Content, Breach, Content

Poor Passwords Still Weakest Link Hackers Seek, Report Reveals

single sign on (SSO) to login other webpage with one username and password vector

Want to avoid getting hacked? Make your passwords longer than eight characters, don’t use anything that approximates common terms such as "password," "admin," "welcome" or "p@ssw0rd," and stay away from passwords with only lowercase letters.

Passwords: The Weakest Link

Many, if not most, users know these guidelines. So why are passwords still the weakest link in an organization’s network?

Answer #1: "Knowing" and "doing" are not the same thing.

Answer #2: Stronger password management and authentication are needed.

Without strong passwords across your entire organization, you’re asking for big trouble, said Specops Software, in its newly released, annual Weak Password Report that analyzed over 800 million breached passwords. The study found 88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being eight characters (24%).

Ironically, more than eight in 10 compromised passwords (83%) did satisfy both length and complexity requirements of cybersecurity compliance standards, such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC (National Cyber Security Centre). What does that mean? It indicates security compliance with passwords isn't enough.

“This shows that while organizations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique,” said Darren James, product manager at Specops. “With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data.”

A Cautionary Tale

Brute force attacks, where attackers try to guess a target’s sign-on credentials and through trial and error, ultimately may hit on the right combination to gain access to the account, Specops said, Thus, hackers may resort to using common, probable and even breached passwords to systematically run them against a user’s email to break into a given account.

In a cautionary tale, Specops pointed to a real-world example in a hack of Nvidia in 2022 when thousands of employee passwords were leaked. As it turned out, many employees had used passwords such as "Nvidia," "qwerty" and "nvidia3d."

Again, using passwords that directly relate to an organization paves the way for a data breach. No matter the voluminous warnings of security experts on solid passwords, users nonetheless resort to using common passwords. Even with end-user training, password reuse and other risky practices are all too common, Specops said.

To protect corporate data, Specops recommends three key enforcement measures:

  • For most businesses, this starts with protecting Active Directory, the universal authentication solution for Windows domain networks.
  • Default password policy settings in Active Directory do not go far enough. Third-party password security software can strengthen Active Directory accounts.
  • Look for a solution that can block the use of compromised passwords and commonly used terms with custom dictionaries.
D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.