Corporate passwords continue to be cracked at an alarming rate, and many companies still use the most easily hackable strings imaginable.
In its annual Weak Password Report, password management company Specops Software analyzed more than 800 million compromised passwords and concluded that they are “still the weakest link in an organization’s network.”
Not surprisingly, 88% of the cracked passwords consisted of 12 characters or fewer, and the most common strings were “password”, “admin”, “welcome” and “p@ssw0rd”. Almost 20% contained only lowercase letters.
Not strong enough
Perhaps more surprisingly, even passwords considered strong by standards such as NIST and PCI accounted for 83% of those cracked.
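The two findings above (most cracked passwords were short or trivially guessable, yet most also satisfied a complexity standard) are easy to reproduce with a small audit script. The following is an added example, not code from the article or from Specops: it compares a classic composition rule against a check that folds leetspeak and compares the result to a breached-password blocklist. The blocklist is constructed from the strings the article names, and the 12-character threshold is taken from the report's statistic; both are assumptions for illustration, and a real deployment would load a full breached-password corpus.

```python
import re
from typing import List, Optional

# Constructed blocklist seeded with the strings the article names; a real
# deployment would load a full breached-password corpus instead.
BREACHED_PASSWORDS = {
    "password", "admin", "welcome", "p@ssw0rd", "qwerty", "nvidia", "nvidia3d",
}

# Common leetspeak substitutions, reversed so "p@ssw0rd" folds back to "password".
LEET_TO_PLAIN = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})

# The report found 88% of cracked passwords were 12 characters or fewer.
MAX_WEAK_LENGTH = 12


def meets_complexity(pw: str, min_len: int = 8) -> bool:
    """Classic composition rule: at least min_len characters and three of
    four character classes. "p@ssw0rd" satisfies this, which is the problem."""
    classes = sum(
        bool(re.search(pattern, pw))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    return len(pw) >= min_len and classes >= 3


def normalize(pw: str) -> str:
    """Lower-case, drop the trailing digits/symbols users append to satisfy
    composition rules, then undo leetspeak, so "Welcome1!" and "P@ssw0rd"
    collapse to the plain words attackers actually try."""
    stripped = re.sub(r"[\d\W_]+$", "", pw.lower())
    return stripped.translate(LEET_TO_PLAIN)


def blocklist_match(pw: str) -> Optional[str]:
    """Return the blocklist entry the password collapses to, or None."""
    for candidate in (normalize(pw), pw.lower()):
        if candidate in BREACHED_PASSWORDS:
            return candidate
    return None


def audit(pw: str) -> List[str]:
    """List every reason the password matches the report's weak profiles.
    An empty list means the password passed all checks."""
    findings = []
    if len(pw) <= MAX_WEAK_LENGTH:
        findings.append("12 characters or fewer")
    if pw.isalpha() and pw.islower():
        findings.append("lowercase letters only")
    match = blocklist_match(pw)
    if match is not None:
        findings.append(f"matches breached password '{match}'")
    return findings


def is_acceptable(pw: str) -> bool:
    return not audit(pw)


if __name__ == "__main__":
    # Constructed samples: the report's favourites plus one long passphrase.
    for sample in ("p@ssw0rd", "welcome", "Welcome1!", "nvidia3d",
                   "correct-horse-battery-staple"):
        print(f"{sample:30} complexity={meets_complexity(sample)!s:5} "
              f"audit={audit(sample)}")
```

The interesting rows are the two that disagree: “p@ssw0rd” passes the composition rule and fails the audit, while the long passphrase fails the composition rule (only two character classes) and passes the audit. Length and a breached-password check catch what character-class rules do not.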
“This shows that while organizations are making concerted efforts to adhere to password best practices and industry standards, more needs to be done to ensure that passwords are strong and unique,” noted Darren James, Specops product manager.
“With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data,” he added.
Brute-force attacks were common among cybercriminals: they take common and previously compromised passwords and try them against company email accounts until one finally grants access to the corporate account.
The report even showed that old passwords, such as the one leaked in the 2016 MySpace hack, were still successfully used by hackers.
James also cites the Nvidia breach of April 2022, in which many employees had secured their accounts with weak passwords such as “Nvidia”, “qwerty” and “nvidia3d”, showing that even large and well-known companies are guilty of poor password practices.
To address this issue, James recommends that companies first protect “Active Directory, a universal authentication solution for Windows domain networks,” and then use third-party software such as password managers and password generators to create strong, unique passwords and enforce their use.