Following Regulatory Recommendations for Passwords Does Not Necessarily Improve Password Security

If you religiously follow regulatory standards for passwords, you may think you have a good password policy, but that does not mean your employees are not setting weak passwords. A recent study by Specops confirmed that simply following regulatory recommendations for setting passwords is not, by itself, enough.

For the study, the researchers conducted an analysis of more than 800 million passwords that are known to have been compromised and are in the public domain. They then assessed whether the passwords were compliant with 5 regulatory standards:

  • NIST
  • HITRUST for HIPAA
  • PCI
  • ICO for GDPR
  • Cyber Essentials for NCSC

They found that up to 83% of the passwords in their dataset of known compromised passwords satisfied regulatory requirements. For example, the recommendations for passwords of the Cyber Essentials scheme of the UK’s National Cyber Security Centre are for passwords to have at least 8 characters, with no maximum password length, and for users to change their passwords promptly if they suspect a password has been compromised. 83% of the passwords in the list were compliant with NCSC recommendations.

The National Institute of Standards and Technology (NIST) has produced password guidance which many businesses follow. The recommendations include a minimum password length of 8 characters, preventing the use of repetitive or incremental passwords, and disallowing context-specific words as passwords. The Specops researchers point out that the following weak passwords would meet NIST recommendations and were also present in their dataset.

  • password1
  • qwertyuiop
  • 1q2w3e4r5t
  • iloveyou
  • myspace1

Importantly, NIST provides one further recommendation, which is now being included in several regulations that have password-related provisions: check passwords against breached password lists. This is actually one of the most important best practices for a password policy. It does not matter whether every other recommendation has been followed and an incredibly complex password has been set; if that password is in a hacker’s password list, it is weak and can be used to gain access to an account.
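The point made across the last two paragraphs (and the Cyber Essentials minimum-length rule above) can be seen in code. The following is an added example, not Specops' tool or anything from the study: a small policy checker that applies the rules the article lists (minimum length of 8, no repetitive or sequential characters, no context-specific words, and a lookup against a breached-password list) and then evaluates the five example passwords. The breached list is a constructed sample of a few SHA-1 hashes, not the 800-million-entry corpus, and the context words (`acmecorp`, `jdoe`) are assumed deployment-specific values that a real policy would derive from the account.

```python
"""Added example (not from the article): a minimal password-policy checker
modelled on the NIST SP 800-63B-style rules the article lists, plus the
Cyber Essentials 8-character minimum. The breached-password list is a small
constructed sample standing in for a real corpus."""
import hashlib
import re

# Constructed stand-in for a breached-password corpus. As in real
# deployments, only hashes are kept; the plaintexts here are the article's
# own examples plus two more constructed entries.
_SAMPLE_BREACHED = ["password1", "qwertyuiop", "1q2w3e4r5t", "iloveyou",
                    "myspace1", "letmein", "123456789"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                 for p in _SAMPLE_BREACHED}

# Assumed deployment-specific words (service name, user name) for the
# "context-specific" rule. A real policy would take these from the account.
CONTEXT_WORDS = ["acmecorp", "jdoe"]


def meets_minimum_length(pw: str, minimum: int = 8) -> bool:
    """Both NIST and Cyber Essentials start from an 8-character minimum."""
    return len(pw) >= minimum


def has_repetitive_or_sequential_run(pw: str, run: int = 3) -> bool:
    """True for a run of `run` or more identical characters ('aaa') or of
    consecutive ascending/descending characters ('123', 'cba')."""
    if re.search(r"(.)\1{%d,}" % (run - 1), pw):
        return True
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def contains_context_word(pw: str, context=CONTEXT_WORDS) -> bool:
    """Case-insensitive substring match against deployment-specific words."""
    lowered = pw.lower()
    return any(word.lower() in lowered for word in context)


def is_breached(pw: str, breached=BREACHED_SHA1) -> bool:
    """Hash the candidate and look it up in the (hashed) breached list."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper() in breached


def evaluate(pw: str) -> dict:
    """Run every check. `composition_ok` is what the article calls 'meets
    the recommendations'; `acceptable` additionally requires the breach
    check to pass."""
    results = {
        "length_ok": meets_minimum_length(pw),
        "no_repetitive_or_sequential": not has_repetitive_or_sequential_run(pw),
        "no_context_word": not contains_context_word(pw),
        "not_breached": not is_breached(pw),
    }
    results["composition_ok"] = all(
        results[k] for k in ("length_ok", "no_repetitive_or_sequential",
                             "no_context_word"))
    results["acceptable"] = results["composition_ok"] and results["not_breached"]
    return results


if __name__ == "__main__":
    candidates = _SAMPLE_BREACHED[:5] + [
        "correct-horse-battery-staple",  # constructed: passes every check
        "aaaa1234",                      # constructed: repetitive + sequential
        "jdoe2024!",                     # constructed: contains a context word
    ]
    for candidate in candidates:
        r = evaluate(candidate)
        print(f"{candidate:30s} composition_ok={r['composition_ok']!s:5} "
              f"acceptable={r['acceptable']}")
```

Running it shows the article's point directly: all five dataset passwords come back `composition_ok=True` and `acceptable=False`, because the only rule that catches them is the breached-list check.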

“Whether or not you are required to follow a regulatory standard that includes a compromised password check – this data makes clear that you should be implementing one anyway,” said Darren James, Product Specialist at Specops Software.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news