A recent report analyzed more than 800 million breached passwords, revealing that passwords are the weakest link in an organization’s network.

According to the Specops Software annual Weak Password Report, “password”, “admin”, “welcome” and “p@ssw0rd” were the most common base terms used in passwords. The study also found that 88% of passwords used in successful attacks were 12 characters or fewer, with eight characters being the most common length at 24%. At 18.82%, passwords containing only lowercase letters were the most common character combination.

A common tactic used by cybercriminals is the brute force attack, used to gain access to an organization’s network and steal sensitive data. Common, probable and breached passwords are systematically run against a user’s email to gain access, the report states.

While the annual report showed weak passwords were often used in successful attacks, it also revealed that 83% of compromised passwords satisfied both length and complexity requirements of cybersecurity compliance standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC.

“This shows that while organizations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique,” said Specops Software Product Manager Darren James. “With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data.”

With these results in mind, the report offered some password protection best practices for organizations to protect corporate data.

  • For most businesses, this starts with protecting Active Directory, the universal authentication solution for Windows domain networks.
  • Default password policy settings in Active Directory do not go far enough. Third-party password security software can strengthen Active Directory accounts.
  • Look for a solution that can block the use of compromised passwords and commonly used terms with custom dictionaries.