The 2022 Weak Password Report

Gandalf_The_Grey

Password attacks are on the rise because passwords themselves are very vulnerable to attack. What specifically makes them vulnerable? This year’s Weak Password Report takes a look at both the human side and the tech side of why passwords are the weakest link in an organization’s network.

From real world attack data to passwords inspired by pop culture, the 2022 Weak Password Report has insights into just how vulnerable passwords truly are.

Some highlights:
  • 93% of the passwords used in brute force attacks include 8 or more characters
  • 54% of organizations do not have a tool to manage work passwords
  • The Cincinnati Reds top the list of most popular baseball teams found in compromised password lists
  • 48% of organizations do not have user verification in place for calls to the IT service desk
  • 41% of passwords used in real attacks are 12 characters or longer
  • 42% of seasonal passwords contained the word “summer”
  • 68% of passwords used in real attacks include at least two character types
The research in this report has been compiled through proprietary surveys and data analysis of 800 million breached passwords, a subset of the more than 2 billion breached passwords within the Specops Breached Password Protection list. The data analysis looked at any password containing words within a particular theme. While it is impossible to say that using the word “angels” in a password is related to the baseball team in Los Angeles, the prevalence of words related to the themes demonstrates the problems of password reuse and compromised passwords.

The data in this report should bring awareness to this all-too common problem. The next step is to take action, which means blocking weak and compromised passwords, enforcing password length requirements, enforcing user verification at the service desk and auditing the enterprise environment to highlight password-related vulnerabilities.
Pdf-report:
 

Gandalf_The_Grey

On Bleeping Computer now (sponsored by Specops):
The top 5 things the 2022 Weak Password Report means for IT security
1. Password Length Does Not Guarantee Password Safety
2. Password Is Often Seasonal or Influenced by Pop Culture
3. Password Complexity Does Not Prevent Credential Theft
4. Password Overload is a Big Problem
5. Organizations Could Be Doing a Lot More to Keep Passwords Safe
 

Thales

I've been tired of trying for a long time.

My girlfriend uses 1 simple password everywhere (I know, I know :D ) but her digital life is so simple.
She doesn't even care about those things that were mentioned above. She uses 2FA on 3 sites (Facebook, Gmail, bank). That's all.
In contrast I use a password manager, 150+ bit passwords, 2FA, VeraCrypt, keyfiles, different clouds and external drives for backup etc. and my life is full of inconveniences.

:cautious:
 

blackice

Yep, most accounts don’t need that level of security. But we (security enthusiasts) all have the built-in paranoia. It’s similar to the online privacy fight. I’ve mostly moved to considering my online endeavors to be done in public and not worry about it. I’m too tired.
 

Numeriku

I am fine with my 16 char password, I have it memorized in my mind after years of using it, though I constantly check if the password is breached on any of the companies I use.
 
ForgottenSeer 94654

Weak passwords have always been one of the worst IT security pandemics. They can unravel even the strongest & most resilient of endpoint security configs and networks.
 