Password complexity rules aren't enough to protect employees from attack

A list of poorly-constructed passwords on a notepad
(Image credit: Shutterstock)

Password length and complexity rules are not enough to prevent brute force attacks, a new report released today has warned.

The report, from password auditing company Specops Software, analyzed more than 800 million breached passwords. It found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more.

The top 12 password-cracking techniques used by hackers More than 90% of IT decision makers reuse passwords

Password complexity rules don't always help either; 68% of passwords used in real attacks used at least two character types, found the report.

The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks given that so many have been compromised already, adding that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying them across multiple accounts is a top technique for hackers.

Sharing passwords is another threat to password security, and yet two thirds of respondents admitted to doing this at work. Most of these sharers said that they 'just remembered' their passwords, suggesting that they use weaker passwords.

One way that people create memorable passwords while complying with complexity rules is to use root words based on their common interests, warned the report. It found seasons, months, movies, and sports teams among the most common components of complex passwords.


Edge to cloud security: A new WAN and security edge

A practical guide to adopting a secure access service edge (SASE) architecture


Stronger password management is one answer to the problem, but the report found respondents lacking. Of the 2,000 office workers that the company surveyed, 54% were using insecure password management methods. A little under a quarter still wrote their passwords down on paper, which is more than those using password managers.

Another problem facing respondents was insecure password reset mechanisms. When users need to reset their passwords, they'll often call into a help desk. This should require some verification to stop intruders hijacking passwords with fraudulent resets, but 48% of its respondents did not have a user verification policy in place for incoming calls. Of those that did, 28% of respondents identified security and usability issues with the process. This included using static ID information easily sourced from other means.

Companies have adopted alternatives to password-only security mechanisms over the last few years, including two-factor authentication and passwordless security.

Danny Bradbury

Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing. 

Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.