Organisations’ current password usage and policies leaving businesses and employees vulnerable to cyberattacks
Password-related attacks are on the rise. Stolen user credentials including name, email and password were the most common root cause of breaches in 2021 with several high-profile and disruptive attacks over the last two years. New data released today by Specops Software—the leading provider of password management and authentication solutions – shows that setting strong passwords might not be enough in an increasingly volatile cybersecurity landscape.
In its first annual Weak Password Report, Specops analysed 800 million breached passwords, a subset of the more than 2 billion breached passwords in Specops Breached Password Protection, in order to identify current password security trends. Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organisation’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.
Findings show that the issue is not as simple as users resorting to easy-to-remember logins like “password12345.” In fact, even passwords following typical guidelines on length and special characters remain vulnerable to attacks.
Key findings include:
- 93% of the passwords used in brute force attacks include 8 or more characters
- 41% of passwords used in real attacks are 12 characters or longer
- 68% of passwords used in real attacks include at least two character types
- 48% of organisations do not have user verification in place for calls to the IT service desks
- 54% of organisations do not have a tool to manage work passwords
“Passwords are still the key to protecting our most private information, from email accounts to online banking, but these findings indicate that simply following password best practices is not enough to guard accounts,” said Darren James, Head of Internal IT, Specops Software. “With some of the most high-profile cybersecurity incidents of the last two years involving passwords, it’s imperative that organisations implement password policies to block weak or breached passwords and utilize additional authentication methods to ensure the security of sensitive business data and accounts.”
Holistic password hygiene needs to be better prioritised from the leadership level to individuals working at home. It’s critical for businesses to take action by blocking weak and compromised passwords, enforcing password length requirements, implementing user verification at the service desk, and auditing the enterprise environment to highlight password-related vulnerabilities.