Want to avoid getting hacked? Make your passwords longer than eight characters, don’t use anything that approximates common terms such as "password," "admin," "welcome" or "p@ssw0rd," and stay away from passwords with only lowercase letters.
Passwords: The Weakest Link
Many, if not most, users know these guidelines. So why are passwords still the weakest link in an organization’s network?
Answer #1: "Knowing" and "doing" are not the same thing.
Answer #2: Stronger password management and authentication are needed.
Without strong passwords across your entire organization, you’re asking for big trouble, said Specops Software, in its newly released, annual Weak Password Report that analyzed over 800 million breached passwords. The study found 88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being eight characters (24%).
Ironically, more than eight in 10 compromised passwords (83%) did satisfy both length and complexity requirements of cybersecurity compliance standards, such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC (National Cyber Security Centre). What does that mean? It indicates security compliance with passwords isn't enough.
“This shows that while organizations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique,” said Darren James, product manager at Specops. “With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data.”
A Cautionary Tale
Brute force attacks, where attackers try to guess a target’s sign-on credentials and through trial and error, ultimately may hit on the right combination to gain access to the account, Specops said, Thus, hackers may resort to using common, probable and even breached passwords to systematically run them against a user’s email to break into a given account.
In a cautionary tale, Specops pointed to a real-world example in a hack of Nvidia in 2022 when thousands of employee passwords were leaked. As it turned out, many employees had used passwords such as "Nvidia," "qwerty" and "nvidia3d."
Again, using passwords that directly relate to an organization paves the way for a data breach. No matter the voluminous warnings of security experts on solid passwords, users nonetheless resort to using common passwords. Even with end-user training, password reuse and other risky practices are all too common, Specops said.
To protect corporate data, Specops recommends three key enforcement measures:
- For most businesses, this starts with protecting Active Directory, the universal authentication solution for Windows domain networks.
- Default password policy settings in Active Directory do not go far enough. Third-party password security software can strengthen Active Directory accounts.
- Look for a solution that can block the use of compromised passwords and commonly used terms with custom dictionaries.