Password complexity rules aren't enough to protect employees from attack
Report says companies need better password management to protect themselves
Password length and complexity rules are not enough to prevent brute force attacks, a new report released today has warned.
The report, from password auditing company Specops Software, analyzed more than 800 million breached passwords. It found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more.
Password complexity rules don't always help either; 68% of passwords used in real attacks used at least two character types, found the report.
The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks given that so many have been compromised already, adding that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying them across multiple accounts is a top technique for hackers.
Sharing passwords is another threat to password security, and yet two thirds of respondents admitted to doing this at work. Most of these sharers said that they 'just remembered' their passwords, suggesting that they use weaker passwords.
One way that people create memorable passwords while complying with complexity rules is to use root words based on their common interests, warned the report. It found seasons, months, movies, and sports teams among the most common components of complex passwords.
Edge to cloud security: A new WAN and security edge
A practical guide to adopting a secure access service edge (SASE) architecture
Free DownloadStronger password management is one answer to the problem, but the report found respondents lacking. Of the 2,000 office workers that the company surveyed, 54% were using insecure password management methods. A little under a quarter still wrote their passwords down on paper, which is more than those using password managers.
Another problem facing respondents was insecure password reset mechanisms. When users need to reset their passwords, they'll often call into a help desk. This should require some verification to stop intruders hijacking passwords with fraudulent resets, but 48% of its respondents did not have a user verification policy in place for incoming calls. Of those that did, 28% of respondents identified security and usability issues with the process. This included using static ID information easily sourced from other means.
Companies have adopted alternatives to password-only security mechanisms over the last few years, including two-factor authentication and passwordless security.
IT best practices for accelerating the journey to carbon neutrality
Considerations and pragmatic solutions for IT executives driving sustainable IT
Free DownloadThe Total Economic Impact™ of IBM Spectrum Virtualize
Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize
Free downloadUsing application migration and modernisation to supercharge business agility and resiliency
Modernisation can propel your digital transformation to the next generation
Free Download
