Organizations need to change their current password usage and policies, and do it fast

Password-related attacks are on the rise. Stolen user credentials including name, email and password were the most common root cause of breaches in 2021 with several high-profile and disruptive attacks made possible by hackers stealing a single password.

Data released by Specops Software shows that setting strong passwords might not be enough in an increasingly volatile cybersecurity landscape.

Specops analyzed 800 million breached passwords in order to identify current password security trends. Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organization’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.

Findings show that the issue is not as simple as users resorting to easy-to-remember logins like “password12345.” In fact, even passwords following typical guidelines on length and special characters remain vulnerable to attacks.

What is fueling password-related attacks

• 93% of the passwords used in brute force attacks include 8 or more characters
• 41% of passwords used in real attacks are 12 characters or longer
• 68% of passwords used in real attacks include at least two character types
• 48% of organizations do not have user verification in place for calls to the IT service desks
• 54% of organizations do not have a tool to manage work passwords

“Passwords are still the key to protecting our most private information, from email accounts to online banking, but these findings indicate that simply following password best practices is not enough to guard accounts,” said Darren James, Head of Internal IT, Specops Software.

“With some of the most high-profile cybersecurity incidents of the last two years involving passwords, it’s imperative that organizations implement password policies to block weak or breached passwords and utilize additional authentication methods to ensure the security of sensitive business data and accounts.”

Holistic password hygiene needs to be better prioritized from the leadership level to individuals working at home. It’s critical for businesses to take action by blocking weak and compromised passwords, enforcing password length requirements, implementing user verification at the service desk, and auditing the enterprise environment to highlight password-related vulnerabilities.