shows that setting strong passwords might not be enough in an increasingly volatile cybersecurity landscape.

In the Weak Password Report, Specops analysed 800 million breached passwords, a subset of the more than 2 billion breached passwords in Specops Breached Password Protection, in order to identify current password security trends.

Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organisation’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.

Complex passwords are not enough

According to IBM, stolen user credentials, including name, email and password, were the most common root cause of breaches in 2021, and several high-profile and disruptive attacks over the last two years, on SolarWinds, Colonial Pipeline and others, were made possible by hackers stealing a single password.

The report found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more. Password complexity rules don't always help either: 68% of passwords used in real attacks contained at least two character types.

The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks, given that so many have already been compromised, adding that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying a stolen password across multiple accounts is a top technique for hackers.

Sharing passwords is a threat to security

Sharing passwords is another threat to password security, and yet two thirds of respondents admitted to doing this at work.

The report found that 65% of the respondents reported sharing passwords at work and the majority of these people say the method they use to share passwords is to “just remember them.” These shared passwords are likely to be weak or reused across multiple business systems since it is difficult for people to remember long and complex passwords.

Nearly half of the people surveyed (48%) have 11 or more passwords they have to remember for work. For personal use, the numbers were even higher, with 71% of respondents reporting using 11 or more passwords. Using so many passwords in both personal and professional settings leads to poor password practices such as password reuse.

“Passwords are still the key to protecting our most private information, from email accounts to online banking, but these findings indicate that simply following password best practices is not enough to guard accounts,” said Darren James, Head of Internal IT, Specops Software. “With some of the most high-profile cybersecurity incidents of the last two years involving passwords, it’s imperative that organisations implement password policies to block weak or breached passwords and utilise additional authentication methods to ensure the security of sensitive business data and accounts.”
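The report's finding that most attacker passwords already satisfy length and character-type rules, and James's recommendation to block breached passwords outright, amount to a two-stage policy check. The Python below is an added example, not Specops code: the breached-password set is a small constructed stand-in for a real corpus, and the SHA-1 prefix lookup mirrors the k-anonymity range-query pattern public breach services use, so the full password hash never leaves the checking host.

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment would query a breach service or a locally synced list instead).
_CONSTRUCTED_BREACHED = {"P@ssw0rd2021!", "Summer2023!!", "Welcome123$"}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the digest form breach range services key on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by 5-character hash prefix; the suffixes are what a
# range query returns for that prefix, so the client compares them locally.
BREACHED_INDEX: dict[str, set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = sha1_hex(_pw)
    BREACHED_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def character_classes(password: str) -> int:
    """Count the character classes present: lower, upper, digit, symbol."""
    patterns = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]
    return sum(1 for p in patterns if re.search(p, password))


def meets_complexity(password: str, min_len: int = 8, min_classes: int = 2) -> bool:
    """The kind of rule the report measured: minimum length plus a mix of types."""
    return len(password) >= min_len and character_classes(password) >= min_classes


def is_breached(password: str) -> bool:
    """Range lookup: only the 5-char prefix selects a bucket; suffix matched here."""
    h = sha1_hex(password)
    return h[5:] in BREACHED_INDEX.get(h[:5], set())


def evaluate(password: str) -> dict:
    """Complexity alone is not the verdict; a breached password is rejected regardless."""
    complexity = meets_complexity(password)
    breached = is_breached(password)
    return {"complexity": complexity, "breached": breached,
            "accept": complexity and not breached}


if __name__ == "__main__":
    for pw in ["P@ssw0rd2021!", "Correct-Horse-Battery", "abc"]:
        print(pw, evaluate(pw))
```

The first sample passes every complexity rule yet is rejected because it sits in the breached set, which is exactly the gap the report describes.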
