Even with other forms of authentication such as biometric and multi-factor authentication, passwords are still relevant and remain the most widely used form of authentication. Strong passwords are an effective tool in protecting personal data. “Strong” is the keyword here, however, and most people do not use passwords that would fall under that “strong” category.
In fact, a Specops Software study found 88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being eight characters.
Specops used Nvidia’s 2022 data breach as an example. In the breach, where thousands of employee passwords were leaked, many employees had used passwords such as “Nvidia,” “qwerty” and “nvidia3d.” Outside of Nvidia, other common base terms used in general passwords were “password” “admin,” “welcome” and “p@ssw0rd.”
It’s baffling to see these types of passwords used as a would-be defense against hackers. No wonder hackers bypass passwords related to the organization with ease. And users will likely continue to resort to these common passwords even with warnings passed on to them as well as end-user security training.
Funny enough, depending on how it is looked at, strong passwords that are compliant with NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC standards contributed to 83% of compromised passwords. (Maybe the compliance standards need to be revisited?) Especially if what they call “strong” passwords still need to be used in conjunction with other security measures and good security practices to ensure that account and personal data are safe.
As for security teams, they naturally feel left in the dark, especially the more end users they have.
To protect corporate data, organizations need to protect Active Directory, the universal authentication solution for Windows domain networks. Protecting Active Directory is effectively accomplished by using third-party password security software to strengthen Active Directory accounts. Organizations need to look for a solution that blocks the use of compromised passwords and commonly used terms with custom dictionaries.
“While organizations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique,” said Darren James, Product Manager at Specops Software. “With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data. Companies should put strong password policy enforcement in place, including custom dictionaries related to the organization.”
Edited by
Alex Passett
