Bad news - turns out even long passwords can be cracked easily

A traditional lock sitting on a computer keyboard
(Image credit: Towfiqu barbhuiya on Unsplash)

If you thought using a longer password is better for your security than a short one, then you may want to think again.

New research from Specops Software has found that even passwords 15 characters long make it into the top ten of the most common password lengths to be compromised (placing eighth). The most compromised length was eight characters, accounting for 212.5 million out four billion in the company's Breached Password Protection Database.

Specops surmises that this is the most common since eight characters is the default length for Active Directory passwords. As expected, as the character length increases, the share of compromised passwords decreases.

Time to crack

This led Darren James, Senior Product Manager at Specops Software, to conclude, "longer passwords are better... however, it’s important to understand that equipping users with strong, lengthy passwords isn’t a foolproof way to avoid compromised credentials."

He added, "attackers can still find workarounds – and user behavior can undo a good password policy."

When it comes to the actual content of the passwords themselves, it is again not much of a surprise that topping the list for eight character phrases is "password". For 15 characters, the phrase 'Sym_newhire' appears as the second and third most commonly compromised passwords - "Sym_newhireOEIE" and "Sym_newhireOAIE".

It is essential for business to have strong passwords, as Specops also cites figures from Verizon that claim that a massive 86% of all attacks begin by making use of stolen credentials. 

Increasing length can safeguard against brute force cracking. Specops calculates that to crack an eight character password, even those that contain numbers and both upper and lower case characters, can take a mere five minutes. On the other hand, a 15 character password can take up to 37 million years to crack.

However, the report warns that this "shouldn't give organizations a false sense of security, as this is only part of the password security battle." For instance, it won't matter if the credentials are stolen via phishing attacks.

Using one of the best business password manager solutions can help to secure your passwords further, as they often come with dark web monitoring features that notify users if any of stored credentials have been leaked in a known data breach.

Looking further ahead, though, the whole discussion may be academic, since passkeys, the new passwordless technology that is taking hold, mean there are no credentials that can be cracked or even phished. Some identity management solutions and business password managers are giving enterprise this capability already.


Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.