LinkedIn Breach: Weak Passwords Are the Norm

2016 brought massive password dumps, resulting from the highly publicized Yahoo and LinkedIn breaches that exposed millions of users’ passwords, both publicly and for sale on the dark web. Research has revealed that about 35% of the leaked LinkedIn passwords were already present in previously published password dictionaries, meaning an attacker could have guessed them from a wordlist alone, and any other account protected by the same password is exposed along with it.

Researchers at Preempt, a behavioral firewall company, examined the LinkedIn credentials and also found that 65% of the leaked passwords can be cracked easily by brute force using standard off-the-shelf cracking hardware.

The study also looked at general password intelligence and found that the password rules many enterprises employ still allow users to create weak passwords that are easily cracked, and that many individuals use the same password for multiple accounts, signaling a password-reuse epidemic across organizations and their users.

“One thing is certain, any person that used the same password for LinkedIn as they did for their work account (or other account), is currently vulnerable within these other accounts,” said Preempt researcher Eran Cohen, in a blog. “Unfortunately, there are many users that don’t make that connection. Their LinkedIn account was breached, so they just change their LinkedIn password, not realizing that if they are using that same password elsewhere, they are actually exposed in all of those places as well. For IT security teams, this is an unknown vulnerability they have to deal with.”

Overall, the examination showed that low-complexity passwords can be cracked in less than a day, medium-complexity passwords in less than a week and high-complexity passwords in less than a month.

“Users reuse passwords. They rotate them. Add a digit to them. And even use identical passwords or share passwords with others,” said Cohen. “As data scientists, it is our job to go deeper, and identify the common human behavior. For example, we’ve seen how local culture impacts passwords, where local football team names are commonly used as passwords. The problem is that only about 1% of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.”

To reduce the exposure, the researchers recommend that companies enforce a password policy covering complexity and expiration; require longer passwords (8 characters is bad, 10 is acceptable, 12 is good); deploy a context-based solution that trains users and enforces the policy based on their activity; add additional authentication factors; and educate employees not to share passwords with colleagues or reuse their work password on cloud services. Users should also avoid simple patterns, personal data and common words, and should not recycle an expired password, including the common shortcut of keeping the old password and just incrementing a trailing number (what the researchers call enumeration).