IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Password complexity rules aren't enough to protect employees from attack

Report says companies need better password management to protect themselves

Password length and complexity rules are not enough to prevent brute force attacks, a new report released today has warned.

The report, from password auditing company Specops Software, analyzed more than 800 million breached passwords. It found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more.

Password complexity rules don't always help either; 68% of passwords used in real attacks used at least two character types, found the report.

The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks given that so many have been compromised already, adding that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying them across multiple accounts is a top technique for hackers.

Sharing passwords is another threat to password security, and yet two thirds of respondents admitted to doing this at work. Most of these sharers said that they 'just remembered' their passwords, suggesting that they use weaker passwords.

One way that people create memorable passwords while complying with complexity rules is to use root words based on their common interests, warned the report. It found seasons, months, movies, and sports teams among the most common components of complex passwords.

Related Resource

Edge to cloud security: A new WAN and security edge

A practical guide to adopting a secure access service edge (SASE) architecture

Orange whitepaper cover with image of someone at a laptop on a video conference call with other people smiling backFree Download

Stronger password management is one answer to the problem, but the report found respondents lacking. Of the 2,000 office workers that the company surveyed, 54% were using insecure password management methods. A little under a quarter still wrote their passwords down on paper, which is more than those using password managers.

Another problem facing respondents was insecure password reset mechanisms. When users need to reset their passwords, they'll often call into a help desk. This should require some verification to stop intruders hijacking passwords with fraudulent resets, but 48% of its respondents did not have a user verification policy in place for incoming calls. Of those that did, 28% of respondents identified security and usability issues with the process. This included using static ID information easily sourced from other means.

Companies have adopted alternatives to password-only security mechanisms over the last few years, including two-factor authentication and passwordless security.

Featured Resources

IT best practices for accelerating the journey to carbon neutrality

Considerations and pragmatic solutions for IT executives driving sustainable IT

Free Download

The Total Economic Impact™ of IBM Spectrum Virtualize

Cost savings and business benefits enabled by storage built with IBMSpectrum Virtualize

Free download

Using application migration and modernisation to supercharge business agility and resiliency

Modernisation can propel your digital transformation to the next generation

Free Download

The strategic CFO

Why finance transformation propels business value

Free Download

Most Popular

The big PSTN switch off: What’s happening between now and 2025?

The big PSTN switch off: What’s happening between now and 2025?

13 Mar 2023
Why – and how – IP can be the hero in your digital transformation success story

Why – and how – IP can be the hero in your digital transformation success story

6 Mar 2023
Why Amazon is cutting staff from AWS

Why Amazon is cutting staff from AWS

21 Mar 2023