Think your password is safe because it’s eight characters long and mixes in a number or two? According to new analysis from Specops, nearly 99% of breached passwords are so weak they could be cracked in minutes.
In case you thought a clever combo of your dog’s name and a “1234” at the end was airtight, think again. According to fresh research from Specops, 98.5% of real-world breached passwords are objectively weak. And yes, that might include yours.
The cybersecurity team at Specops analyzed 10 million real passwords pulled from a massive database of over a billion compromised credentials. The team then slapped those 10 million passwords onto a heatmap of length vs complexity.
Only 1.5% of all passwords even made it into the “strong” zone, defined as being at least 15 characters long and using two or more character types. Only 3.3% of passwords in the sample were longer than 15 characters. That means the vast majority of passwords out there could be cracked by a cheap GPU rig instantly.
The most common type of password among the breached pile was eight characters long and had just two character types, like “Summer22” or “Office99.”
About 8% of all passwords fell into this dangerously basic zone. Close behind were eight-character passwords with only one character type, for example, just lowercase. That’s another 7.6%.
Why are weak passwords a problem?
- They’re easy targets: Weak passwords are often the first entry point for attackers. Once inside, hackers can move through networks, elevate access, and extract sensitive data, often without triggering security alerts.
- Password reuse multiplies the risk: With most employees managing dozens of logins, reused passwords are common. A breach in one system can provide access to internal tools, databases, or even critical admin consoles.
- They violate regulations: Data protection laws like GDPR, HIPAA, and PCI DSS require secure authentication practices. Weak or reused passwords fall short of those standards, potentially leading to fines, audits, and legal consequences.
- Brute-force tools are faster than ever: Today’s hardware can attempt billions of guesses per second. What once took days can now be done in minutes, especially for passwords under 10 characters.
- Encryption doesn’t fix everything: Hashing and salting improve password security, but can’t make up for poor choices. A weak password remains easy to crack, even if it’s encrypted.
- Large-scale attacks are common: Hackers often use botnets to launch distributed attacks, bypassing security measures like rate limits. These methods allow for high-volume testing of passwords across services, increasing the chance of a successful breach.
Why is 15+ characters the new minimum?
Despite a decade of security awareness training, phishing warnings, and stories about Russian botnets, people and organizations are still allowing weak passwords into their systems.
“Many users still choose weak, easily guessed combinations that cybercriminals can crack in seconds,” said Darren James, Senior Product Manager at Specops.
With GPU-powered rigs and cloud cracking services, anything under 12 characters is low-hanging fruit for attackers that calculate password possibilities during the cracking process.
Adding more complexity, like symbols or mixed case, can boost entropy and slow down brute-force attacks. However, updated NIST guidelines now put the emphasis on length. It means that you’re far better off using 16 to 20 characters in the password than relying on special symbols or random uppercase letters.
15 characters or more, with at least two different character classes (letters, numbers, symbols), bumps up the number of possible combinations into trillions and beyond. These numbers make even high-end cracking farms start to sweat, pushing the expected crack time from hours into years or centuries.
To create strong passwords, you could use password generators and password managers to securely manage access to different platforms.
Your email address will not be published. Required fields are markedmarked