Half of the Internet Lives Under the Password "Password1". The Other Half Has Already Been Hacked

Posted by ExcalibuR (forum member, joined Jan 17, 2025)
Eight characters break companies faster than viruses do.
In a new analysis of 10 million real compromised passwords, Specops researchers have shown how exposed corporate networks remain to the human factor. The passwords were drawn from a list of more than a billion leaked credentials. The result is alarming: only 1.5% of the passwords analyzed could be classified as "strong".

The criteria were strict: a strong password had to be at least 15 characters long and contain at least two different character types, for example letters and digits. The length was not chosen arbitrarily: every additional character multiplies the number of possible combinations by the size of the alphabet. A password of 15 lowercase letters, for example, has about 1.7 sextillion possible combinations (26^15 ≈ 1.7 × 10^21). Adding one more character multiplies that by a factor of 26, and when all valid characters (letters, digits and special characters) are in play the study puts the total at 2.25 octillion. Even powerful GPU rigs will not exhaust such a keyspace in the foreseeable future.
Despite this, users keep choosing short, simple combinations. The most common profile is 8 characters with two character types (letters and digits, say), accounting for 7.9% of all passwords. Next come 8-character passwords with only one character type, at 7.6%. Passwords of up to 8 characters make up the vast majority overall and can be cracked in a matter of hours.

Only 3.3% of all passwords exceeded 15 characters, which suggests that password policy in organizations is either unregulated or ignored. Yet even a few extra characters raise the resistance to attack dramatically: extending a 12-character password by four characters multiplies the brute-force effort by 78 million (94^4 for the 94 printable ASCII characters).

The study paid particular attention to the trend towards insufficient complexity. More than half of the passwords analyzed used at most two character types. While modern guidance (notably NIST's) emphasizes length, adding a third or fourth character type also raises strength noticeably. Length remains the main factor, however: 16 to 20 characters give better protection than a short password, however complex.

To improve security, the recommendation is to move from traditional passwords to meaningful phrases. Long but easy-to-remember passphrases such as "SunsetCoffeeMaroonReview" are far more resistant, and more convenient, than character soup like "!x9#A7b!". They reduce typing errors, help-desk calls, and fatigue from constantly changing passwords.
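The following is an added example, not code from the Specops study or from the original post. It applies the study's stated strength criterion (at least 15 characters and at least two character types) and the keyspace arithmetic from the paragraphs above to a small constructed sample, and produces the same kind of summary figures the study reports (share of strong passwords, share over 15 characters, most common length/class bucket). The class sizes (26 lower, 26 upper, 10 digits, 32 specials, 94 printable characters in total), the guess rate in the demonstration and the sample passwords are all assumptions made for the example.

```python
import string
from collections import Counter
from typing import Dict, List, Set, Tuple

# Added example; not the study's code. Assumed class sizes for keyspace
# estimates: 26 lower, 26 upper, 10 digits, 32 printable ASCII specials.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": 32}

# The study's criterion for a "strong" password.
STRONG_MIN_LENGTH = 15
STRONG_MIN_CLASSES = 2


def classes_in(password: str) -> Set[str]:
    """Names of the character classes present in the password."""
    present = set()
    for c in password:
        if c.islower():
            present.add("lower")
        elif c.isupper():
            present.add("upper")
        elif c.isdigit():
            present.add("digit")
        elif c in string.punctuation:
            present.add("special")
    return present


def alphabet_size(password: str) -> int:
    """Size of the class-aligned alphabet an attacker must search."""
    return sum(CLASS_SIZES[name] for name in classes_in(password))


def keyspace(length: int, alphabet: int) -> int:
    """Candidates an exhaustive search over `length` positions must cover."""
    return alphabet ** length


def is_strong(password: str) -> bool:
    """Study criterion: at least 15 characters and at least two classes."""
    return (len(password) >= STRONG_MIN_LENGTH
            and len(classes_in(password)) >= STRONG_MIN_CLASSES)


def crack_time_seconds(password: str, guesses_per_second: float) -> float:
    """Worst-case exhaustive-search time at an assumed guess rate."""
    return keyspace(len(password), alphabet_size(password)) / guesses_per_second


def summarize(passwords: List[str]) -> Dict[str, object]:
    """Figures comparable to those quoted from the study."""
    n = len(passwords)
    buckets = Counter((len(p), len(classes_in(p))) for p in passwords)
    bucket, count = buckets.most_common(1)[0]
    return {
        "strong_share": sum(is_strong(p) for p in passwords) / n,
        "over_15_share": sum(len(p) > 15 for p in passwords) / n,
        "most_common_bucket": bucket,  # (length, number of classes)
        "most_common_share": count / n,
    }


# Constructed sample for the demonstration, not data from the study.
SAMPLE = [
    "Password1", "password", "abc12345", "qwerty12", "hello123",
    "Summer2024!", "letmein", "!x9#A7b!",
    "SunsetCoffeeMaroonReview", "Correct-Horse-Battery-Staple",
]

if __name__ == "__main__":
    RATE = 1e11  # assumed guesses per second for a GPU rig
    print("26^15 =", keyspace(15, 26))
    print("x26 per extra lowercase char:", keyspace(16, 26) // keyspace(15, 26))
    print("12 -> 16 chars, 94-char set:", keyspace(16, 94) // keyspace(12, 94))
    for pw in ("password", "!x9#A7b!", "SunsetCoffeeMaroonReview"):
        years = crack_time_seconds(pw, RATE) / 31_557_600
        print(f"{pw!r}: strong={is_strong(pw)} worst-case {years:.3g} years")
    print(summarize(SAMPLE))
```

The "most common bucket" in the sample is (8, 2), the same profile the study found most common among real leaks; the two passphrases are the only entries that pass the strength criterion.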

The main threats from weak passwords remain the same:

Ease of cracking: short combinations fall quickly to automated attacks, especially when GPUs and botnets are used.
Reuse: one compromised password often opens access to many systems.
Non-compliance: weak passwords violate the requirements of regulations such as GDPR, HIPAA and PCI DSS, which brings fines, audits and reputational damage.
At the same time, a correct hashing implementation does not compensate for a weak password. A per-user salt defeats precomputed tables and a slow key-derivation function raises the cost of each guess, but if the stolen hash belongs to a password that appears in a common wordlist with a typical mangling, the attacker needs only a few thousand guesses, and neither the salt nor the algorithm will help.
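The following is an added example, not code from the study or from the original post. It stores a password with a random salt and an iterated hash (PBKDF2-HMAC-SHA256) and then runs a small rule-based dictionary attack against the stolen salt and digest: "Password1" is recovered after a handful of guesses, while the passphrase survives the whole candidate list. The wordlist, the suffix rules and the iteration count are assumptions; the count is kept deliberately low so the example runs in seconds, and real deployments use far higher work factors.

```python
import hashlib
import hmac
import os
from typing import Iterator, Optional, Tuple

# Added example; not the study's code. Work factor kept low for the demo.
ITERATIONS = 10_000

# Constructed attacker wordlist and mangling rules (assumptions).
WORDLIST = ["password", "welcome", "summer", "qwerty", "letmein"]
SUFFIXES = [""] + [str(d) for d in range(10)] + ["!", "123", "2024", "1!"]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt per user stops precomputed tables."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def candidates() -> Iterator[str]:
    """Rule-based guesses: each word as-is and capitalised, with common suffixes."""
    for word in WORDLIST:
        for base in (word, word.capitalize()):
            for suffix in SUFFIXES:
                yield base + suffix


def dictionary_attack(salt: bytes, digest: bytes) -> Tuple[Optional[str], int]:
    """Hash every candidate with the stolen salt; return (password or None, guesses made)."""
    guesses = 0
    for guess in candidates():
        guesses += 1
        trial = hashlib.pbkdf2_hmac("sha256", guess.encode("utf-8"), salt, ITERATIONS)
        if hmac.compare_digest(trial, digest):
            return guess, guesses
    return None, guesses


if __name__ == "__main__":
    for pw in ("Password1", "SunsetCoffeeMaroonReview"):
        salt, digest = hash_password(pw)          # what the attacker steals
        found, n = dictionary_attack(salt, digest)
        print(f"{pw!r}: recovered={found!r} after {n} guesses")
```

The salt forces the attacker to recompute every candidate per user rather than reuse a table, and the iteration count makes each candidate cost ten thousand hash operations; neither changes the fact that "Password1" is the 18th guess in this list. The only defence that works here is a password that is not in the list at all.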

The study's findings reduce to a simple truth: weak passwords are still everywhere. Only a comprehensive policy covering length, complexity, uniqueness and timely updates can protect corporate infrastructure from basic attacks. And, as the statistics show, most companies still have plenty of work to do.
 
Top Bottom