Are Pwned Passwords Putting Your Business at Risk?

Cyber-threats are constantly evolving, but one vulnerability stays constant – employees. Employee negligence involving passwords is the cause of many data breaches. Here are some common bad password habits prevalent in many organizations today:

The use of default, weak or compromised passwords: Users are accumulating more and more passwords, and many of the recent breaches are the direct result of their compromise. The Verizon 2019 Data Breach Investigations Report found that 80% of hacking-related breaches leveraged weak and compromised passwords. Another worrying statistic was revealed in Google’s New Research: Lessons from Password Checkup in action: 316,000 of users were utilizing already compromised passwords.

Password sharing: According to this survey of 1507 American users, 34% of respondents said they share passwords or accounts with their coworkers. This means one third of American workers may be sharing passwords. The main reason for password sharing as cited in the survey is the ability to collaborate better. However, it opens the door to a host of problems. Not only do you lose sight of who has access to what systems, but also what each individual is doing with the information. Worse yet, users could still have access to systems using shared credentials after they have left the organization. To discourage password sharing, organizations should provide tools for employees to collaborate easily and safely.

Password reuse: Password reuse across multiple systems heightens this attack vector. If we take a look back at publicized breaches, it becomes evident that credential theft accompanied by passwords are often the culprit. For example, the 2012 Dropbox breach was caused by one careless employee that had used their LinkedIn password (that suffered a breach earlier in the year) for their corporate Dropbox account. This led to the theft of 60 million user credentials. With password reuse, it only takes one compromised password to lead to a company breach. This is why it is so important, now more than ever, to block the use of compromised passwords in business systems.

Password Best Practices

To protect your organization from various attacks, you must implement technical controls that will improve your employee’s poor password habits. Here are some best practices to consider:

Educate employees – what they don’t know CAN hurt them: Even the best technologies can’t protect your data if your employees continue to engage in insecure practices. To help employees practice safer password habits, schedule on-going training to educate employees on the latest security threats and what they could do to prevent security attacks. Security-conscious employees are better at recognizing threats and taking responsibility in defending threats. The training should be completed by all new employees, and followed-up with periodic training on an annual basis. Moreover, if your organization is bound to compliance standards, the training should be designed with those requirements in mind. The topics should help users identify potential threats, such as phishing, and social engineering, as well as the steps to take when something seems suspicious.

Move beyond a single point of vulnerability with MFA: Passwords on their own are fallible. NCSC recognizes the weaknesses of passwords and urges organizations to implement multi-factor authentication (MFA) for online services as well as IT administrator accounts. MFA is a combination of something you know (i.e. password) with an additional factor, such as something you have (i.e. mobile device), and something you are (i.e. fingerprint). MFA is effective in restricting access since obtaining additional factors creates a hurdle for hackers. Not only should organizations implement MFA for all systems, but they should incorporate it in the password reset process.

Use a password blacklist – don’t give them a chance to pick bad passwords: A password blacklist is a list of disallowed passwords consisting of common and compromised passwords. It improves security as it prevents hackers from exploiting weak passwords. Some people build password blacklists using leaked passwords from previous breaches, others simply use a password blacklisting service that is continuously updated. Password blacklists vary widely in size, anywhere from only a few dozen common passwords to billions of compromised passwords. The NCSC released a list of the 100,000 most common passwords in April 2019. It’s subjective to debate whether or not a blacklist of 100,000 is sufficient to defend against attacks. Ultimately, your organization will have to decide what number strikes the right balance between blocking common passwords and avoiding user frustration.

So How Bad is the Problem?

Now that we know passwords can put your organization at risk, it’s time to act. This free tool scans and finds accounts using weak and compromised passwords in your organization. The tool provides a full view of the administrator accounts in an organization’s domain. Available free reports include:

  • Accounts using compromised passwords
  • Accounts with expired passwords
  • Accounts with password expiration approaching
  • Accounts using identical passwords
  • Accounts not requiring passwords
  • Accounts without a minimum password length requirement
  • Stale/inactive admin accounts

More than 400 organizations used the tool and found shocking results. A few examples are listed below:

  • Healthcare: 25% of passwords were leaked in a public sector organization with 5000 employees
  • Manufacturing: 25% of passwords were leaked in a manufacturing company with 60,000 employees
  • IT service provider: 35% of passwords were leaked in an IT company with 150 employees

Want to find out how many of your employees are using pwned passwords? Click here for your free audit.

Brought to You by

What’s Hot on Infosecurity Magazine?