New Specops Report Reveals Passwords Are Weakest Link For Networks

Organizations’ current password usage and policies leaving businesses and employees vulnerable to cyberattacks

Stockholm, March 8, 2022 — Password-related attacks are on the rise. Stolen user credentials including name, email and password were the most common root cause of breaches in 2021 with several high-profile and disruptive attacks over the last two years on SolarWinds, Colonial Pipeline, and others made possible by hackers stealing a single password.  New data released today by Specops Software—the leading provider of password management and authentication solutions – shows that setting strong passwords might not be enough in an increasingly volatile cybersecurity landscape.    

In its first annual Weak Password Report, Specops analyzed 800 million breached passwords, a subset of the more than 4 billion breached passwords in Specops Breached Password Protection, in order to identify current password security trends. Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organization’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.

Findings show that the issue is not as simple as users resorting to easy-to-remember logins like “password12345.” In fact, even passwords following typical guidelines on length and special characters remain vulnerable to attacks.

Key findings include:

  • 93% of the passwords used in brute force attacks include 8 or more characters
  • 41% of passwords used in real attacks are 12 characters or longer
  • 68% of passwords used in real attacks include at least two character types
  • 48% of organizations do not have user verification in place for calls to the IT service desks
  • 54% of organizations do not have a tool to manage work passwords

“Passwords are still the key to protecting our most private information, from email accounts to online banking, but these findings indicate that simply following password best practices is not enough to guard accounts,” said Darren James, Head of Internal IT, Specops Software. “With some of the most high-profile cybersecurity incidents of the last two years involving passwords, it’s imperative that organizations implement password policies to block weak or breached passwords and utilize additional authentication methods to ensure the security of sensitive business data and accounts.”

Holistic password hygiene needs to be better prioritized from the leadership level to individuals working at home. It’s critical for businesses to take action by blocking weak and compromised passwords, enforcing password length requirements, implementing user verification at the service desk, and auditing the enterprise environment to highlight password-related vulnerabilities.

For additional data and security tips, visit or download the report here.

Report Methodology

The research in this report has been compiled through proprietary surveys and data analysis of 800 million breached passwords, a subset of the more than 4 billion breached passwords within Specops Breached Password Protection list.

About Specops Software 

Specops Software, an Outpost24 company, is the leading provider of password management and authentication solutions. Specops protects your business data by blocking weak passwords and securing user authentication. With a complete portfolio of solutions natively integrated with Active Directory, Specops ensures sensitive data is stored on-premises and in your control.  Every day thousands of organizations use Specops Software to protect business data.

(Last updated on April 20, 2022)

Back to Blog