"Strong Password Policy Isn't Enough, Study Shows"

Security researchers at Specops Software analyzed a database of more than 800 million known-breached passwords and found that 83% of them met the basic password requirements set by five different standards bodies. The minimum password lengths prescribed by NIST, HITRUST for HIPAA, PCI, ICO for GDPR, and Cyber Essentials for NCSC range from seven to ten characters, and the standards also include requirements for password complexity, special characters, and numbers. None of these requirements was enough to keep compliant passwords off the breached list. Darren James of Specops Software stated that the data shows there is an excellent reason why some regulatory recommendations now include a compromised-password check. He noted that complexity and other rules might help, but that the most compliant password in the world does nothing to protect your network if it is on an attacker's compromised-password list.

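The compromised-password check the study argues for, as an added example that is not part of the original report or of Specops' own product: a Python sketch that first applies a typical length-and-complexity policy and then performs a k-anonymity style lookup against a breached corpus. The corpus here is a constructed four-entry sample, hashed with SHA-1 and queried by 5-character hash prefix the way Pwned Passwords range queries work; the server side of that query is simulated with a local dictionary, which is an assumption made so the example runs offline. Policy-compliant passwords such as Password1! pass the complexity check and still fail the breached check, which is the point of the study.

```python
import hashlib
import re

# Constructed sample standing in for a breached-password corpus such as the
# 800M-entry list the study analyzed. Every entry here satisfies typical
# length and complexity rules; that is exactly what the study found.
_SAMPLE_BREACHED = ["Password1!", "Welcome123", "Qwerty!23", "Summer2022!"]


def sha1_upper(password: str) -> str:
    """Hex SHA-1 digest, upper-cased, as used by Pwned Passwords style range lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus the way a k-anonymity range API serves it: keyed by the
# first 5 hex characters of the SHA-1, mapping to the 35-character suffixes.
BREACHED_INDEX = {}
for _pw in _SAMPLE_BREACHED:
    _digest = sha1_upper(_pw)
    BREACHED_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def range_query(prefix: str) -> set:
    """Simulated server side of a range query: given only a 5-char hash prefix,
    return every known-breached suffix under it. The server never sees the full
    hash, so a single query cannot be linked to one password. In production this
    is an HTTPS call to the range endpoint; here it is a local lookup (assumption)."""
    if len(prefix) != 5:
        raise ValueError("range query takes exactly 5 hex characters")
    return set(BREACHED_INDEX.get(prefix.upper(), set()))


def is_breached(password: str) -> bool:
    """Client side: send only the prefix, then match the suffix locally."""
    digest = sha1_upper(password)
    return digest[5:] in range_query(digest[:5])


def meets_policy(password: str, min_length: int = 8) -> bool:
    """A typical complexity policy: minimum length plus an upper-case letter,
    a lower-case letter, a digit and a special character. Eight characters sits
    inside the 7-10 range the cited standards prescribe."""
    return (
        len(password) >= min_length
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def evaluate(password: str) -> dict:
    """Combine both checks: a password is accepted only if it satisfies the
    policy AND is absent from the breached corpus."""
    policy_ok = meets_policy(password)
    breached = is_breached(password)
    return {"meets_policy": policy_ok, "breached": breached,
            "accepted": policy_ok and not breached}


if __name__ == "__main__":
    # Three policy-compliant breached passwords and one not in the corpus.
    for candidate in ["Password1!", "Qwerty!23", "Welcome123", "Tr0ub4dor&3-xK"]:
        print(f"{candidate!r:20} {evaluate(candidate)}")
```

The policy check alone would wave Password1! and Qwerty!23 through; only the breached-corpus lookup rejects them. Because the client reveals just five hex characters of the hash, the same structure works against an external range API without disclosing the candidate password.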
Dark Reading reports: "Strong Password Policy Isn't Enough, Study Shows"
