The Weak Password Report 2022

Feb 9, 2023 | Automation, Password Auditor, Password Policy, Privileged Access Management, Specops

THE WEAK PASSWORD REPORT 2022

 

Password attacks are on the rise because passwords themselves are very vulnerable to attack. What specifically makes them vulnerable? This year’s Weak Password Report takes a look at both the human side and the tech side of why passwords are the weakest link in an organization’s network.

From real world attack data to passwords inspired by pop culture, the 2022 Weak Password Report has insights into just how vulnerable passwords truly are.

The research in this report has been compiled through proprietary surveys and data analysis of 800 million breached passwords, a subset of the more than 2 billion breached passwords within Specops Breached Password Protection list. The data analysis looked at any password containing words within a particular theme. While it is impossible to say that using the word “angels” in a password is related to the baseball team in Los Angeles, the prevalence of words related to the themes demonstrates the problems of password reuse and compromised passwords.

The data in this report should bring awareness to this all-too common problem. The next step is to take action, which means blocking weak and compromised passwords, enforcing password length requirements, enforcing user verification at the service desk and auditing the enterprise environment to highlight password-related vulnerabilities.

Some highlights:

  • 93% of the passwords used in brute force attacks include 8 or more characters
  • 54% of organizations do not have a tool to manage work passwords
  • The Cincinnati Reds top the list of most popular baseball teams found in compromised password lists
  • 48% of organizations do not have user verification in place for calls to the IT service desk
  • 41% of passwords used in real attacks are 12 characters or longer
  • 42% of seasonal passwords contained the word “summer”
  • 68% of passwords used in real attacks include at least two character types