Bad news - turns out even long passwords can be cracked easily

A traditional lock sitting on a computer keyboard
(Image credit: Towfiqu barbhuiya on Unsplash)

If you thought using a longer password is better for your security than a short one, then you may want to think again.

New research from Specops Software has found that even passwords 15 characters long make it into the top ten of the most common password lengths to be compromised (placing eighth). The most compromised length was eight characters, accounting for 212.5 million out four billion in the company's Breached Password Protection Database.

Specops surmises that this is the most common since eight characters is the default length for Active Directory passwords. As expected, as the character length increases, the share of compromised passwords decreases.

Time to crack

This led Darren James, Senior Product Manager at Specops Software, to conclude, "longer passwords are better... however, it’s important to understand that equipping users with strong, lengthy passwords isn’t a foolproof way to avoid compromised credentials."

He added, "attackers can still find workarounds – and user behavior can undo a good password policy."

When it comes to the actual content of the passwords themselves, it is again not much of a surprise that topping the list for eight character phrases is "password". For 15 characters, the phrase 'Sym_newhire' appears as the second and third most commonly compromised passwords - "Sym_newhireOEIE" and "Sym_newhireOAIE".

It is essential for business to have strong passwords, as Specops also cites figures from Verizon that claim that a massive 86% of all attacks begin by making use of stolen credentials. 

Increasing length can safeguard against brute force cracking. Specops calculates that to crack an eight character password, even those that contain numbers and both upper and lower case characters, can take a mere five minutes. On the other hand, a 15 character password can take up to 37 million years to crack.

However, the report warns that this "shouldn't give organizations a false sense of security, as this is only part of the password security battle." For instance, it won't matter if the credentials are stolen via phishing attacks.

Using one of the best business password manager solutions can help to secure your passwords further, as they often come with dark web monitoring features that notify users if any of stored credentials have been leaked in a known data breach.

Looking further ahead, though, the whole discussion may be academic, since passkeys, the new passwordless technology that is taking hold, mean there are no credentials that can be cracked or even phished. Some identity management solutions and business password managers are giving enterprise this capability already.


Lewis Maddison
Reviews Writer

Lewis Maddison is a Reviews Writer for TechRadar. He previously worked as a Staff Writer for our business section, TechRadar Pro, where he had experience with productivity-enhancing hardware, ranging from keyboards to standing desks. His area of expertise lies in computer peripherals and audio hardware, having spent over a decade exploring the murky depths of both PC building and music production. He also revels in picking up on the finest details and niggles that ultimately make a big difference to the user experience.