300Bn Passwords in 2020 = $6 Trillion in Damages

Account compromise continues to grow as top infosecurity issue: The total number of user and privileged accounts that will be at risk, including a combination of human and machine passwords, will surpass 300 billion passwords by 2020. 

That’s according to a report from Thycotic and Cybersecurity Ventures on password security, which found that the amount of cybercrime damages stemming from this could reach up to $6 trillion by 2021.

While there is clearly a margin of error for the forward predictions based on several variables—most notably the number of Internet of Things (IoT) devices—Cybersecurity Ventures and Thycotic believe that the password attack surface will inevitably grow by an order of magnitude over the next four years.

“Any IoT device that has an interface will have a password protecting the interface that allows it to be configured,” said Joseph Carson, a Thycotic cybersecurity expert. “Plus, any Bluetooth-capable device like wearables will use a PIN for a passcode.”

Based on a very conservative estimate of one password per machine, the report estimates 200 billion machine passwords will need to be secured by 2020. The other 100 billion in the forecast are attributable to more traditional human-run accounts.

In 2016 alone, more than 3 billion user credentials and passwords were stolen, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second. Much of this stems from security fatigue—a phenomenon that includes users being tired of remembering user names, passwords and PIN numbers; frustration in navigating multiple security measures; and account lockouts due to incorrectly entered passwords. The study also found that users believe safeguarding data is someone else’s responsibility, and users questioned how they could effectively protect their data when large organizations frequently fall victim to cyber-attacks.

 “It is a very scary truth that everyone, especially those running businesses, should be aware of,” said Carson. “Our passwords are not safe, which is concerning as they are literally the key to some of the most important information that businesses hold.”

He added that privileged account passwords especially are prime targets for hackers, for good reasons.

“One privileged account password breach can allow a hacker to access and steal the credentials and passwords belonging to every employee in a company,” Carson explained.

As an example of the type of opportunities for passwords being compromised, the report shows that companies on the Fortune 500 list in 2015, employed a combined 27 million people—a number which has since grown. Thycotic experts estimate that these employees in 2020 will have an average of 90 accounts (combination of business and personal) requiring login IDs and passwords. That would put the total number of passwords belonging to Fortune 500 employees at 5.4 billion in 2020.

While employees have their own login credentials—there’s a proportionately small number of privileged users (typically IT and system administrators) who each have access to hundreds, and sometimes thousands, of login IDs and passwords. Approximately five percent of Fortune 500 employees are privileged users, putting the number of people with privileged account access at 1.35 million.

 “As the total universe of passwords will likely grow to 300 billion by 2020, organizations across the world face an enormously growing cybersecurity risk from hacked or compromised user and privileged accounts,” said Steve Morgan, editor-in-chief, Cybersecurity Ventures. “We felt it was extremely important to team up with an industry leader, such as Thycotic, to bring awareness to the tremendous vulnerability everyone is at risk for as the number of passwords continues to grow. This report will help to assist cyber defenders and educate the broader global community through a statistical analysis of the massive password expansion and associated challenges that lie ahead of us in the years to come.”

What’s Hot on Infosecurity Magazine?