Passwords, long a weakness in the tapestry of defenses designed to keep enterprises and individuals more secure, continue to be a problem due in large part to the same issue that has haunted them for years: the users themselves.
In a report released today, SpyCloud researchers found that despite the growing sophistication of bad actors and the headlines surround cyberattacks, many users continue to use poor hygiene when it comes to passwords, including using the same or similar passwords for multiple accounts or weak or common passwords.
In addition, more than two-thirds of passwords that have been breached in previous years are still in use, according to the 2022 SpyCloud Identity Exposure Report. The company found that 64 percent of consumers repeat passwords for more than one account and 70 percent of passwords that have been compromised are still in use.
The data in SpyCloud’s report dovetails with what other cybersecurity vendors are seeing. Lookout recently published a list of the passwords that are most commonly found on the dark web, with the top four being 123456, 123456789, Qwerty and Password.
Passwords have long been an issue in security, particularly as more work and business is being done online. Consumers now can have more than 100 accounts in work and personal lives that need passwords. The rapid shift to remote work brought on by the COVID-19 pandemic has only accelerated that trend. Most people will not only continue to work from home at least part of the time even as the pandemic lifts but have also gotten used to doing more of their personal business online.
Such reports as those from SpyCloud and Lookout only add to fuel to the argument being made by some vendors – with Microsoft among the leaders – that passwords should be dropped in favor of a number of other alternatives, such as biometric technology (such as fingerprint or eye scans), security keys, authentication apps or verification codes that are sent to a mobile device or email.
“At a basic level, everyone understands the logic at least behind picking a complicated, hard-to-guess password when you register for an account,” David Endler, co-founder and chief product officer of SpyCloud, told The Register. “However, in practice, especially looking at some of the data in our report, it’s clear that bad password habits are still very much prevalent. Part of it is laziness. Another part of it is a sense of the average consumer of, ‘Why would someone go to the trouble to target little or me? What’s interesting about me?'”
There will always be specific attacks targeted at individuals or companies, but weak passwords also contribute to practices by threat actors like credential stuffing, where cybercriminal use usernames and passwords stolen from one website to try to log into other, often using botnets to fuel the efforts, Endler said. The attackers can then steal credit card data, make fraudulent purchase and use the information in phishing attempts. They can also sell the information.
In all, researchers from SpyCloud – whose products help prevent account takeovers by bad actors – identified 1.7 billion exposed credentials in 2021, a 15 percent year-over-year increase, and 13.8 billion recaptured personally identifiable information (PII) record stolen during breaches last year.
The issue of passwords is a sticky one. Authenticator apps, security keys or text messages sent to a cell phone are techniques that have been around for years. However, what they’re running up against are habits consumers have built up over decades.
“What we’re dealing with as a society is there is this built-up muscle memory around creating an account and logging into sites in the enterprise,” he said.
Two-factor authentication also has been available on sites for years, but adoption is slow because not all people want to take that second step. However, Endler pushed back at the idea that the campaign for passwordless authentication has stalled.
“These things take time because for decades, this is how we’ve known to create our accounts, to register our accounts and to log into our accounts and to see change like this does take time,” Ender said. “It also does add friction into the online account creation space. I don’t know that all sites are enthusiastically embracing this technology because they have to weigh that and counter that with user friction.”
There are steps a person can take, including enabling two-factor authentication – which also can be used with biometric technologies – to sites they use and using a password manager to not only store all of their passwords but also to generate unique passwords to those sites. To protect against fraud and protect PII, people should review their credit history and lock down their records at the major credit agencies.
Anything people do will help protect enterprises, particularly at a time when remote work continues to blur the line between work and home life.
“One way to think of it is the enterprise attack surface hasn’t changed,” he said. “It’s just the way we think about it has changed a little bit since we’ve all been working from home the last two years. At home, we have many more devices right in front of us than we may use to access corporate resources. Those devices don’t necessarily have the same benefits of corporate endpoint protection, so we’ve seen actually more and more malware infections for people working from home.”
While using an infected device, they may log into the corporate system, illustrating the overlay between threats to consumers and the enterprise attack surface, particularly when factoring in the various applications people are using that are outside of the organization’s protective shield, Endler said, adding that “if someone is using a personal account on one of those systems and is maybe not picking the best password, then it does have a have a ripple effect onto the corporate attack surface.”
Eventually the charge into a passwordless future will likely be led by device manufacturers and browser developers, he said. Sites likely will continue to integrate technologies from either devices or browsers, which should help reduce the threats.
“But keep in mind a lot of the accounts that come out in these data breaches were created years ago,” Endler said. “We’re still years away from that dream because we would have to catch up to the point where people are only registering new accounts using services like Apple’s Hide My Email.”