There are currently billions of leaked records circulating on the Dark Web. The most notable mega leak, known as Collection #1-5, includes 1.2 billion unique email address and password combinations, 773 million unique email addresses, and 21 million unique plaintext passwords in its first collection alone. Mega leaks affect not only the breached organization, but every other ecosystem that shares the same user base. Their sheer size offers even an unskilled attacker an easy trial-and-error route into various sites and systems.
The danger of breached passwords
Breached passwords fuel attacks that leverage stolen credentials to gain unauthorized access, such as credential stuffing. Credential stuffing is an attack in which automated bots replay leaked username and password pairs against the login pages of many unrelated sites, hoping that the same pair unlocks an account there too. Many tools that require no programming skills are readily available online, encouraging anyone looking to make a quick buck to try it.
Credential stuffing has a 1-3 percent success rate because people reuse passwords and change them infrequently. That is why even older credential lists still yield some success. LinkedIn's notable 2012 breach led to secondary compromises for years afterward, such as the Dropbox hack: a Dropbox employee had reused a password compromised in the LinkedIn breach, allowing the attackers to gain unauthorized access to Dropbox's corporate network.
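The pattern described above is visible in authentication logs: a human who mistypes a password retries the same account, while a stuffing bot walks a combo list and spreads a high failure rate across many different usernames from one source. The following is an added example, not code from the original article or from Specops, that scores constructed log lines (the log format, the IP addresses and the usernames are all hypothetical) per source IP and flags the stuffing source. It also lists the accounts that succeeded from a flagged source, since those are the ones to reset first.

```python
import re
from collections import defaultdict

# Constructed sample of authentication log lines in a hypothetical format:
# "<timestamp> <source IP> <username> <OK|FAIL>". Not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 203.0.113.7 alice FAIL
2024-03-01T10:00:01Z 203.0.113.7 bob FAIL
2024-03-01T10:00:02Z 203.0.113.7 carol FAIL
2024-03-01T10:00:02Z 203.0.113.7 dave FAIL
2024-03-01T10:00:03Z 203.0.113.7 erin FAIL
2024-03-01T10:00:03Z 203.0.113.7 frank OK
2024-03-01T10:00:04Z 203.0.113.7 grace FAIL
2024-03-01T10:00:04Z 203.0.113.7 heidi FAIL
2024-03-01T10:05:10Z 198.51.100.23 alice FAIL
2024-03-01T10:05:25Z 198.51.100.23 alice FAIL
2024-03-01T10:05:40Z 198.51.100.23 alice OK
2024-03-01T10:07:00Z 192.0.2.5 bob OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Yield (timestamp, ip, username, success) tuples; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, user, result = m.groups()
            yield ts, ip, user, result == "OK"


def detect_stuffing(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that try many distinct usernames and fail most of the time.

    Returns a list of findings sorted by failure ratio, highest first. Each
    finding carries the successful usernames seen from that source, because a
    login that succeeded in the middle of a stuffing run is a likely compromise.
    """
    events = list(events)  # the input may be a generator; we iterate it twice
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for _ts, ip, user, success in events:
        stats = per_ip[ip]
        stats["attempts"] += 1
        stats["failures"] += 0 if success else 1
        stats["users"].add(user)

    findings = []
    for ip, stats in per_ip.items():
        fail_ratio = stats["failures"] / stats["attempts"]
        if len(stats["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            findings.append({
                "ip": ip,
                "attempts": stats["attempts"],
                "distinct_users": len(stats["users"]),
                "fail_ratio": fail_ratio,
                "compromised": sorted(u for _t, i, u, ok in events if i == ip and ok),
            })
    return sorted(findings, key=lambda f: f["fail_ratio"], reverse=True)


if __name__ == "__main__":
    for f in detect_stuffing(parse_log(SAMPLE_LOG)):
        print(f"{f['ip']}: {f['distinct_users']} usernames, "
              f"{f['fail_ratio']:.0%} failures, successes={f['compromised']}")
```

The thresholds are deliberately conservative: the retrying user at 198.51.100.23 is not flagged because all attempts target one account. Per-source counting is only a first cut; stuffing tools rotate through proxy pools, so in practice the same scoring is also applied per username and per user agent, and to the overall ratio of failures to successes over a time window.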
Password reuse is a serious problem that plagues most organizations. According to a recent survey of 1,353 respondents, 31% use the same password for streaming sites as they do for other 'more sensitive' accounts, such as online banking. It is likely that your own corporate network has users reusing these breached passwords from personal-use sites.
Not only can breached passwords lead to endless secondary breaches, they can also result in the following consequences, according to Ponemon Institute's The Cost of Credential Stuffing Report:
- Application downtime from large spikes in login traffic
- Costs to remediate compromised accounts
- Lower customer satisfaction
- Fraud-related financial losses
- Lost business due to customers switching to competitors
- Damaged brand equity from news stories or social media
To put it in financial terms, the average cost of a breach caused by compromised credentials is $4.77 million, about $1 million more than the average breach.
Top tips to keep breached passwords out
People will continue to use weak and breached passwords such as "123456," "qwerty" or "Giants," and reuse them across corporate and personal websites. Credential attacks will plague organizations that don't take basic steps to counter them. Since we clearly cannot rely on users to make wise password selections, it is time for IT departments to intervene. Here are a few tips to protect your organization against bad passwords.
Provide ongoing cybersecurity user training
Even the best technologies can't protect your data if your employees continue to engage in insecure practices. To help employees practice safer password habits, schedule ongoing training that covers the latest security threats and what they can do to prevent attacks. Security-conscious employees are better at recognizing threats and at taking responsibility for defending against them. The training should be completed by all new employees and followed up with periodic refresher training at least annually. If your organization is bound by compliance standards, design the training with those requirements in mind. The topics should help users identify potential threats, such as phishing and social engineering, as well as the steps to take when something seems suspicious.
Audit user passwords regularly
Unfortunately, the built-in Active Directory policies don’t stop users from making poor password choices so it is best to regularly audit existing passwords to check for vulnerabilities. Specops Password Auditor (Free Tool) detects security weaknesses specifically related to password settings. By scanning your Active Directory, the tool collects and displays multiple interactive reports containing user and password policy information, such as accounts using passwords leaked from major breaches, accounts with expiring/expired passwords, stale admin accounts and more.
Block common and breached passwords
When a leak occurs, many other ecosystems are endangered because of the tendency to reuse passwords. Once a reused breached password is identified in your Active Directory, it is important to block it immediately. The Breached Password Protection service included in this Active Directory password filter checks your user passwords against a continuously updated list of over 2 billion leaked passwords and blocks any password found in the list. Some of the breaches included in Breached Password Protection are:
- MySpace (359 million)
- LinkedIn (164 million)
- Dubsmash (162 million)
- MyFitnessPal (143 million)
- MyHeritage (92 million)
- Dropbox (68 million)
- ShareThis (41 million)
- HauteLook (28 million)
- Animoto (22 million)
- 500px (15 million)
- Whitepages (11 million)
- Armor Games (11 million)
- Fotolog (10 million)
- BookMate (3.8 million)
- Adult Friend Finder (3.8 million)
The tool also tells end users why they can no longer use a password, making it easy for organizations to keep out vulnerable passwords without sacrificing usability. Click here to request a 30-day free trial.
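To make the two mechanisms in the audit and blocking sections above concrete, here is an added example that is not Specops' code and does not describe how its products are implemented. It shows the two checks a practitioner builds: a change-time password filter that rejects a candidate found in breach data and tells the user why, and a directory audit that works from stored hashes only, reporting accounts whose hash is in the breach corpus and groups of accounts that share one hash (password reuse). The breach corpus, account names and passwords are constructed for the example. `range_lookup` is an offline stand-in for the real Have I Been Pwned range endpoint (`https://api.pwnedpasswords.com/range/<first five hex chars>`), which returns `SUFFIX:COUNT` lines so that the full hash never leaves the client. One caveat is in the code: Active Directory stores NT hashes, so a real audit compares those against an NTLM-format list rather than the SHA-1 used here.

```python
import hashlib
from collections import defaultdict

# Constructed breached-password corpus for the example. A real deployment would
# use the full Pwned Passwords list or a vendor feed such as the one described above.
BREACHED_PASSWORDS = ["123456", "qwerty", "password", "Giants", "linkedin2012"]


def sha1_upper(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords SHA-1 list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index hashes by their first five hex characters, as a range lookup returns them."""
    index = defaultdict(dict)
    for p in passwords:
        h = sha1_upper(p)
        bucket = index[h[:5]]
        bucket[h[5:]] = bucket.get(h[5:], 0) + 1
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def range_lookup(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Only the 5-character prefix leaves the client; the caller matches the
    remaining 35 characters locally (k-anonymity), so the full hash is never sent.
    """
    return [f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, {}).items()]


def hash_breach_count(sha1_hex):
    """How many times a SHA-1 hash appears in the breach corpus (0 if absent)."""
    sha1_hex = sha1_hex.upper()
    prefix, suffix = sha1_hex[:5], sha1_hex[5:]
    for line in range_lookup(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def password_filter(candidate, min_length=12):
    """Decision a password filter makes at change time: (accepted, reason shown to the user)."""
    count = hash_breach_count(sha1_upper(candidate))
    if count:
        return False, f"this password appears in known breach data ({count} occurrence(s))"
    if len(candidate) < min_length:
        return False, f"password must be at least {min_length} characters"
    return True, "accepted"


def audit_accounts(accounts):
    """Audit (account name, stored hash) pairs without knowing any plaintext.

    Caveat: Active Directory stores NT hashes (MD4 over UTF-16LE), so a real
    audit compares those against an NTLM-format breach list; SHA-1 is used
    here only to keep a single hash function for the whole example.
    """
    breached = []
    by_hash = defaultdict(list)
    for name, stored_hash in accounts:
        stored_hash = stored_hash.upper()
        by_hash[stored_hash].append(name)
        if hash_breach_count(stored_hash):
            breached.append(name)
    # Two accounts with the same hash have the same password: reuse, often a
    # person's own password copied onto a service account.
    shared = {h: names for h, names in by_hash.items() if len(names) > 1}
    return {"breached": breached, "shared": shared}


# Constructed directory extract (hypothetical accounts and passwords).
SAMPLE_ACCOUNTS = [
    ("alice", sha1_upper("Giants")),
    ("bob", sha1_upper("C0rrect-Horse-Battery!")),
    ("svc_backup", sha1_upper("C0rrect-Horse-Battery!")),
    ("dana", sha1_upper("123456")),
]

if __name__ == "__main__":
    for pw in ["Giants", "Short1!", "C0rrect-Horse-Battery!"]:
        print(pw, password_filter(pw))
    print(audit_accounts(SAMPLE_ACCOUNTS))
```

The filter checks breach data before length on purpose: a long password that is in a leak is still a known password, and the reason string is what the user sees, so it names the real problem. In the audit, `shared` is as actionable as `breached`; the service account sharing bob's password inherits every compromise of bob's personal accounts.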