New cybersecurity threats are continuously emerging in light of our increasingly connected world, AI, 5G, and other enterprise trends. In this ever-changing landscape, there is one constant: passwords remain the primary authentication method for accessing corporate systems and applications—and employees are notorious for utilizing pwned passwords.
The use of pwned passwords, or passwords that have been previously exposed in data breaches, significantly increases security vulnerability as cybercriminals can easily access compromised credentials via the Dark Web and utilize this information to infiltrate corporate accounts. This problem is compounded by password reuse, another prevalent example of poor employee security hygiene.
91% of respondents in a recent survey acknowledge that reusing passwords across multiple work and personal related accounts introduces significant security vulnerabilities. Yet 59% admit to doing it anyway. They are ambivalent about the risk of pwned passwords.
The 2012 Dropbox breach, in which hackers obtained encrypted passwords for more than 68 million accounts, is an example of how devastating the effects of password reuse can be. As Dropbox put it in a blog post, “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.”
The long-awaited Disney+ launch also exposed the risks with password reuse. An investigation found that less than 48 hours after launch, thousands of exposed Disney+ passwords and accounts were already for sale. Bad actors were able to access Disney+ accounts because so many of its users recycled passwords from their accounts on other sites, on their Disney+ account.
With new breach data coming to light on a daily basis, guarding against the use of pwned passwords requires constant vigilance.
As Enzoic’s CEO, Michael Greene, stated in a Channel Futures article, “I recently spoke with a company that discovered that 4% of its uncompromised credentials become compromised within one month and this happened month over month.”
So, what should organizations do to eradicate the use of pwned passwords?
- Educate employees: Making password best practices a part of employee onboarding and ongoing training initiatives can help instill better security hygiene and discourage the use of weak passwords, password reuse, and password sharing.
- Adopt additional authentication measures: Two-factor authentication (2FA), adaptive authentication and biometrics are examples of additional authentication methods—check out our recent post on the benefits and drawbacks of these technologies here.
- Check for pwned passwords: NIST password guidelines recommend that organizations should verify that passwords are not compromised before they are activated, and also monitor them on an ongoing basis. For many organizations, automating this process is critical because of limited IT and security staffing.
The latter is the most crucial step companies can take in the fight against pwned passwords, as it essentially circumvents poor employee security practices.
To quote Michael Greene’s Channel Futures article again, “It’s unrealistic for companies to expect password reuse to change on its own, but it’s also untenable for them to continue to allow the use of exposed credentials.”
By continuously screening all corporate passwords against our proprietary database of exposed credentials, Enzoic helps companies ensure pwned passwords remain where they belong—on Dark Web lists but never in use for enterprise systems and applications.