Analysis of breached passwords shows almost all are weak

New research from Specops has analyzed 10 million random passwords from the billion+ breached password list used by Specops Password Auditor and finds that a startling 98.5 percent are weak.

The research defines a ‘strong’ password as one that is at least 15 characters long and uses at least two different character classes (for example lowercase letters plus digits). Length alone is not enough: 15 characters drawn from a single class (all lowercase, say) give an attacker a smaller keyspace to brute-force than 15 characters that mix in digits or symbols.

Weak passwords are the low-hanging fruit that automated cracking tools pick off first. Once an attacker holds one set of valid credentials, they can move through the network, escalate privileges and exfiltrate sensitive data, all while looking like a legitimate user to the more sophisticated perimeter defenses.

Darren James, senior product manager, says, “Despite years of training, many users still choose weak, easily guessed combinations that cybercriminals can crack in seconds. To bring this risk into sharp relief, our research team analyzed 10 million real-world passwords and plotted them on a heatmap measuring strength by both length and complexity. This visual ‘strength landscape’ shows how organizations need to adjust their password policies to move end users’ Active Directory passwords away from the zone of risk into the zone of security.”

Even if the bar is lowered to an ‘okay’ password, one over 12 characters long with at least two different character classes, just 16 percent of the analyzed passwords meet it.

Only 3.3 percent of the passwords analyzed were 15 characters or longer; 57 percent were nine to 14 characters and 39.7 percent eight or fewer. On complexity, 19.6 percent used only one character class, 36.9 percent two, 21.8 percent three and 21.7 percent four.
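The strength buckets and heatmap cells described above are easy to reproduce. The following Python is an added example, not Specops’ own tooling: it implements the article’s ‘strong’ and ‘okay’ thresholds, bins passwords by the same length ranges (eight or fewer, nine to 14, 15 or more) and class count, and runs them over a constructed sample list. Two assumptions are made: the ‘okay’ boundary of “over 12 characters” is read as 13 or more, and all symbols, punctuation and non-ASCII characters count as a single fourth class. The keyspace_bits helper is a plain brute-force keyspace estimate (alphabet sizes of 26, 26, 10 and 33), not an entropy measure for human-chosen passwords, and is there only to show why 15 single-class characters are weaker than 15 mixed ones.

```python
import math
from collections import Counter

# Alphabet size assumed for each character class when estimating keyspace.
# 33 is the number of printable ASCII symbols that are not letters or digits.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "other": 33}


def classes_used(password: str) -> set:
    """Return the set of character classes present in the password."""
    used = set()
    for c in password:
        if c.islower():
            used.add("lower")
        elif c.isupper():
            used.add("upper")
        elif c.isdigit():
            used.add("digit")
        else:
            used.add("other")  # assumption: symbols and non-ASCII are one class
    return used


def char_classes(password: str) -> int:
    """Number of distinct character classes (0-4), the article's complexity axis."""
    return len(classes_used(password))


def classify(password: str) -> str:
    """Bucket a password by the article's thresholds.

    strong: at least 15 characters and at least two classes.
    okay:   at least 13 characters ("over 12", assumption) and at least two classes.
    weak:   everything else, including long single-class passwords.
    """
    n, classes = len(password), char_classes(password)
    if n >= 15 and classes >= 2:
        return "strong"
    if n >= 13 and classes >= 2:
        return "okay"
    return "weak"


def length_bin(password: str) -> str:
    """The article's length bins: eight or fewer, nine to 14, 15 or more."""
    n = len(password)
    if n <= 8:
        return "<=8"
    if n <= 14:
        return "9-14"
    return ">=15"


def heatmap(passwords) -> Counter:
    """Count passwords per (length bin, class count) cell, like the article's heatmap."""
    return Counter((length_bin(p), char_classes(p)) for p in passwords)


def summarize(passwords) -> dict:
    """Percentage of passwords falling into each strength bucket."""
    total = len(passwords)
    counts = Counter(classify(p) for p in passwords)
    return {k: round(100 * counts[k] / total, 1) for k in ("strong", "okay", "weak")}


def keyspace_bits(password: str) -> float:
    """log2 of the brute-force keyspace for this length and set of classes.

    This is a keyspace size, not the entropy of a human-chosen password.
    """
    alphabet = sum(CLASS_SIZES[c] for c in classes_used(password))
    return round(len(password) * math.log2(alphabet), 1)


# Constructed sample, not data from the Specops study.
SAMPLE = [
    "password",               # 8 chars, 1 class
    "Summer2024!",            # 11 chars, 4 classes: complex but too short
    "correcthorsebattery",    # 19 chars, 1 class: long but single class
    "correct-horse-battery",  # 21 chars, 2 classes
    "Tr0ub4dor&3",            # 11 chars, 4 classes
    "MyDogIsCalledRex7",      # 17 chars, 3 classes
    "purplemonkey13",         # 14 chars, 2 classes
    "qwerty123",              # 9 chars, 2 classes
    "AdminAdmin2025",         # 14 chars, 3 classes
    "abcdefghijklmnop",       # 16 chars, 1 class
]

if __name__ == "__main__":
    for cell, count in sorted(heatmap(SAMPLE).items()):
        print(f"length {cell[0]:>5}, {cell[1]} class(es): {count}")
    print(summarize(SAMPLE))
    print("15 lowercase:", keyspace_bits("a" * 15), "bits")
    print("15 lowercase+digits:", keyspace_bits("a" * 14 + "1"), "bits")
```

Run against a real export, the heatmap cells in the (">=15", 2+) region are the ‘zone of security’ the report describes; everything in the "<=8" row or the single-class column is the zone of risk regardless of the other axis.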

Enforcing a longer minimum length in Active Directory is the simplest way to raise password strength. Longer passwords are harder to remember, though, so the report’s authors recommend passphrases built from several words rather than random strings of digits and symbols.

You can get the full report and check the strength of your own Active Directory passwords on the Specops site.
