Despite an increased focus on identity, multifactor authentication and password security, passwords continue to be vulnerable to attack, according to a new report from password security provider Specops Software.
According to the study, The 2022 Weak Password Report, 93% of password attacks use passwords with at least eight characters, suggesting that attackers are aware of password length requirements from bodies such as the National Institute of Standards and Technology (NIST).
The report also suggests that other password complexity requirements, such as another character type, aren’t doing much to secure passwords, as 68% of passwords used in real attacks also contain two character types.
Specops also analyzed attacks using passwords more than 12 characters long, as many organizations require passwords of that length. However, attackers are again aware of this, with 41% of passwords used in real attacks being at least 12 characters.
The firm analyzed passwords used in brute force attacks and found that both complex and simple passwords were commonly used.
In attacks using passwords with at least 12 characters, these were the 10 most common passwords:
The passwords are long and are considered complex, with a combination of letters, numbers and symbols, but that still isn’t enough to protect from password attacks, according to Specops.
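As an added illustration that is not from the report or from Specops, the following Python checks a candidate password against the composition rules the report describes (at least eight characters with two character types, and at least 12 characters) and then against a list of passwords already seen in attacks, showing why a long, "complex" password can pass the rules and still be rejected. The attack-seen list and the sample passwords are constructed for this example.

```python
import re

# Constructed stand-in for a feed of passwords observed in real attacks.
# These strings are made up for this example; they are not from the Specops report.
ATTACK_SEEN = {
    "Welcome2Company!2022",
    "Summer-Holiday-2021",
    "P@ssw0rd12345678",
}

# The four character classes a typical composition policy counts.
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def character_types(pw: str) -> int:
    """Count how many of the four character classes appear in the password."""
    return sum(1 for pattern in CLASSES if re.search(pattern, pw))


def composition_ok(pw: str, min_len: int = 8, min_types: int = 2) -> bool:
    """Classic composition rule: a minimum length plus a minimum number of character types."""
    return len(pw) >= min_len and character_types(pw) >= min_types


def evaluate(pw: str, blocklist=ATTACK_SEEN) -> dict:
    """Return each control's verdict separately so the gap between them is visible."""
    return {
        "len8_types2": composition_ok(pw, 8, 2),      # the 8-character / two-type rule
        "len12_types2": composition_ok(pw, 12, 2),    # the 12-character rule
        "not_in_attack_list": pw not in blocklist,    # screening against attack-seen passwords
    }


def accept(pw: str, blocklist=ATTACK_SEEN) -> bool:
    """Accept only when the composition rules pass AND the password is not a known attack password."""
    return all(evaluate(pw, blocklist).values())


if __name__ == "__main__":
    for candidate in ("Welcome2Company!2022", "hunter2", "correct-horse-battery-staple-7Q"):
        print(candidate, evaluate(candidate), "ACCEPT" if accept(candidate) else "REJECT")
```

Screening against a real compromised-password feed is what the composition rules alone cannot do; a production check would also normalise case and common substitutions before the lookup.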
The company also analyzed password attacks against the SMB protocol, and found the top 10 most common passwords in those attacks:
The survey also identified significant security gaps in enterprise password security, finding that 54% of users rely on insecure methods of password management, including physical paper, using the same or variations of the same password and storing passwords in a computer file.
Further, 65% said they share passwords at work, and nearly half have 11 or more passwords they have to remember for work.
However, it’s not just end users at fault for these poor security practices, as the report identified shortcomings in the IT department, including the fact that 48% of organizations don’t have a user verification policy in place for incoming calls.
In addition, 28% of companies that do have a user verification policy are not satisfied with the current policy, with most relying on knowledge-based questions using static Active Directory information such as an employee ID, a manager’s name, or other personal information.