Be careful, because the majority of compromised passwords meet regulatory requirements


Alexander Boero

May 30, 2022 at 1:40 p.m.


A study by a Swedish authentication specialist indicates that making passwords comply with the recommendations of cyber authorities is not enough to keep them from being compromised.

The Swedish provider of password management and authentication solutions Specops Software has just published a study analyzing passwords that have been compromised even though they met the standards of the French National Agency for the Security of Information Systems (ANSSI) and its European counterparts. Nearly 53% of the compromised passwords complied with the recommendations.

Compliance recommendations are not always enough

“Complexity and recommendations from official organizations can help strengthen your password,” recognizes Darren James, cyber specialist at Specops Software. However, he tempers this theoretical assertion by stating that “it won’t protect your network if it’s on a hacker’s list of compromised passwords.”

To reduce the risk of password compromise and hacking, ANSSI provides several specific recommendations. It is therefore strongly recommended to adopt a password:

  • Which has at least one upper or lower case letter, number or symbol;
  • Which does not contain consecutive characters (such as “123” or “abc”);
  • Which does not contain repeated characters (such as “aaaa”);
  • Which does not include keyboard patterns (the famous “azerty” and others);
  • Which meets a minimum length of 9, 12 or 15 characters, depending on which of the three security levels applies.

Another recommendation is to compare your password, at the time you create it, against a list of common or known-to-be-compromised passwords.

Hackers exploit passwords that are compliant but convenient

Of the 800 million compromised passwords analyzed by Specops, 52.95% met the various recommendations we have just listed. And yet many of them end up on hackers’ compromised password lists. Over time, hackers have in fact compiled a list of more than 2 billion compromised passwords which do comply with the recommendations of the various cyber authorities around the world, but which are not very original and appear on lists of the most common bad passwords. Let’s take a few examples.

The most banal illustration remains the password “password1”, which follows all the recommendations, or almost: a number in addition to the letters, no consecutive characters, a minimum length. But writing “password” followed by a “1” is neither secure nor original. This example is deliberately crude.

But let’s extend it to passwords that follow almost all, if not all, of the authorities’ recommendations:

  • yuantuo2012
  • 1q2w3e4r5t
  • startfinding
  • 111222tianya
  • malcolm01
  • magvai87magvai87
  • 21pink657

All these passwords, unoriginal as they may seem to you, nevertheless conform to almost all the recommendations. Admittedly, those in the know have acquired the right reflexes, using password managers, passphrases or passwords that depend only on chance, and not on what the hacker knows or can guess. Nevertheless, a large part of the general public still needs to be convinced of the benefits of strengthening what remains the most widely used means of authentication.
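To make the article’s point concrete, here is an added example (not code from Specops, ANSSI or the article) that implements the five recommendation rules listed above as a checker and then runs the page’s own sample passwords through it together with a compromised-list lookup. The mapping of the three ANSSI levels to the names `basic`, `medium` and `high`, the keyboard-pattern fragments, and the small breached-password set are all constructed assumptions standing in for a real policy and a real breach corpus; the output shows that “password1” and “malcolm01” pass every complexity rule yet are still rejected only because of the compromised-list check.

```python
"""Password policy checker: complexity compliance versus compromise.

Added example, not Specops or ANSSI code.  Assumptions: the three ANSSI
length tiers are mapped to the names below; the keyboard patterns and the
"compromised" set are constructed stand-ins for real lists.
"""
import hashlib
import re

# Minimum lengths for the three ANSSI levels cited in the article (assumed mapping).
LENGTH_TIERS = {"basic": 9, "medium": 12, "high": 15}

# Keyboard-walk fragments to reject (constructed, not an official ANSSI list).
KEYBOARD_PATTERNS = ("azerty", "qwerty", "1q2w3e", "asdf")

# Constructed stand-in for a breached-password corpus.  Stored as SHA-1 digests
# so the checker never needs the plaintext breached passwords on disk.
_COMPROMISED_PLAINTEXT = {"password1", "yuantuo2012", "1q2w3e4r5t", "malcolm01"}
COMPROMISED_HASHES = {hashlib.sha1(p.encode()).hexdigest() for p in _COMPROMISED_PLAINTEXT}


def has_consecutive_run(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` characters whose code points each step by +1 ("123", "abc")."""
    lowered = pw.lower()
    for i in range(len(lowered) - run + 1):
        window = lowered[i:i + run]
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(run - 1)):
            return True
    return False


def has_repeated_run(pw: str, run: int = 4) -> bool:
    """True if one character is repeated `run` or more times in a row ("aaaa")."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def has_keyboard_pattern(pw: str) -> bool:
    """True if any known keyboard-walk fragment appears in the password."""
    lowered = pw.lower()
    return any(pat in lowered for pat in KEYBOARD_PATTERNS)


def complexity_violations(pw: str, tier: str = "basic") -> list:
    """Return the recommendation rules the password breaks (empty list = compliant)."""
    problems = []
    # Rule 1 as quoted on the page is satisfied by any non-empty password made of
    # letters, digits or symbols; that weakness is itself part of the article's point.
    if not any(c.isalnum() or not c.isspace() for c in pw):
        problems.append("no letter, digit or symbol")
    if has_consecutive_run(pw):
        problems.append("consecutive characters")
    if has_repeated_run(pw):
        problems.append("repeated characters")
    if has_keyboard_pattern(pw):
        problems.append("keyboard pattern")
    minimum = LENGTH_TIERS[tier]
    if len(pw) < minimum:
        problems.append(f"shorter than {minimum} characters for tier '{tier}'")
    return problems


def is_compromised(pw: str) -> bool:
    """Look the password up in the breached corpus by hash, never by plaintext comparison."""
    return hashlib.sha1(pw.encode()).hexdigest() in COMPROMISED_HASHES


def evaluate(pw: str, tier: str = "basic") -> dict:
    """Combine both checks: a password is acceptable only if compliant AND not compromised."""
    violations = complexity_violations(pw, tier)
    compromised = is_compromised(pw)
    return {
        "compliant": not violations,
        "violations": violations,
        "compromised": compromised,
        "acceptable": not violations and not compromised,
    }


if __name__ == "__main__":
    samples = ["password1", "yuantuo2012", "1q2w3e4r5t", "startfinding", "malcolm01",
               "magvai87magvai87", "21pink657", "pelican-granite-Tuesday-41"]
    for pw in samples:
        r = evaluate(pw)
        print(f"{pw:28} compliant={r['compliant']!s:5} compromised={r['compromised']!s:5} "
              f"acceptable={r['acceptable']!s:5} {r['violations']}")
```

Running the script prints one line per sample; the last password is a constructed passphrase that passes both checks, while the page’s examples either pass the complexity rules and fail only the breach lookup, or trip a single rule such as “012” in “yuantuo2012” or the “1q2w3e” walk. The design choice worth noting is that the breach lookup is a separate, mandatory gate rather than one more complexity rule: a policy engine that stops at the five rules would accept exactly the passwords the article describes.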


Source: Specops press release



Source link -99