Conventional password wisdom says the longer the password, the better.
But that’s only partly true.
An unusual new finding from Specops Software is that even 15-character passwords are cracked fairly often: it’s the eighth-most common length of password to be compromised.
Here’s what this new research shows, what it means for you, and the steps you can take to keep your business safe.
The Findings
The company evaluated over 4 billion unique compromised passwords for the study, so it’s pretty safe to trust their findings.
Of those 4 billion cracked passwords, 67.7 million were 15 characters or longer.
Eight-character passwords are still the most commonly compromised (the company thinks that’s because Active Directory, an older but still active Microsoft product, defaults to eight-character passwords).
The Limits of the Findings
Before we get too far ahead of ourselves, it’s worth noting that these findings do have some significant limitations.
The list of most compromised lengths does proceed mostly in order, meaning the longer the password, the fewer show up as cracked in this database.
At first glance, this makes us feel good: maybe longer passwords are still getting hacked, but they’re safer than shorter ones…right?
Unfortunately, this research doesn’t tell us whether longer passwords are actually any safer: it could be that there are fewer in the database because there are fewer long passwords in use in the first place.
And whatever the case, 67.7 million is still a huge number!
Why Long Passwords Aren’t Enough
Long passwords aren’t enough because passwords themselves are just a weak way to secure stuff. The longer and harder to remember the password, the more likely the average user is to write it down somewhere. This could be in a notepad file on their computer desktop or a sticky note or notebook on their physical desktop. Either way, it doesn’t take much for someone to find and copy this kind of stored password.
Another problem is that people are still — yes, still — reusing passwords. At least they’ve upgraded from password123 to something a little longer and harder to guess. But the problem is just as big as ever.
If a bad guy breaches a database on something less secure (like your fantasy football credentials or the password to your cable bill account), they can’t do all that much damage.
But if the password they steal also unlocks everything you have access to at your bank or your business? That could get ugly, fast.
Remember: most cyberattacks start with something simple: stolen credentials.
What’s Better Than Longer Passwords?
So what’s even better than longer passwords?
A few things, actually.
1. Business password manager
First, consider investing in a business password manager that helps your employees create extremely long, unique passwords for every single account. Longer is better, and not reusing passwords helps a ton.
2. Two-factor or multifactor authentication (2FA or MFA)
Second, set up two-factor authentication or multifactor authentication for your business accounts. Doing this is kind of like setting a second (or third, or fourth) padlock on every account: that cracked password still unlocks one padlock, but without the key to the other padlocks (fingerprints, random codes, authenticator apps, and so forth, all of which are much harder to steal), the bad guys can’t get through.
3. Get ready for passkeys
Last, when passkeys arrive for the systems and tools you use most, start using them right away. Passkeys are easier for your people to use and exponentially more secure — a true win-win.
Have additional questions about password security or any of these newer security technologies? Give us a call — we’re happy to help!