informa
1 min read
article

Strong Password Policy Isn't Enough, Study Shows

New analysis reveals basic regulatory password requirements fall far short of providing protection from compromise.

A new look at a database of more than 800 million known-breached passwords reveals that 83% of them met basic security standards set by five different standards agencies. 

Minimum password lengths prescribed by NIST, HITRUST for HIPPS, PCI, ICO for GDPR, and Cyber Essentials for NCSC ranged from seven to 10 and included requirements for password complexity, special characters, and numbers — but none were enough to keep compliant passwords off the breached list, according to a new report from Specops Software. 

"What this data really tells us is that there is a very good reason why some regulatory recommendations now include a compromised password check," said Darren James, product specialist at Specops Software, in a statement about the new password policy research. "Complexity and other rules might help but the most compliant password in the world doesn’t do anything to protect your network if it's on a hacker's compromised password list."