Password Security

In today's digital age, password security is of paramount importance. With the increasing number of online accounts and the rise in cybercrime, it is essential to protect our personal information and prevent unauthorized access.

When it comes to online security, one of the fundamental aspects that users and organizations focus on is password length. It's a commonly held belief that longer passwords equate to better security. But is this really the case? In this article, we'll delve into the intricacies of password security, exploring the impact of password length and how it can still leave you vulnerable to cyber threats.

Why is password security important?

Password security is crucial for several reasons:

  • Data Protection: A strong password helps safeguard sensitive data such as financial information, personal emails, and social media accounts from being compromised.
  • Identity Theft Prevention: Weak or easily guessable passwords can lead to identity theft, where malicious individuals gain unauthorized access to your accounts and impersonate you.
  • Account Security: With a strong password, the chances of someone hacking into your accounts are significantly reduced. This helps protect your online presence and maintain control over your digital assets.

Tips for creating a secure password

Follow these best practices to enhance your password security:

  • Length and Complexity: Use passwords that are at least 12 characters long and include a combination of uppercase and lowercase letters, numbers, and special characters.
  • Avoid Common Passwords: Do not use easily guessable passwords such as "password" or "123456." Hackers can easily crack these common passwords.
  • Unique Passwords: Use a unique password for each of your online accounts. Avoid reusing passwords, as one compromised account can put all your other accounts at risk.
  • Two-Factor Authentication (2FA): Enable two-factor authentication whenever possible. This adds an extra layer of security by requiring a second form of verification, such as a fingerprint or a code sent to your phone.
  • Password Manager: Consider using a password manager tool to securely store and manage your passwords. These tools generate strong passwords and remember them for you, reducing the need to remember multiple complex passwords.

Long Passwords Can Still Be Cracked

Recent research by Specops Software has shed light on the startling fact that even long passwords are not impervious to cyberattacks. Passwords with 15 characters, often considered secure, have been found among the top ten most commonly compromised password lengths. Surprisingly, the most compromised length was eight characters, accounting for a staggering 212.5 million passwords.

Does Increasing Password Length Improve Security?

At first glance, it might seem that using longer passwords is the key to protecting your online accounts. According to Darren James, Senior Product Manager at Specops Software, "longer passwords are better." Longer passwords are indeed harder to crack through brute-force attacks: they can take up to 37 million years to crack, compared to just five minutes for an eight-character password.

The Importance of Longer Passwords

However, it's crucial to understand that while longer passwords provide a layer of security, they are not foolproof. Attackers can find workarounds, and user behavior can undermine even a strong password policy. Furthermore, longer passwords won't shield you from other risks, such as phishing attacks or password reuse.

Password Length vs. Compromise Risk

Specops Software's research reveals that the majority of compromised passwords are under 12 characters in length, with 85% falling into this category. As password length increases, the total number of compromised passwords decreases. But this doesn't mean you can let your guard down.

Most Common Compromised Password Lengths

To gain a deeper understanding, let's look at the most common compromised password lengths in descending order:

  1. 8 characters
  2. 10 characters
  3. 9 characters
  4. 11 characters
  5. 12 characters
  6. 13 characters
  7. 14 characters
  8. 15 characters

It's worth noting that 8-character passwords are prevalent, possibly because they are the default length for Active Directory passwords.

Compromised Password Length Statistics

Out of these lengths, 121.5 million compromised passwords were found to be long (12 characters or more). Even passwords exceeding 16 characters in length had 31.1 million compromised instances. This data underscores that longer passwords alone do not guarantee protection against cyber threats.

Common Compromised Passwords

Let's take a closer look at the most common compromised passwords for each length category between 8 and 15 characters. Not surprisingly, "password" tops the list for 8-character passwords.

  • 8 characters: "password"
  • 10 characters: [Password data]
  • 15 characters: "Sym_newhireOEIE" and "Sym_newhireOAIE"

Password Patterns and Predictability

Interestingly, the phrase "new hire" appears in the second and third most commonly compromised 15-character passwords. This highlights the need for organizations to avoid predictable and repeatable password patterns, especially during onboarding processes.

Risks of Password Reuse

One of the significant vulnerabilities in password security is password reuse. It's common for individuals to use the same or slight variations of passwords across multiple sites and applications. This practice poses a substantial risk, especially if a hacker gains access to a database of passwords from a less secure website or software-as-a-service (SaaS) application.

The Challenge of Managing Multiple Passwords

As the average knowledge worker must remember passwords for more than 25 sites or apps, password management becomes increasingly complex. Surprisingly, over 60% of knowledge workers use the same or similar passwords across various platforms. This exposes organizations to the danger of password reuse.

Mitigating Password Reuse and Compromised Credentials

To mitigate the risks associated with password reuse and compromised credentials, organizations need a multi-pronged approach. While longer passwords are essential, they are only part of the solution.
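The layered check this implies, as an added example that is not part of the original article and is not Specops' code: a candidate password is tested for length and complexity, then against a breached list, then against banned base words after normalization. The breached set and the banned-word list are constructed for illustration, and all function names are hypothetical.

```python
import hashlib
import re

MIN_LENGTH = 12  # minimum length from the tips in this article

def digest(pw):
    # Hash used only as a lookup key so the checker never stores plaintext lists.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

# Constructed stand-in for a breached-password corpus (real ones hold billions).
BREACHED = {digest(p) for p in ("password", "Sym_newhireOEIE", "Sym_newhireOAIE")}

# Hypothetical base words an organization bans, e.g. onboarding templates.
BANNED_BASE_WORDS = ("newhire", "welcome", "password")

# Undo common character substitutions before pattern matching.
LEET = str.maketrans("@$0134!57", "asoieaist")

def normalize(pw):
    """Lowercase, reverse substitutions, then drop everything that is not a letter."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))

def complexity_ok(pw):
    """True when upper, lower, digit and special characters are all present."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return all(re.search(c, pw) for c in classes)

def audit(pw):
    """Return every reason the candidate is rejected; an empty list means accepted."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append("too short")
    if not complexity_ok(pw):
        findings.append("missing character class")
    if digest(pw) in BREACHED:
        findings.append("known breached")
    norm = normalize(pw)
    findings += [f"banned pattern: {w}" for w in BANNED_BASE_WORDS if w in norm]
    return findings

if __name__ == "__main__":
    for candidate in ("password", "Sym_newhireOEIE", "N3wHire_2024_Sym!",
                      "cobalt-Heron7-lantern"):
        print(f"{candidate!r}: {audit(candidate) or 'accepted'}")
```

The third candidate is 17 characters long, uses all four character classes and is absent from the breached set, yet it is still rejected because it is a variation on the onboarding pattern.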

Tools for Password Security Auditing

To assess your organization's password-related vulnerabilities, you can utilize tools like Specops Password Auditor. This free tool offers a quick health check of your Active Directory, scanning it against a list of over 950 million compromised passwords. It provides a read-only scan and a report on weak or compromised passwords within your system.

Daily Scans for Compromised Passwords

Continuous monitoring is key to ensuring robust security. Specops Password Policy and Breached Password Protection offer daily scans of your Active Directory passwords against a list of over 4 billion unique compromised passwords. This continuous scanning is far more proactive than solutions that only check during password resets or expirations.

Enhancing Password Security with Breached Password Protection

The Breached Password Protection service is a robust defense against cyber threats. It safeguards against the use of over 4 billion known compromised passwords, including data from known leaks and honeypot systems. The service is updated daily with newly discovered passwords.

Comprehensive Defense Against Password Attacks

Daily updates, coupled with continuous scans for compromised passwords, provide comprehensive protection against password attacks and the risk of password reuse. Compromised passwords are blocked in Active Directory, and users are promptly notified via customizable SMS or email alerts.