Is your password long enough to be secure?

The research team at Specops Software, a company specializing in password management and authentication solutions, has published the results of a study on password length and on the methods attackers use to compromise passwords.

“We wanted to know what the most common length of compromised passwords was and how many even longer passwords were cracked,” the company explains. More specifically, Specops Software aims to support the conclusion that “Providing users with complex, long passwords is not a foolproof way to avoid credential compromise”.

The study is therefore based on an analysis of 800 million breached passwords drawn from the company’s Breached Password Protection database, which lists 4 billion. Here’s what to take away from the study.

A password consisting of multiple characters is not necessarily infallible…

The study’s first finding will surprise no one: 8-character passwords are the most frequently breached. A password with more characters is therefore harder to crack: “as character length increases, the total number of compromised passwords decreases”. This conclusion is consistent with that of a recent report from Hive Systems.

Length, however, is no guarantee. Of the sample studied, 121.5 million breached passwords are considered by Specops Software to be sufficiently long, i.e. made up of 12 characters. Worse still, 31.1 million breached passwords contain more than 16 characters, showing that “longer passwords don’t protect you from attacks”. They are particularly vulnerable to brute-force attacks, in which a program is made to test every possible combination one after another. Like the hybrid dictionary attack, this method easily picks up the predictable, repetitive patterns that IT administrators often apply.

[Figure: compromised passwords by character length]
31.1 million passwords breached from the database were longer than 16 characters. ©Specops Software

…but remains more reliable and difficult to crack

While the Specops Software research team plays down the importance of length, arguing that it can give “a false sense of security”, it nevertheless recommends passwords made up of a mix of letters, numbers and symbols. For example, it takes 3 million years to crack a 13-character password made up of numbers, uppercase letters, lowercase letters and symbols (see the featured image). And this even though “Long passwords can still be compromised by phishing and other forms of social engineering,” Specops Software reminds us. As for reused passwords, the finding is unambiguous, as the table below shows.
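The two points above, that exhaustive search time grows with length and character variety but that a long password built from a repeated or dictionary-based pattern never forces an attacker into that full search, can be made concrete with a small checker. The following is an added example written for this article; it is not code from Specops Software or from the study. The guess rate, the tiny word list and the sample passwords are all constructed assumptions, so the year figures it prints are illustrative and will not match the 3-million-year figure quoted above, which rests on different assumptions.

```python
import re
import string

# Assumed guess rate for the estimate (constructed for this example, not a figure
# from the Specops study): roughly a GPU rig against a fast, unsalted hash.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for an attacker's dictionary; real lists hold millions of entries.
COMMON_WORDS = {"password", "welcome", "summer", "company", "admin", "letmein"}


def charset_size(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def brute_force_years(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to exhaust charset ** length at the given guess rate."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / rate / SECONDS_PER_YEAR


def predictable_patterns(password: str) -> list[str]:
    """Cheap patterns a hybrid dictionary/rule attack would try long before a full search."""
    found = []
    lowered = password.lower()
    # 1. A short unit repeated to pad out the length, e.g. "abc123abc123abc123".
    for unit_len in range(1, len(password) // 2 + 1):
        unit = password[:unit_len]
        if len(password) % unit_len == 0 and unit * (len(password) // unit_len) == password:
            found.append(f"repeated unit '{unit}' x{len(password) // unit_len}")
            break
    # 2. A dictionary word with digits/symbols bolted on at either end.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core in COMMON_WORDS and core != lowered:
        found.append(f"dictionary word '{core}' with prefix/suffix")
    elif lowered in COMMON_WORDS:
        found.append(f"dictionary word '{core}'")
    # 3. Runs of consecutive characters such as "123456" or "abcdef".
    run = 1
    for a, b in zip(password, password[1:]):
        run = run + 1 if ord(b) - ord(a) == 1 else 1
        if run >= 6:
            found.append("sequential run of 6+ characters")
            break
    # 4. A four-digit year near the end ("Summer2024!").
    if re.search(r"(19|20)\d\d\D*$", password):
        found.append("trailing year")
    return found


def assess(password: str) -> dict:
    """Combine the two views: raw keyspace cost and whether a cheap pattern bypasses it."""
    years = brute_force_years(password)
    patterns = predictable_patterns(password)
    return {
        "length": len(password),
        "charset": charset_size(password),
        "brute_force_years": years,
        "patterns": patterns,
        # Length only protects when no cheap pattern lets an attacker skip the full search.
        "length_protects": years > 100 and not patterns,
    }


if __name__ == "__main__":
    # Constructed samples: short, long-but-patterned, and long-and-random.
    for pw in ["Ab1!", "Summer2024!", "Password123456", "abc123abc123abc123", "g7#Qp!xL2mVd9"]:
        r = assess(pw)
        print(f"{pw:20} len={r['length']:2} charset={r['charset']:2} "
              f"years={r['brute_force_years']:.3g} patterns={r['patterns']} "
              f"protects={r['length_protects']}")
```

The point the output makes is the one the study makes: an 18-character repeated string has a huge nominal keyspace but is flagged immediately, while a 13-character random string with all four character classes is both expensive to search and free of shortcuts. A real deployment would swap the toy word list for a breached-password feed such as the one the study draws on.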

[Figure: password reuse]
Reusing the same password, even if long and varied, poses a significant risk. ©Specops Software

