Weak passwords are still allowing attackers into networks

A new study from Specops Software finds that 88 percent of passwords used in successful attacks consisted of 12 characters or fewer, with the most common being just eight characters (24 percent).

The research, largely compiled through analysis of 800 million breached passwords, finds the most common base terms used in passwords are depressingly familiar: 'password', 'admin', 'welcome' and 'p@ssw0rd'.

Passwords containing only lowercase letters are the most common character combination found, making up 18.82 percent of passwords used in attacks. However, the study also reveals that 83 percent of compromised passwords did satisfy both length and complexity requirements of cybersecurity compliance standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC.

"This shows that while organizations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique," says Darren James, product manager at Specops Software. "With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data."

In a brute force attack, threat actors systematically run common, probable, and even breached passwords against a user's email address to gain access to the account. In Nvidia's data breach in 2022, where thousands of employee passwords were leaked, many employees had used passwords such as 'Nvidia', 'qwerty' and 'nvidia3d', offering an easy route for hackers into the network.
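The gap between "compliant" and "strong" can be shown in a few lines. The following is an added example, not code from Specops or the report: a password filter that applies a length-and-complexity rule and then a base-term check against common and organization-specific terms. The minimum length, the substitution table and the `ORG_TERMS` entries are assumptions chosen for illustration.

```python
import re

MIN_LENGTH = 8  # assumed policy value, not taken from the report
# Base terms named in the article, plus an assumed organization dictionary.
COMMON_BASE_TERMS = {"password", "admin", "welcome", "qwerty"}
ORG_TERMS = {"nvidia"}  # hypothetical custom dictionary: company, product, site names

# Common character substitutions, undone before dictionary matching.
# Ambiguous characters (e.g. "1") get a single mapping in this sketch.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw):
    """Length plus at least three of four character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    present = sum(bool(re.search(c, pw)) for c in classes)
    return len(pw) >= MIN_LENGTH and present >= 3


def base_term_hits(pw, dictionary):
    """Dictionary terms found in pw, literally or after undoing substitutions."""
    lowered = pw.lower()
    variants = (lowered, lowered.translate(LEET))
    return sorted(t for t in dictionary if any(t in v for v in variants))


def check_password(pw, org_terms=ORG_TERMS):
    """Accept only if the password is compliant AND has no dictionary base term."""
    hits = base_term_hits(pw, COMMON_BASE_TERMS | set(org_terms))
    compliant = meets_complexity(pw)
    return {"compliant": compliant, "base_terms": hits,
            "accepted": compliant and not hits}


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach data.
    for sample in ("P@ssw0rd2023!", "Nvidia3d!", "tq7#Lbr!vWz2"):
        print(sample, check_password(sample))
```

The first two samples pass the complexity rule yet are rejected because they are built on 'password' and 'nvidia'; only the third is accepted.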

"The 2023 edition of the Weak Password Report reiterates the ongoing challenges of securing the weakest link in the enterprise IT environment," adds James. "To stay on top of today's credential attacks, all companies should put strong password policy enforcement in place, including custom dictionaries related to the organization."

You can find out more on the Specops site.

Image credit: designer491 / Shutterstock

© 1998-2024 BetaNews, Inc. All Rights Reserved.