Specops Software has announced the release of its annual
Weak Password Report, which
analyzed over 800 million breached passwords and shows that passwords are
still the weakest link in an organization's network.
The study found 88% of passwords used in successful attacks consisted of
12 characters or fewer, with the most common length being 8 characters (24%).
The most common base terms used in passwords were 'password',
'admin', 'welcome' and 'p@ssw0rd'. Passwords containing only lowercase
letters were the most common character combination found, making up
18.82% of passwords used in attacks.
Ironically, the study revealed that 83% of compromised passwords did
satisfy both length and complexity requirements of cybersecurity
compliance standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA
and Cyber Essentials for NCSC.
"This shows that while organizations are making concerted efforts to
follow password best practices and industry standards, more needs to be
done to ensure passwords are strong and unique," said Darren James,
product manager at Specops Software. "With the sophistication of modern
password attacks, additional security measures are always required to
protect access to sensitive data."
Brute-force attacks remain a common tactic for gaining access to an
organization's network and stealing sensitive data. Rather than trying every
possible string, threat actors systematically try common, probable, and
previously breached passwords against user accounts until one succeeds.
For example, the Specops researchers also noticed the inclusion of
'homelesspa', a password term found in the 2016 MySpace data leak,
showing that old, breached password terms are still being leveraged by
attackers many years later. This is a critical reason why organizations
need strong password policy enforcement.
The research was largely compiled through analysis of 800 million
breached passwords, a subset of the 3 billion unique passwords in Specops Breached Password Protection.
Real-world example: Nvidia
In the 2022 Nvidia data breach, in which thousands of employee passwords
were leaked, many employees had used passwords such as 'Nvidia', 'qwerty'
and 'nvidia3d'. Passwords built on the organization's own name or products
are an easy route into the network for attackers, since those terms are the
first ones a targeted guessing attack will try. Despite industry warnings
against easily guessable passwords, users are still resorting to common
passwords.
"The 2023 edition of the Weak Password Report reiterates the ongoing
challenges of securing the weakest link in the enterprise IT
environment," said James. "To stay on top of today's credential attacks,
all companies should put strong password policy enforcement in place,
including custom dictionaries related to the organization."
Password Protection Best Practices
Even with end-user training, password reuse and other risky practices
are all too common. To protect corporate data, James and Specops
recommend three key enforcement measures:
- For most businesses, this starts with protecting Active Directory, the
authentication backbone of Windows domain networks.
- Default password policy settings in Active Directory do not go far
enough. Third-party password security software can strengthen Active
Directory accounts.
- Look for a solution that can block the use of compromised passwords and commonly used terms with custom dictionaries.
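The following is an added illustration, not Specops' product code or any code from the report: a small password check that shows why the report's finding (83% of compromised passwords met length and complexity rules) matters in practice. It reduces a candidate password to its base term by undoing leetspeak substitutions and stripping the digits and symbols users bolt onto a word, then compares that base against a custom dictionary of breached or common terms plus organization-specific words. The word lists, leetspeak table, thresholds and sample passwords are all constructed for illustration; the organization dictionary is an assumed example of the custom dictionary the recommendations describe.

```python
"""Added example, not Specops code: a small password-policy check that
shows why passing length and complexity rules is not enough. It reduces a
candidate password to its base term (lowercase, leetspeak undone, leading
and trailing digits/symbols stripped) and compares that against a custom
dictionary of breached or common terms plus organization-specific words.
The word lists and thresholds below are constructed for illustration."""
import re
from typing import Optional

# Constructed: a handful of base terms named in the report.
COMMON_BASE_TERMS = {"password", "admin", "welcome", "qwerty", "homelesspa"}
# Assumed: an organization's custom dictionary (company and product names).
ORG_DICTIONARY = {"nvidia", "specops"}

# Common leetspeak substitutions, undone before the dictionary lookup so
# that 'p@ssw0rd' and 'password' are treated as the same base term.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Classic rule: at least min_len characters and 3 of 4 character classes.
    This is the kind of rule most of the report's compromised passwords satisfied."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3


def base_term(pw: str) -> str:
    """Normalize to the underlying word: lowercase, undo leetspeak, then strip
    any digits/symbols the user bolted onto the front or back ('welcome2023!')."""
    s = pw.lower().translate(LEET_MAP)
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def dictionary_hit(pw: str, dictionary) -> Optional[str]:
    """Return the longest dictionary term the password is built on, or None.
    Substring matching catches 'nvidia3d' and 'adminpassword'; terms shorter
    than four letters are skipped to limit false positives on random strings."""
    base = base_term(pw)
    for term in sorted(dictionary, key=len, reverse=True):
        if len(term) >= 4 and term in base:
            return term
    return None


def evaluate(pw: str, org_dictionary=ORG_DICTIONARY) -> dict:
    """Combine both checks and explain the verdict."""
    term = dictionary_hit(pw, COMMON_BASE_TERMS | org_dictionary)
    complexity_ok = meets_complexity(pw)
    return {
        "password": pw,
        "complexity_ok": complexity_ok,
        "dictionary_term": term,
        "accepted": complexity_ok and term is None,
    }


if __name__ == "__main__":
    # Constructed sample input: passwords modelled on the report's findings.
    for candidate in ["P@ssw0rd1!", "Welcome2023!", "nvidia3d", "homelesspa",
                      "Xk7#qLm2vP9w"]:
        print(evaluate(candidate))
```

Run as written, 'P@ssw0rd1!' and 'Welcome2023!' satisfy the 3-of-4 complexity rule yet are rejected because their base terms are 'password' and 'welcome'; 'nvidia3d' is rejected on both counts. The point of the normalization step is that a dictionary check against the raw string would miss all three. A real deployment would replace the constructed word list with the full breached-password feed and the organization's own term list, and would apply the check at password-change time rather than to stored passwords.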
For more information about the research, check out the full data and analysis here.