Despite an increased focus on identity, multifactor authentication and password security, passwords continue to be vulnerable to attack, according to a new report from password security provider Specops Software.
According to the study, The 2022 Weak Password Report, 93% of password attacks use passwords with at least eight characters, suggesting that attackers are aware of password length requirements from bodies such as the National Institute of Standards and Technology (NIST).
The report also suggests that other password complexity requirements, such as requiring a second character type, aren’t doing much to secure passwords, as 68% of passwords used in real attacks also contain two character types.
Specops also analyzed attack passwords more than 12 characters long, since many organizations require passwords of that length. However, attackers are again aware of this, with 41% of passwords used in real attacks being at least 12 characters.
The firm analyzed passwords used in brute force attacks and found that both complex and simple passwords were commonly used.
In attacks using passwords with at least 12 characters, these were the 10 most common passwords:
- ^_^$$wanniMaBL::1433vl
- almalinux8svm
- dbname=template0
- shabixeuge!@#
- @$$W0rd0123
- p@aaw0rd5tgb
- adminbigdata
- Pa$$w0rdp!@#
- adm1nistrator1
- administrator!@#$
The passwords are long and are considered complex, with a combination of letters, numbers and symbols, but that still isn’t enough to protect against password attacks, according to Specops.
The company also analyzed password attacks against the SMB protocol and found the top 10 most common passwords in those attacks:
- 123
- aa123456
- password
- 1qaz2wsx
- 12345678
- a123456
- password1
- abc123
- 11111111
- welcome
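To make the point of the two lists concrete, here is an added example (not code from Specops or the article): a small Python filter that applies a typical 12-character, two-class complexity policy and, separately, screens candidates against the report's own attack lists plus a normalized base-word deny list. The deny list, the base-word set and the substitution table are constructed for illustration.

```python
import re

# Constructed deny list: the two attack-password lists quoted in the article,
# loaded the way an organization would load a banned-password feed.
ATTACK_PASSWORDS = {
    "^_^$$wanniMaBL::1433vl", "almalinux8svm", "dbname=template0",
    "shabixeuge!@#", "@$$W0rd0123", "p@aaw0rd5tgb", "adminbigdata",
    "Pa$$w0rdp!@#", "adm1nistrator1", "administrator!@#$",
    "123", "aa123456", "password", "1qaz2wsx", "12345678",
    "a123456", "password1", "abc123", "11111111", "welcome",
}
# Assumed seed list of base words that attackers commonly mutate.
BANNED_BASE_WORDS = {"password", "admin", "welcome", "qwerty"}
# Assumed substitution table for undoing common leet/symbol swaps.
_SUBS = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                       "3": "e", "4": "a", "5": "s", "7": "t"})

def char_classes(pw: str) -> int:
    """Count the character classes present (lower, upper, digit, symbol)."""
    patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))

def passes_complexity(pw: str, min_len: int = 12, min_classes: int = 2) -> bool:
    """A typical length-plus-two-classes policy, like the ones the report describes."""
    return len(pw) >= min_len and char_classes(pw) >= min_classes

def normalize(pw: str) -> str:
    """Lower-case, undo leet substitutions and keep only letters, so that
    'Pa$$w0rd!' and 'password' collapse to the same base string."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(_SUBS))

def is_banned(pw: str) -> bool:
    """Reject an exact attack-list hit, or a mutation of a banned base word."""
    if pw in ATTACK_PASSWORDS:
        return True
    norm = normalize(pw)
    return any(word in norm for word in BANNED_BASE_WORDS)

def evaluate(pw: str) -> dict:
    """Verdict pair: does complexity alone accept it, and does the deny list catch it?"""
    return {"complexity_ok": passes_complexity(pw), "banned": is_banned(pw)}

if __name__ == "__main__":
    for pw in sorted(ATTACK_PASSWORDS, key=len, reverse=True):
        v = evaluate(pw)
        print(f"{pw:24} complexity_ok={v['complexity_ok']!s:5} banned={v['banned']}")
```

Nearly all of the long attack passwords satisfy the complexity policy yet are rejected by the deny-list check, which is the kind of compromised-password screening NIST SP 800-63B recommends in place of composition rules.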
The survey also identified significant security gaps in enterprise password security, finding that 54% of users rely on insecure methods of password management, including physical paper, using the same or variations of the same password and storing passwords in a computer file.
Further, 65% said they share passwords at work, and nearly half have 11 or more passwords they have to remember for work.
However, it’s not just end users at fault for these poor security practices, as the report identified shortcomings in the IT department, including the fact that 48% of organizations don’t have a user verification policy in place for incoming calls.
In addition, 28% of companies that do have a user verification policy are not satisfied with the current policy, with most relying on knowledge-based questions using static Active Directory information such as an employee ID, a manager’s name, or other personal information.