Understanding password behavior key to developing stronger cybersecurity protocols
Passwords are still the weakest link in an organization’s network, as proven by the analysis of over 800 million breached passwords, according to Specops Software.
The study found 88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being 8 characters (24%).
The most common base terms used in passwords were: ‘password’, ‘admin’, ‘welcome’ and ‘p@ssw0rd’.
Passwords containing only lowercase letters were the most common character combination found, making up 18.82% of passwords used in attacks.
The sophistication of modern password attacks
Ironically, the study revealed that 83% of compromised passwords did satisfy both length and complexity requirements of cybersecurity compliance standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC.
“This shows that while organizations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique,” said Darren James, product manager at Specops Software.
“With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data,” James continued.
Furthermore, brute force attacks are a common tactic used by cybercriminals to gain access into an organization’s network to steal sensitive data. Threat actors will use common, probable, and even breached passwords to systematically run them against a user’s email to gain access to a given account.
For example, the Specops researchers also noticed the inclusion of ‘homelesspa’ – a password term found in 2016 MySpace data leak, proving that ‘old’, breached password terms are still being leveraged by hackers many years later.
This is a critical reason why organizations need strong password policy enforcement.
Strong password policy enforcement
In Nvidia’s data breach in 2022, where thousands of employee passwords were leaked, many employees had used passwords such as ‘Nvidia’, ‘qwerty’ and ‘nvidia3d’.
Having passwords related to the organization is an easy route for hackers into the network. Despite industry warnings against easily guessable passwords, users still resort to common passwords.
“The 2023 edition of the Weak Password Report reiterates the ongoing challenges of securing the weakest link in the enterprise IT environment,” said James. “To stay on top of today’s credential attacks, all companies should put strong password policy enforcement in place, including custom dictionaries related to the organization.”
Even with end-user training, password reuse and other risky practices are all too common.