- Jan 8, 2011
New research from Specops Software has found that even passwords 15 characters long make it into the top ten of the most common password lengths to be compromised (placing eighth). The most compromised length was eight characters, accounting for 212.5 million out four billion in the company's Breached Password Protection Database.
Story via Bad news - turns out even long passwords can be cracked easilySpecops calculates that to crack an eight character password, even those that contain numbers and both upper and lower case characters, can take a mere five minutes. On the other hand, a 15 character password can take up to 37 million years to crack.
However, the report warns that this "shouldn't give organizations a false sense of security, as this is only part of the password security battle." For instance, it won't matter if the credentials are stolen via phishing attacks.
New Specops research looks into the data around longer passwords. Learn how they boost cybersecurity and where hackers can get around them.
We wanted to know the most common length of a compromised password, and how many longer passwords were being breached. To find out, the Specops research team analyzed the lengths of over 800 million compromised passwords (a subset of our larger Breached Password Protection list of over 4 billion unique compromised passwords). For the purpose of this research, we considered a password over 12 characters to be long.
Compromised password lengths: The resultsIn descending order, these are the eight most common lengths for compromised passwords. As expected, 8 characters (212.5 million total compromised passwords were 8 characters exactly) is at the top – likely because it is the default password length in Active Directory. You can also see that as character length increases, the total amount of compromised passwords decrease. However, this doesn’t mean we’re talking small numbers.
The below table shows how many compromised passwords we found above five given lengths. If we’re counting 12 and over as a ‘longer password’ then 121.5 million compromised passwords were found to be long. As you can see, the number of compromised passwords does decrease as character length increases, but there are still 31.1 million compromised passwords over 16 characters in length.
This shows that having longer passwords doesn’t protect you from attacks. Even if the total numbers are smaller compared to 8-character passwords, these numbers still represent tens of millions of opportunities for attackers to breach organizations using longer passwords.
Blog: [New research] Do longer passwords protect you from compromise?