SANS ISC Reports Surge in Calendar-Year Digits Within Passwords, Underscoring Credential Weaknesses
What Happened — The SANS Internet Storm Center published a follow‑up analysis of passwords collected by its honeypots, showing that numeric year patterns (e.g., “2023”, “1999”) remain highly prevalent in the credentials attackers try. The study notes a measurable shift toward four‑digit year strings, consistent with users appending the current year to satisfy frequent‑change policies.
Why It Matters for TPRM —
- Predictable year‑based passwords increase the success rate of credential‑stuffing attacks against third‑party vendors.
- Organizations that enforce regular password rotation without accompanying length and blocklist guidance may inadvertently amplify this risk: the easiest way to satisfy a rotation prompt is to append or increment the current year.
Who Is Affected — All industries that rely on password‑based authentication for SaaS, cloud, and on‑premise services; especially MSPs, IAM providers, and enterprises with legacy password policies.
Recommended Actions —
- Review and tighten vendor password policies: enforce a minimum length, require mixed‑character sets where the policy already does, and screen new passwords against blocklists of common words and year patterns (NIST SP 800‑63B favors length and blocklist screening over composition rules and mandatory periodic rotation).
- Deploy password‑less or multi‑factor authentication where feasible.
- Conduct periodic credential hygiene audits on third‑party access accounts.
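The two checks above, tallying year patterns in harvested credentials (the kind of analysis the ISC diary performs) and screening new passwords for the same pattern, as one added example. This is illustration code written for this digest, not the ISC's own tooling; the honeypot attempt lines, the `min_len` value and the blocklist are constructed assumptions, and the year window used by `screen_password` is an assumed policy choice, not one taken from the diary.

```python
"""Year-pattern tally over honeypot credential attempts, plus a password screen.

Added example for this digest (not SANS ISC code). Sample data is constructed.
"""
import re
from collections import Counter
from datetime import date

# A standalone four-digit year 1900-2099 that is not part of a longer digit run,
# so "123456" and "1234567890" do not produce false hits.
YEAR_RE = re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)")

# Constructed sample of honeypot login attempts in "user:password" form.
# These are illustrative, not records from the ISC honeypots.
SAMPLE_ATTEMPTS = [
    "root:admin2023",
    "admin:Password2024!",
    "root:123456",
    "ubuntu:summer1999",
    "root:Welcome2023",
    "test:test",
    "admin:qwerty",
    "pi:raspberry2022",
    "root:P@ssw0rd",
    "oracle:oracle2023",
    "root:1234567890",  # long digit run; must not be counted as a year
]


def extract_years(password):
    """Return every standalone four-digit year found in the password."""
    return YEAR_RE.findall(password)


def tally_years(attempts):
    """Return (share of attempts containing a year, Counter of the years seen)."""
    years = Counter()
    hits = 0
    for entry in attempts:
        _, _, pw = entry.partition(":")  # password may itself contain ':'
        found = extract_years(pw)
        if found:
            hits += 1
            years.update(found)
    share = hits / len(attempts) if attempts else 0.0
    return share, years


def screen_password(password, min_len=12,
                    blocklist=("password", "qwerty", "123456"),
                    reference_year=None):
    """Return a list of policy failures; an empty list means the password is accepted.

    min_len, blocklist and the 80-year window are assumed policy values.
    """
    failures = []
    if len(password) < min_len:
        failures.append("too_short")
    lowered = password.lower()
    if any(word in lowered for word in blocklist):
        failures.append("common_word")
    if reference_year is None:
        reference_year = date.today().year
    # Any year from 80 years back to two years ahead is treated as predictable
    # (birth years, graduation years, and "the year I last rotated").
    if any(reference_year - 80 <= int(y) <= reference_year + 2
           for y in extract_years(password)):
        failures.append("year_pattern")
    return failures


if __name__ == "__main__":
    share, years = tally_years(SAMPLE_ATTEMPTS)
    print(f"{share:.0%} of attempts contain a four-digit year")
    for year, count in years.most_common():
        print(f"  {year}: {count}")
    for candidate in ("Welcome2023", "Password2024!", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate) or "accepted")
```

The tally is the measurement you can run against your own SSH or RDP honeypot logs (or a vendor's breached-credential feed) to see whether the trend the ISC reports holds for your population; the screen is the control that stops new year-suffixed passwords from entering a vendor-facing directory in the first place.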
Technical Notes — The analysis is based on passive collection from multiple honeypot deployments; no CVEs or direct exploits are cited. The data highlights a behavioral trend rather than a technical vulnerability. Source: SANS ISC Diary – Number Usage in Passwords: Take Two