Redazione RHC : 16 July 2025 17:39
In a new analysis based on 10 million compromised passwords, Specops has demonstrated how vulnerable corporate networks remain to human error. All passwords were drawn from a list of more than a billion leaked passwords. The results were alarming: only 1.5% of all analyzed passwords could be classified as “strong.”
The criteria for this definition were strict: a password was considered strong if it was 15 or more characters long and contained at least two different types of characters, such as letters and numbers. This length was chosen for a reason: each additional character multiplies the number of possible combinations by the size of the character set.
For example, a password of 15 lowercase letters has 1.7 quintillion possible combinations. Adding one character increases the number of combinations by a factor of 26, and using all valid characters (letters, numbers, and special characters) brings the total number of combinations to 2.25 octillion. Even the most powerful GPU rigs will not be able to exhaust a space of that size in the foreseeable future.
Heat map: password length vs. password complexity (Specops)
Despite this, users continue to choose short and simple combinations. The most common password type is 8 characters with two character types (e.g., letters and numbers), which accounts for 7.9% of all passwords. Next come 8-character passwords with only one character type (7.6%), which are weaker still. Passwords of up to 8 characters make up the vast majority overall and can be cracked in a matter of hours.
The analysis showed that only 3.3% of all passwords exceeded 15 characters. This suggests that organizational password policies are either not enforced or are being ignored. At the same time, increasing the length by even a few characters dramatically increases resistance to attacks: extending a 12-character password by four characters increases the effort required for a brute-force attack by 78 million times.
The study pays particular attention to the trend toward insufficient complexity. More than half of all analyzed passwords used at most two character types. Although modern recommendations (particularly those from NIST) focus more on length, adding a third or fourth character type still significantly increases security. Length, however, remains the primary factor: 16-20 characters offer better protection than short, albeit complex, passwords.
To increase security, it is recommended to switch from traditional passwords to meaningful phrases. Long but easy-to-remember phrases like “SunsetCoffeeMaroonReview” are far more secure and practical than character strings like “!x9#A7b!”. This approach reduces typos, technical support requests, and the hassle of constantly changing passwords.
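The arithmetic behind the figures above is easy to check: the keyspace an exhaustive search must cover is the alphabet size raised to the password length, and the study's “strong” criterion is 15 or more characters with at least two character types. The following Python script is an added example written for this article, not Specops' tool or data. It assumes that letters are split into upper and lower case when counting character types, reproduces the 78 million factor with a 94-symbol alphabet (94^4 = 78,074,896), uses a constructed banned-password list in place of a real breach feed, and treats the 10^10 guesses per second in the demo as an arbitrary figure for a fast offline attack.

```python
import math
import string

# Character classes used to count "character types". The article counts letters and
# digits as different types; splitting letters into upper and lower case is this
# example's assumption, not a detail taken from the Specops study. Characters outside
# these four classes (e.g. non-ASCII) are not counted.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}

# Constructed stand-in for a breached-password list; a real deployment would query a
# feed of leaked credentials instead of this hard-coded set.
BANNED = frozenset({"password", "123456", "qwerty123", "welcome1"})


def present_classes(password: str) -> list:
    """Names of the character classes that occur in the password."""
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def alphabet_size(password: str) -> int:
    """Size of the smallest union of character classes that could have produced it."""
    return sum(len(CLASSES[name]) for name in present_classes(password))


def keyspace(alphabet: int, length: int) -> int:
    """Candidates an exhaustive search must cover: alphabet ** length."""
    return alphabet ** length


def extension_factor(alphabet: int, extra_chars: int) -> int:
    """Growth of the keyspace when extra_chars are appended to any password."""
    return alphabet ** extra_chars


def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at an assumed guess rate."""
    return keyspace(alphabet, length) / guesses_per_second


def evaluate(password: str) -> dict:
    """Apply the article's 'strong' criterion (15+ characters, 2+ character types),
    add a banned-list check, and report the offline-guessing keyspace in bits."""
    classes = present_classes(password)
    alphabet = alphabet_size(password)
    bits = math.log2(keyspace(alphabet, len(password))) if alphabet else 0.0
    strong = len(password) >= 15 and len(classes) >= 2
    banned = password.lower() in BANNED
    return {
        "length": len(password),
        "classes": len(classes),
        "alphabet": alphabet,
        "bits": round(bits, 1),
        "strong": strong,
        "banned": banned,
        "policy_ok": strong and not banned,
    }


if __name__ == "__main__":
    # Keyspace growth from the article's lowercase example, recomputed.
    print(f"26^15 = {keyspace(26, 15):.3e}; one more character: x{keyspace(26, 16) // keyspace(26, 15)}")
    # The 78 million factor: four extra characters over a 94-symbol alphabet (assumed).
    print(f"94^4 = {extension_factor(94, 4):,}")
    # Assumed rate of 1e10 guesses/s against 8 lowercase characters.
    print(f"8 lowercase chars: {seconds_to_exhaust(26, 8, 1e10):.0f} s at 1e10 guesses/s")
    for pw in ["SunsetCoffeeMaroonReview", "!x9#A7b!", "password"]:
        print(pw, evaluate(pw))
```

Running the script shows the point the article makes: the 24-character passphrase passes the length-and-types criterion with two classes, while the 8-character “!x9#A7b!” uses all four classes and still fails on length, and the whole 8-lowercase-character space falls in under a minute at the assumed guess rate.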
The main threats associated with weak passwords remain the same.
At the same time, even a good hashing implementation does not compensate for a weak password itself: if the database is stolen and the password is easily brute-forced, neither salting nor the choice of hashing algorithm will help.
The study’s findings point to a simple truth: Weak passwords are still ubiquitous. Only a comprehensive policy that includes controls for length, complexity, uniqueness, and timely updates can protect corporate infrastructure from the most common attacks. And, as statistics show, most companies still have a lot of work to do in this area.