top of page

[New research] Do longer passwords protect you from compromise?

New Research: Evaluating the Efficacy of Longer Passwords in Protecting Against Compromise
Insights from the Specops Breached Password Protection Database with Over 4 Billion Unique Compromised Passwords

The Specops Breached Password Protection Database Now Tops Over 4 Billion Unique Compromised Passwords

We’re sharing some new findings from the Specops research team about password length and how it can still be circumvented by attackers. These findings coincide with the latest addition of 10.2 million passwords to the Specops Breached Password Protection service, which now tops over 4 billion unique compromised passwords.

According to Verizon, 86% of initial attack access is gained through stolen credentials. One way to strengthen the passwords within an organization is to make them longer, which means they’re harder to guess and crack through brute force and hybrid dictionary attacks. But increased length doesn’t protect from other risks, such as phishing and password reuse.

“Longer passwords are better,” said Darren James, Senior Product Manager at Specops Software. “And I don’t think that’s news to most IT teams. However, it’s important to understand that equipping users with strong, lengthy passwords isn’t a foolproof way to avoid compromised credentials. Attackers can still find workarounds – and user behavior can undo a good password policy.”


We wanted to know the most common length of a compromised password, and how many longer passwords were being breached. To find out, the Specops research team analyzed the lengths of over 800 million compromised passwords (a subset of our larger Breached Password Protection list of over 4 billion unique compromised passwords). For the purpose of this research, we considered a password over 12 characters to be long.

Compromised password lengths: The results

In descending order, these are the eight most common lengths for compromised passwords. As expected, 8 characters (212.5 million total compromised passwords were 8 characters exactly) is at the top – likely because it is the default password length in Active Directory. You can also see that as character length increases, the total amount of compromised passwords decrease. However, this doesn’t mean we’re talking small numbers.

  1. 8

  2. 10

  3. 9

  4. 11

  5. 12

  6. 13

  7. 14

  8. 15

The below table shows how many compromised passwords we found above five given lengths. If we’re counting 12 and over as a ‘longer password’ then 121.5 million compromised passwords were found to be long. As you can see, the number of compromised passwords does decrease as character length increases, but there are still 31.1 million compromised passwords over 16 characters in length.

This shows that having longer passwords doesn’t protect you from attacks. Even if the total numbers are smaller compared to 8-character passwords, these numbers still represent tens of millions of opportunities for attackers to breach organizations using longer passwords.

Password Character Length in Compromised Passwords
Analyzing Password Character Length in Compromised Passwords: A Cybersecurity Perspective

Real compromised passwords

Below are the three most common compromised passwords for each of the character lengths we analyzed between 8-15. There are some interesting things to dig into, especially at either end of the table. It comes as no surprise to see ‘password’ as the most commonly compromised 8-character password.

Most commonly compromised passwords by character length
Analyzing Password Compromises by Character Length: Uncovering the Most Common Vulnerabilities

The phrase ‘new hire’ appears in the second and third most commonly compromised 15-character passwords, highlighting that IT admins should avoid predictable, repeatable password patterns when onboarding new users. It could also suggest these new users were not forced to change their password and had been using the default ones given to them by IT for some time.

Should we still create longer passwords?

In short, yes. Our data shows that on average, 85% of compromised passwords are under 12 characters in length. As shown in the table below, it’s much harder to crack a longer password. However, as the second table highlights, increasing password length on its own shouldn’t give organizations a false sense of security, as this is only part of the password security battle.

Time to Crack: MD5 Hashed Passwords
Time to Crack: Analyzing the Security of MD5 Hashed Passwords

Time to Crack: Known Compromised Passwords
Time to Crack: Assessing the Vulnerabilities of Known Compromised Passwords

It’s important to remember that long passwords can still be compromised through phishing and other forms of social engineering. The bigger risk though is attackers getting their hands on a database of passwords from a less secure website or SaaS application. For example, say a hacker gets into an online store and gets their hands on a whole database of passwords. Even if the passwords are hashed, the attacker has all the time in the word to try and crack them, and then figure out who those people are and where they work. If any of those passwords have been reused at work, it’s an easy route into the employee’s organization.

This is why password reuse can be a major Achille’s heel of what could be an otherwise strong password policy. An organization might enforce end users to use longer, strong passwords at work, but there’s nothing stopping people reusing those passwords on personal applications and devices with weak security or on unsecure networks.

Thanks to the explosion in SaaS, the average knowledge worker has to remember passwords for more than 25 sites or apps. LastPass data shows more than 60% of knowledge workers use the same passwords or slight variations – with Bitwarden estimating this to be even higher at 84%. Organizations who have gone down the ‘never expire’ route are even more at risk of passwords becoming compromised without their knowledge.

This means organizations need an added layer of security on top of having a strong password policy – they need a way of checking whether any of their existing passwords have become compromised. However, most solutions, including Azure AD (Entra ID), only do this at a password change or reset event, which could mean a long time to wait before discovering a compromise.

How do we mitigate password reuse and compromised credentials?

Download our free tool Specops Password Auditor for a quick health check of your Active Directory against a condensed list of over 950 million compromised passwords – including those discussed in this article and 4.4 million added today. It’ll give you a read-only scan and report on how many of your passwords are weak or have already been compromised.

Auditing offers is a valuable first step for finding out your password-related vulnerabilities, but true protection comes from automated and ongoing checking and remediation. With Specops Password Policy and Breached Password Protection, your Active Directory will be scanned against a list of over 4 billion unique compromised passwords – including ones being used in attacks on honeypot accounts today. Our research team’s attack monitoring data collection systems update the API daily, ensuring you stay protected against newly discovered compromised passwords.

Daily scans paired with smarter and more comprehensive compromised password data

Specops Password Policy with Breached Password Protection can now offer even more protection for your organization against the constant threat of attack. Our new continuous scan feature checks all Active Directory passwords against the Breached Password Protection API once a day for any compromises, unlike other solutions on the market where checks are only made during resets or expirations.

The Breached Password Protection service:

  • Protects against the use of more than 4 billion unique known compromised passwords

  • Includes password data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks

  • Updated daily with newly discovered passwords

The daily update of the Breached Password Protection API, paired with continuous scans for the use of those passwords in your network, equals a much more comprehensive defense against the threat of password attack and the risk of password reuse. Any breached passwords are blocked in Active Directory and end users found to be using them are notified with a customizable SMS or email, so there won’t be any added Service Desk burden.

Interested in seeing how this might work for your organization? Have questions on how you could adapt this for your needs? Contact us or see how it works with a demo or free trial.

Author: Specops Software

Sep 26, 2023(Last updated on September 26, 2023)


bottom of page