Password danger is escalating with no ceiling in sight!

Password problems will still plague every organisation

A combination of bad employee behaviour and dark web data spells trouble for businesses! From SMBs to giant multinationals, it doesn’t matter how high-flying a company is; unfortunately, password problems will still plague it.

The struggle to get users to make good, strong, unique passwords and keep them secret is real for all organisations and IT professionals. It can be hard to demonstrate to users just how dangerous their bad password can be to the entire company, even though an estimated 60% of data breaches involved the improper use of credentials in 2020. There’s no rhyme or reason as to why employees create and handle passwords unsafely, and no profile that IT teams can quickly look at to determine that someone might be an accidental credential compromise risk. Employees of every stripe are unfortunately drawn to making awful passwords and playing fast and loose with them – and that weakness doesn’t look like it’s going away anytime soon.

Everyone is managing too many passwords

The average adult has an estimated 100 passwords floating around that they’re using. That’s a bewildering tangle of passwords to manage. The global pandemic helped put even more passwords into circulation as people either working from home or on furlough created an abundance of new online accounts. According to the conclusions of a global study conducted by Morning Consult for IBM, people worldwide created an average of 15 new online accounts, per person, during the main thrust of the pandemic.

Many of those logins were compromised from the start thanks to abundant dark web data. An estimated 15 billion unique logins are circulating on the dark web right now. In 2020 alone, security professionals had to contend with a 429% increase in the number of corporate login details with plaintext passwords exposed on the dark web. That dramatic increase in risk per user comes back to haunt businesses. The average organisation is now likely to have about 17 sets of login details available on the dark web for malicious actors to enjoy. That number is only going to continue to grow thanks to events like this year’s giant influx of fresh passwords from the RockYou 2021 leak.

Employees are dedicated to making bad passwords

Research by the UK’s National Cyber Security Centre (NCSC) shows that employees will choose memorability over security when making a password every time. Their analysts found that 15% of people have used their pet’s name as their password at some point, 14% have used the name of a family member, 13% have used a significant date, such as a birthday or anniversary, and another 6% have used information about their favourite sports team as their password. That makes the criminals’ job easy even if they’re trying to directly crack a single password. After all, those users have probably told them everything that they’d need to know to do the job in their social media profiles.

US companies aren’t any better off. In fact, their bad password problems are just a little bit worse. 59% of Americans use a person’s name or family birthday in their passwords, 33% include a pet’s name and 22% use their own name. We can’t chalk that blizzard of bad passwords up to ignorance of good password habits, because even employees who know better are slacking on password safety. Over 90% of participants in a password habits survey understood the risk of poor password hygiene, but 59% admitted to still engaging in unsafe password behaviours at work anyway.

Password sharing is rampant

Worse yet, employees are also sharing their passwords with other people at an alarming rate, even if the people they’re sharing a password with don’t work at the same company. Over 30% of respondents in a Microsoft study admitted that their organisation had experienced a cyber security incident as a result of compromised user credentials that had been shared with people outside their companies.

  • 43% of survey respondents have shared their password with someone in their home
  • 22% of employees surveyed have shared their email password for a streaming site
  • 17% of employees surveyed have shared their email password for a social media platform
  • 17% of employees surveyed have shared their email password for an online shopping account

Based on analysis of the top 250 passwords uncovered by Dark Web ID’s exposed-credential search function, the weakest passwords of 2020 were built from these categories of information: Names, Sports, Food, Places, Animals and Famous People/Characters.

The most common passwords spotted by Dark Web ID by category

Names: maggie
Sports: baseball
Food: cookie
Places: Newyork
Animals: lemonfish
Famous People/Characters: Tigger

Top 20 most common passwords that Dark Web ID found on the dark web in 2020

123456
password
12345678
12341234
1asdasdasdasd
Qwerty123
Password1
123456789
Qwerty1
:12345678secret
Abc123
111111
stratfor
lemonfish
sunshine
123123123
1234567890
Password123
123123
1234567

Every organisation in every industry is in password trouble

No industry is immune to the powerful lure of terrible password habits, especially that perpetual favourite, password recycling and iteration. In a study of password proclivities, researchers determined that some sectors did have a little more trouble with passwords than others, though. The telecommunications sector had the highest average number of leaked employee credentials at 552,601 per company. The media industry had the highest password reuse rate at 85%, followed by household products (82%), hotels, restaurants & leisure (80%), and healthcare (79%).
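As an added example (not code from the article, from NetUtils or from Dark Web ID), the Python check below screens a candidate password against a denylist built from the Top 20 and per-category lists quoted above, normalising away the appended digits that password iteration relies on, and flags personal details of the kind the NCSC research describes. The minimum length and the caller-supplied personal-info words are assumptions.

```python
import re
from typing import Iterable

# Constructed from the Top 20 and per-category lists quoted in the article.
DARK_WEB_TOP_20 = [
    "123456", "password", "12345678", "12341234", "1asdasdasdasd",
    "Qwerty123", "Password1", "123456789", "Qwerty1", ":12345678secret",
    "Abc123", "111111", "stratfor", "lemonfish", "sunshine",
    "123123123", "1234567890", "Password123", "123123", "1234567",
]
CATEGORY_PICKS = ["maggie", "baseball", "cookie", "Newyork", "lemonfish", "Tigger"]
MIN_LENGTH = 8  # assumed floor; NIST SP 800-63B's minimum for user-chosen secrets


def normalise(pw: str) -> str:
    """Reduce a password to its base word so the 'iteration' habit
    (Password1 -> Password123 -> Password2022!) collapses to one entry."""
    base = pw.strip().lower()
    base = re.sub(r"^[^a-z0-9]+|[^a-z0-9]+$", "", base)  # drop edge punctuation
    if re.search(r"[a-z]", base):            # leave all-digit strings intact
        base = re.sub(r"\d+$", "", base)     # strip the appended counter
    return base


def build_denylist(*sources: Iterable[str]) -> set:
    """Normalise every source entry so both sides of the comparison match."""
    return {normalise(p) for src in sources for p in src}


DENYLIST = build_denylist(DARK_WEB_TOP_20, CATEGORY_PICKS)


def screen_password(candidate: str, personal: Iterable[str] = ()) -> list:
    """Return the reasons a candidate fails, or [] if it passes.
    `personal` holds the words the NCSC found people reuse (pet, family
    name, significant date, team); the caller supplies them, e.g. from HR data."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("too_short")
    if normalise(candidate) in DENYLIST:
        reasons.append("known_breached_or_iteration")
    lowered = candidate.lower()
    if any(len(p) >= 3 and p.lower() in lowered for p in personal):
        reasons.append("contains_personal_info")
    return reasons
```

Because both sides are normalised, "Password2022!" and "Qwerty1" are rejected even though neither string appears verbatim in the list.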

A trove of exposed data about Fortune 1000 companies on the dark web was uncovered by researchers earlier this year, including passwords for 25.9 million Fortune 1000 corporate user accounts. Digging deeper, they also unearthed an estimated 543 million employee credentials from Fortune 1000 companies circulating on commonly used underground hacking forums, a 29% increase from 2020. Altogether, they were able to determine that 25,927,476 passwords that belong to employees at Fortune 1000 companies are hanging out on the dark web. That’s an estimated 25,927 exposed passwords per Fortune 1000 company, marking a 12% increase in password leaks from 2020.

Busted credentials are plentiful on the dark web

If data is a currency on the dark web, then credentials are solid gold. Credentials were the top type of information stolen in data breaches worldwide in 2020 (personal information took second place, just over financial data in third), and bad actors didn’t hesitate to grab batches of credentials from all over the world. Cyber criminals snatched them up in about 60% of North American breaches, 90% of APAC region breaches and 70% of EMEA breaches. Researchers disclosed that the average company experiences 5.3 credential compromises that originate from a common source like phishing every year, a number that should give every IT professional chills.

An abundance of records on the dark web has spawned an abundance of passwords for cyber criminals to harvest, and that’s bad news. Giant password dumps on the dark web like the 100GB text file dubbed RockYou2021 have ratcheted up risk too. That giant dump of data is estimated to contain 8.4 billion passwords. Bad actors make use of that bounty quickly and effectively.
In the aftermath of an enormous 2020 hack, ShinyHunters breached the security of ten companies in the Asian region and brought more than 73 million user records to market on the dark web. A group like ShinyHunters will of course try to profit by selling that stolen data at first, but when the data has aged or there are no interested buyers, cyber criminals will just offload it in the vast data dumps of the dark web, making it available for anyone to sift through.

Protect your business from password danger quickly & affordably

With our support we can discover if any of your employees’ reused passwords have been exposed on the dark web so that you can change them right away. Schedule a demo today!

What next?

Get your free scan

Ask us to use our certified dark web monitoring tool to perform a non-invasive scan of your company’s domain and produce a PDF report that will highlight any compromised credentials.

Malcolm Orekoya,
Chief Technology Officer, NetUtils

About NetUtils

Our customers aren’t guinea pigs. When we recommend a solution, you can be sure it’s been tried, tested and trusted. Our 28-year heritage comes with over 450 years of collective experience in a million-pound team of industry leading specialists, experienced in working with businesses just like yours. Whether your problem is small or large, we’re happy to help and have a range of managed service bundles to suit every budget.
