
Weak password report reveals password reuse problem

Specops, an Outpost24 company
Brute-force attacks and stolen credentials are prime reasons for a data breach. Newly released data shows that setting strong passwords might not be enough in an increasingly volatile cybersecurity landscape. Find out why you need to prioritize user password security.

Password-related attacks are on the rise. Stolen user credentials, including name, email and password, were the most common root cause of breaches in 2021. Several high-profile and disruptive attacks over the last two years, on SolarWinds, Colonial Pipeline, and others, were made possible by hackers stealing a single password.

In the first annual Weak Password Report, our sister company Specops analyzed 800 million breached passwords, a subset of the more than 2 billion breached passwords in Specops Breached Password Protection, in order to identify current password security trends. Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organization’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.


The report findings show that the issue is not as simple as users resorting to easy-to-remember logins like “password12345.” In fact, even passwords following typical guidelines on length and special characters remain vulnerable to attacks.


Key findings include:

  • 93% of the passwords used in brute force attacks include 8 or more characters
  • 41% of passwords used in real attacks are 12 characters or longer
  • 68% of passwords used in real attacks include at least two character types
  • 48% of organizations do not have user verification in place for calls to the IT service desk
  • 54% of organizations do not have a tool to manage work passwords


“Passwords are still the key to protecting our most private information, from email accounts to online banking, but these findings indicate that simply following password best practices is not enough to guard accounts,” said Darren James, Head of Internal IT, Specops Software. “With some of the most high-profile cybersecurity incidents of the last two years involving passwords, it’s imperative that organizations implement password policies to block weak or breached passwords and utilize additional authentication methods to ensure the security of sensitive business data and accounts.”


Password security needs to be better prioritized from the leadership level at enterprises to individuals working at home. It’s critical for businesses to take action by blocking weak and compromised passwords, enforcing password length requirements, implementing user verification at the service desk, and auditing the enterprise environment to highlight password-related vulnerabilities.

For additional data and security tips, visit or download the report here.


The research in this report has been compiled through proprietary surveys and data analysis of 800 million breached passwords, a subset of the more than 2 billion breached passwords within the Specops Breached Password Protection list.
