Why your password probably isn't good enough

Download the Weak Password report

It is unlikely any of us would intentionally choose a weak password. We typically choose something memorable, that fits the complexity requirements asked of us (when enforced), some of us even follow the National Cyber Security Centre’s Three Random Words advice. But, unfortunately, it isn’t alwaysenough to prevent your password from becoming compromised.  

The 2023 Weak Password report, created by password security experts Specops, which analysed over 800 million breached passwords, found that more than four in five (83%) compromised passwords satisfied the password length and requirements of regulatory password standards, while 88% were 12 characters or less. Of the four million passwords they analysed being used in live cyber attacks, the most common were eight characters and almost a fifth were made up of only lower case letters. 

Inevitably, the report also found that the most common base term found in passwords used to breach networks across multiple ports is “password”. Clearly, creating the strongest possible password continues to evade many of us.  

“Passwords are easy to attack because people use easy-to-guess passwords,” states the report. “These passwords are guessable because people reuse passwords and follow common patterns and themes. These passwords then end up on breached lists and can be attacked via brute force and password spraying.” 

Password spraying and brute force attacks occur when cyber criminals test out common passwords against a list of user names to try and gain access to their accounts. The report describes the tactic as cyber criminals “using a list of common, probable, or even breached passwords to systematically run them against a user’s email to gain access to a given account”.  

The tactic is highly impersonal and as a result, means no one is immune from the possibility of a cyber breach, especially not charities. Cyber criminals are not generally thinking about who they’re targeting, so much as what they can gain if they are successful. 

Protecting your passwords 

The report’s finding demonstrate that, no matter how long or random you believe your password is, it can still leave you vulnerable to cyber breaches. Fortunately, the report also offers advice on what charities can do to prevent the use of compromised passwords and how they can protect their passwords in future. 

The report notes that “Understanding common password patterns and user behaviors is the first step in securing passwords and the critical business data they protect.”  

It also recommends some key actions that organisations can take immediately, such as blocking weak and compromised passwords, enforcing password length requirements, and using digital tools, like its free Password Auditor, to identify password-related vulnerabilities. 

You can find out more by downloading the full report below.