Bad news - turns out even long passwords can be cracked easily

A traditional lock sitting on a computer keyboard
(Image credit: Towfiqu barbhuiya on Unsplash)

If you thought using a longer password is better for your security than a short one, then you may want to think again.

New research from Specops Software has found that even passwords 15 characters long make it into the top ten of the most common password lengths to be compromised (placing eighth). The most compromised length was eight characters, accounting for 212.5 million out four billion in the company's Breached Password Protection Database.

Specops surmises that this is the most common since eight characters is the default length for Active Directory passwords. As expected, as the character length increases, the share of compromised passwords decreases.

Time to crack

This led Darren James, Senior Product Manager at Specops Software, to conclude, "longer passwords are better... however, it’s important to understand that equipping users with strong, lengthy passwords isn’t a foolproof way to avoid compromised credentials."

He added, "attackers can still find workarounds – and user behavior can undo a good password policy."

When it comes to the actual content of the passwords themselves, it is again not much of a surprise that topping the list for eight character phrases is "password". For 15 characters, the phrase 'Sym_newhire' appears as the second and third most commonly compromised passwords - "Sym_newhireOEIE" and "Sym_newhireOAIE".

It is essential for business to have strong passwords, as Specops also cites figures from Verizon that claim that a massive 86% of all attacks begin by making use of stolen credentials. 

Increasing length can safeguard against brute force cracking. Specops calculates that to crack an eight character password, even those that contain numbers and both upper and lower case characters, can take a mere five minutes. On the other hand, a 15 character password can take up to 37 million years to crack.

However, the report warns that this "shouldn't give organizations a false sense of security, as this is only part of the password security battle." For instance, it won't matter if the credentials are stolen via phishing attacks.

Using one of the best business password manager solutions can help to secure your passwords further, as they often come with dark web monitoring features that notify users if any of stored credentials have been leaked in a known data breach.

Looking further ahead, though, the whole discussion may be academic, since passkeys, the new passwordless technology that is taking hold, mean there are no credentials that can be cracked or even phished. Some identity management solutions and business password managers are giving enterprise this capability already.

MORE FROM TECHRADAR PRO

Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.

Read more
Cartoon Phishing
Over a billion credentials stolen were stolen in malware attacks in 2024
password manager
I'm a security expert - here are my biggest tips for creating a secure password for work and home life to stay safe online
Person using finger print authentication
Passwords out, passkeys in: The future of secure authentication
Hand holding smartphone and scan fingerprint biometric identity for unlock her mobile phone
Passwordless authentication continues to grow, with biometrics helping push adoption
Young woman working at a coffee shop with a laptop
Too many passwords, not enough brain space? Here’s how password managers can improve your life
A hand laying out a password
Security attacks on password managers have soared
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does