IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Password complexity rules aren't enough to protect employees from attack

Report says companies need better password management to protect themselves

Password length and complexity rules are not enough to prevent brute force attacks, a new report released today has warned.

The report, from password auditing company Specops Software, analyzed more than 800 million breached passwords. It found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more.

Password complexity rules don't always help either; 68% of passwords used in real attacks used at least two character types, found the report.

The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks given that so many have been compromised already, adding that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying them across multiple accounts is a top technique for hackers.

Sharing passwords is another threat to password security, and yet two thirds of respondents admitted to doing this at work. Most of these sharers said that they 'just remembered' their passwords, suggesting that they use weaker passwords.

One way that people create memorable passwords while complying with complexity rules is to use root words based on their common interests, warned the report. It found seasons, months, movies, and sports teams among the most common components of complex passwords.

Related Resource

Edge to cloud security: A new WAN and security edge

A practical guide to adopting a secure access service edge (SASE) architecture

Orange whitepaper cover with image of someone at a laptop on a video conference call with other people smiling backFree Download

Stronger password management is one answer to the problem, but the report found respondents lacking. Of the 2,000 office workers that the company surveyed, 54% were using insecure password management methods. A little under a quarter still wrote their passwords down on paper, which is more than those using password managers.

Another problem facing respondents was insecure password reset mechanisms. When users need to reset their passwords, they'll often call into a help desk. This should require some verification to stop intruders hijacking passwords with fraudulent resets, but 48% of its respondents did not have a user verification policy in place for incoming calls. Of those that did, 28% of respondents identified security and usability issues with the process. This included using static ID information easily sourced from other means.

Companies have adopted alternatives to password-only security mechanisms over the last few years, including two-factor authentication and passwordless security.

Featured Resources

Accelerating AI modernisation with data infrastructure

Generate business value from your AI initiatives

Free Download

Recommendations for managing AI risks

Integrate your external AI tool findings into your broader security programs

Free Download

Modernise your legacy databases in the cloud

An introduction to cloud databases

Free Download

Powering through to innovation

IT agility drive digital transformation

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks
Security

LockBit 2.0 ransomware disguised as PDFs distributed in email attacks

27 Jun 2022
Open source giant Red Hat joins HPE GreenLake ecosystem
automation

Open source giant Red Hat joins HPE GreenLake ecosystem

28 Jun 2022
Carnival hit with $5 million fine over cyber security violations
cyber security

Carnival hit with $5 million fine over cyber security violations

27 Jun 2022