Despite years of warnings, people continue to use easy-to-guess passwords. Given the number of accounts we all have, it isn’t surprising that people regularly recycle, upcycle, or reuse passwords (that potentially weren’t strong to start). This is even more unsurprising when you consider that 41% of Americans rely on memory alone to store their passwords.
The 2023 Weak Password Report by SpecOps studied 800 million breached passwords to look at password trends. We dug into the report to tease out some key lessons for businesses looking to implement better password policies.
Key Findings in the 2023 SpecOps Weak Password Report
The key findings and trends in the 2023 Weak Password Report can be summarized as follows:
- ‘Password’ is the most common base term found in breached passwords.
- 24% of passwords used in live attacks contained just 8 characters.
- People tend to use their surroundings and current events to ‘inspire’ their passwords. This was evident in the number of breached passwords containing a base word relating to the month of the year, their employer, or current sports events (like the Soccer World Cup).
Tips to Improve Your Password Policy
- Passwords Should Be Longer Than 12 Characters. More than 88% of passwords used in brute force attacks were 12 characters or less and many contained only lower-case characters.
- Screen passwords adopted by your team against commonly-used terms, current events, and your organization’s name (or similar) – and require users to update their password if it contains any ‘common’ base words.
Following the NVIDIA breach, SpecOps analyzed the top ten basewords in NVIDIA employees’ breached passwords, and found they included:
Hackers are quick to learn these trends and would be likely to target employer-related words in future attacks.
- Do away with regular password change requirements.
Frequent password changes may be a driving force behind your team adopting easier-to-guess passwords. Instead of requiring your team to regularly change their password, the National Institute of Standards and Technology (NIST) now suggests changing passwords if they’re exposed in a breach, if the password doesn’t meet complexity or length requirements, or if the password (or one like it) is used elsewhere.
- Require Multi-Factor Authentication (MFA), Wherever Possible.
Relying on passwords alone is a risk. The sophistication and frequency of password breaches are likely to continue to grow. So, given the ever-present risk of your team’s passwords being breached, MFA is a crucial backup.
- Educate Your Team So They Don’t Re-Use Organizational Passwords Elsewhere.
As we’ve mentioned, re-using passwords for multiple accounts is a relatively common practice. You should educate your team on the dangers of this practice and implement a policy that bans the use of organizational passwords for other purposes, including personal accounts.
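The length rule and the base-word screen from the first two tips can be combined into a single policy check. The code below is an added example, not part of the SpecOps report or this article; the employer name (ExampleCorp) and the word lists are constructed placeholders that a real deployment would replace with its own organization name and a breached-password list.

```python
import re

# Constructed placeholders: the page says breached passwords are often built on
# "password", a month of the year, the employer's name or a current sports event.
ORG_NAME = "examplecorp"          # hypothetical employer name
MIN_LENGTH = 13                   # page: passwords should be longer than 12 characters
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
COMMON_BASE_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "worldcup"}
BANNED_BASE_WORDS = COMMON_BASE_WORDS | set(MONTHS) | {ORG_NAME}

# Substitutions users apply to dress up a base word ("P@ssw0rd"); undoing them
# lets the screen see the base term the attacker's wordlist would also contain.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case, undo common leetspeak substitutions, keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def find_banned_base(password: str):
    """Return the banned base word the password is built on, or None."""
    core = normalise(password)
    # Longest terms first so "examplecorp" wins over a month embedded in it.
    for word in sorted(BANNED_BASE_WORDS, key=len, reverse=True):
        # Terms shorter than 4 letters ("may") produce too many false positives.
        if len(word) >= 4 and word in core:
            return word
    return None


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if re.fullmatch(r"[a-z ]+", password):
        problems.append("lower-case letters only")
    base = find_banned_base(password)
    if base:
        problems.append(f"built on banned base word '{base}'")
    return problems


if __name__ == "__main__":
    for candidate in ["Password123!", "ExampleCorp-Oct0ber!", "Tr0ub4dor&3Xplorer_99"]:
        print(candidate, "->", check_password(candidate) or "OK")
```

Run against a user-chosen password at set time (or in bulk over a password audit export), the returned list is what you would feed back to the user as the reason a change is required.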
If you need assistance with your company’s privacy practices, reach out. Our attorneys would love to help.
The materials available at this website are for informational purposes only and not for the purpose of providing legal advice. You should contact your attorney to obtain advice with respect to any particular issue or problem. Use of and access to this website or any of the e-mail links contained within the site do not create an attorney-client relationship between CGL and the user or browser. The opinions expressed at or through this site are the opinions of the individual author and may not reflect the opinions of the firm or any individual attorney.