
Password complexity rules aren't enough to protect employees from attack

Report says companies need better password management to protect themselves

Password length and complexity rules are not enough to prevent brute force attacks, a new report released today has warned.

The report, from password auditing company Specops Software, analyzed more than 800 million breached passwords. It found that 93% of the passwords used in brute force attacks were eight characters or more in length, while 41% were 12 characters or more.

Password complexity rules don't always help either: the report found that 68% of the passwords used in real attacks contained at least two character types.

The company warns that simply using longer and more complex passwords is not enough to avoid brute force attacks given that so many have been compromised already, adding that overly complex passwords might cause people to reuse a single one more often. With over nine in ten IT decision makers reusing passwords, trying leaked credentials across multiple accounts is a top technique for hackers.

Sharing passwords is another threat to password security, and yet two-thirds of respondents admitted to doing this at work. Most of these sharers said that they 'just remembered' their passwords, suggesting that they use weaker passwords.

One way that people create memorable passwords while complying with complexity rules is to use root words based on their common interests, warned the report. It found seasons, months, movies, and sports teams among the most common components of complex passwords.
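The report's point is that a password can satisfy a length-and-complexity rule and still be one an attacker already holds. The following Python script is an added illustration, not code from Specops or IT Pro: it applies a conventional rule set (minimum length, minimum number of character classes), then screens the password against a breached-password corpus and against the season and month root words the report names. The breached list and the sample passwords are constructed for the example; a real deployment would query a large leaked-password set by hash rather than a five-entry set.

```python
"""Password policy check: complexity rules alone versus a breached-password screen.

Added example (not from the Specops report or the IT Pro article). The breached
corpus and sample passwords below are constructed for illustration only.
"""
import hashlib
import re
from typing import Optional

# Constructed stand-in for a breached-password corpus. A real deployment would hold
# hashes of a large leaked-password set and look passwords up by hash.
CONSTRUCTED_BREACHED = {
    "Summer2021!",
    "Liverpool1!",
    "January2022",
    "P@ssw0rd",
    "Qwerty123!",
}
BREACHED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in CONSTRUCTED_BREACHED}

# Root words the report names as common building blocks: seasons and months.
# "may" is left out because a three-letter root matches far too many words;
# movie titles and team names would need a much longer list than fits here.
COMMON_ROOTS = [
    "spring", "summer", "autumn", "winter",
    "january", "february", "march", "april", "june", "july",
    "august", "september", "october", "november", "december",
]

CHARACTER_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def character_classes(password: str) -> int:
    """Number of distinct character classes present (the usual 'complexity' measure)."""
    return sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))


def passes_complexity_rules(password: str, min_length: int = 8, min_classes: int = 2) -> bool:
    """The traditional rule set: minimum length plus a minimum number of character classes."""
    return len(password) >= min_length and character_classes(password) >= min_classes


def is_breached(password: str) -> bool:
    """Look the password up in the (constructed) breached corpus by SHA-1 hash."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_HASHES


def common_root(password: str) -> Optional[str]:
    """Return the first season or month name embedded in the password, ignoring case
    and the digits/symbols people append to satisfy complexity rules."""
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    for root in COMMON_ROOTS:
        if root in letters_only:
            return root
    return None


def evaluate(password: str) -> dict:
    """Apply the checks in order and report why a password is rejected, if at all.
    A password that passes the complexity rules is still rejected if it appears in
    the breached corpus or is built on a common root word."""
    result = {
        "password": password,
        "complexity_ok": passes_complexity_rules(password),
        "breached": is_breached(password),
        "root": common_root(password),
    }
    if not result["complexity_ok"]:
        result["verdict"] = "reject: fails length/complexity rules"
    elif result["breached"]:
        result["verdict"] = "reject: appears in breached-password corpus"
    elif result["root"]:
        result["verdict"] = f"reject: built on common root '{result['root']}'"
    else:
        result["verdict"] = "accept"
    return result


if __name__ == "__main__":
    samples = ["Summer2021!", "Liverpool1!", "October2022#",
               "correct horse battery staple", "abc"]
    for pw in samples:
        r = evaluate(pw)
        print(f"{pw!r:32} complexity={r['complexity_ok']!s:5} "
              f"breached={r['breached']!s:5} -> {r['verdict']}")
```

Run as-is, the first three samples all satisfy the eight-character, two-class rule and all three are still rejected: two because they sit in the constructed breach corpus, the third because it is a month name with a year and symbol appended. The ordering of checks matters for the user-facing message; telling a user their chosen password is already in a breach list is more actionable than a generic complexity failure.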


Stronger password management is one answer to the problem, but the report found respondents lacking. Of the 2,000 office workers that the company surveyed, 54% were using insecure password management methods. A little under a quarter still wrote their passwords down on paper, which is more than those using password managers.

Another problem facing respondents was insecure password reset mechanisms. When users need to reset their passwords, they'll often call into a help desk. This should require some verification to stop intruders hijacking accounts with fraudulent resets, but 48% of the report's respondents did not have a user verification policy in place for incoming calls. Of those that did, 28% of respondents identified security and usability issues with the process, including reliance on static ID information easily obtained from other sources.

Companies have adopted alternatives to password-only security mechanisms over the last few years, including two-factor authentication and passwordless security.
