Passwords pose a problem—perhaps now more than ever before—for both individuals and for the businesses they interact with or are employed by. A sweeping 2018 study of nearly 30 million users and 61.5 million passwords highlights some serious password shortcomings. The results should prompt all organizations to think more carefully about proper password education and requirements.
The Problem
It doesn't take an elaborate study to uncover the problem with passwords. They're a pain to remember, period! The average person typically has dozens of different password-protected accounts, and what's more, we're being asked to make them increasingly complex (for our own good, of course, but it doesn't make life any easier).
Yet leaked passwords from data breaches remain a major cybersecurity risk. For example, when an Equifax, Yahoo, or Ashley Madison is breached, attackers may make publicly available sensitive information such as user passwords. Obviously, this represents a risk in terms of what information may be gained from the breached account.
There's an additional risk from the same attackers or others using the same or slightly modified passwords to compromise accounts at other services. This can ultimately lead to another data breach at additional online services. It's a slippery slope.
Consider, for instance, the December 2017 news of a database containing 1.4 billion plain text passwords on the dark web. While this list was downplayed by some as nothing more than a consolidation of well-known data breach information, others pointed out that this access to compromised account information made it easier for bad actors and hackers to put other accounts and organizations at risk.
The Study
Attempting to gauge the full scale of the problem, members of Virginia Tech's Computer Science department examined a dataset of 28.8 million users and their 61.5 million passwords in 107 services over 8 years. The findings, published by the Association of Computing Machinery this month, are unnerving:
- 52% of users reused or only slightly modified passwords
- 38% of the 28.8 million users had used the same password for two different services
- Shopping and email sites, among the more sensitive online services, "received the most reused and modified passwords." Shopping had the highest ratio (> 85%) with email in second place (> 62%)
- Users would still reuse already-leaked passwords for years after a data breach. More than 70% continued to use the same password a year after the leak!
Still, the most shocking study finding was that it would take less than 10 guesses to crack more than 16 million password pairs. Even modified passwords, which are typically more complex, could be guessed 30% of the time within 10 attempts (and 46.5% of the time within 100 attempts). The authors concluded, "password modification patterns are highly consistent across various user populations, allowing attackers to quickly guess a large number of passwords with minimal training."
The Solution
We've said it before but can never say it enough — educate your network users and employees about the risk. This might be a companywide initiative to encourage greater security awareness among consumers of your online services. Plus, employee education is essential. With less than half of companies requiring cybersecurity training, it's not that surprising that many data breaches are the result of employee error or negligence (not to mention ill intent).
Here are some key points to hit when talking to your people about passwords. Especially for remote workers, that work from home.
Keep up to date. When asked to update a password — do it. Warn them against opting out because they don't want to have to remember a new combination of words or letters. Maybe you can suggest they think about learning the new password as a brain teaser that will help offset adult dementia.
81% of 2017 hacking-related breaches involved stolen or weak credentials.
Individualize passwords. Encouraging your employees to stop reusing passwords, or slightly modified passwords, across several sites can help prevent data breaches. Explaining that the cyberattacker may use big data and algorithms to crack passwords based on breached credentials may help them to see the importance of taking this preventative measure.
9 out of 10 login attempts on many web and mobile applications are made by cybercriminals using automation to rapidly test millions of credentials.
Use secure devices and networks only. No matter how complex and individualized the password, if the individual is entering his credentials on a public access network it's a risk. Someone may think she is being proactive by checking her work email while in line for coffee and using the cafe's free wifi, but it's surprisingly easy for someone to steal usernames and passwords for people on a shared network.
Don't be dumb. You may want to phrase it differently, but it's truly shocking how many people continue to use "123456" or "password" as their passwords. Even "Letmein" was no. 11 on a 2016 list of the most common passwords. Along the same "don't be stupid" lines, discourage employees from writing their passwords down on post-it notes that they leave on their desks (or, maybe if feeling particularly conscientious, in their top desk drawer).
Tip: Use account lockout, allowing users a set number of login attempts only, and protective monitoring to identify possible brute-force attacks.
RedTeam helps businesses identify vulnerabilities in networks, applications and infrastructure and can help you outline a path to making security a priority within your organization. We highly recommend bootcamp training for all employees to address the need for:
- Awareness of potential threats
- Protecting against inadvertent errors
- Guarding personal information
- Showing caution on social media
- Keeping software and security patches up-to-date
- Responding quickly to incidents
Schedule a consultation with our team today and get started down the path toward a stronger security posture. Or, click below and we'll get to work on a proposal for you immediately.
10-Point Offensive Security Checklist
Download Free Resource Download Free Resource