The struggle to get users to make good, strong, unique passwords and actually keep them secret is real!
It can be hard to demonstrate to users just how dangerous their bad password decisions can be to the entire business, even though an estimated 60% of data breaches involved the improper use of credentials in 2020.
There’s no rhyme or reason to why employees create and handle passwords unsafely. Employees at every level are unfortunately drawn to making bad passwords and playing fast and loose with them – and that predilection doesn’t look like it’s going away anytime soon.
The average adult has an estimated 100 passwords floating around that they’re using. That’s a bewildering tangle of passwords to manage. About 300 billion passwords are currently in use by humans and machines worldwide. The global pandemic helped put even more passwords into circulation as people on stay-at-home orders created an abundance of new online accounts. According to the conclusions of a global study conducted by Morning Consult for IBM, people worldwide created an average of 15 new online accounts per person during the main thrust of the pandemic.
Many of those logins were compromised from the start thanks to abundant dark web data. An estimated 15 billion unique logins are circulating on the dark web right now. In 2020 alone, businesses had to contend with a 429% increase in the number of business login details with plaintext passwords exposed on the dark web. That dramatic increase in risk per user comes back to haunt a business.
The average business is now likely to have about 17 sets of login details available on the dark web for cybercriminals to enjoy, and that number is only going to continue to grow thanks to events like this year’s giant influx of fresh passwords from the RockYou2021 leak!
Research by the UK’s National Cyber Security Centre (NCSC) shows that employees will choose memorability over security when making a password. Their analysts found that 15% of people have used their pet’s name as their password at some point, 14% have used the name of a family member, 13% have used a significant date, such as a birthday or anniversary and another 6% have used information about their favourite sports team as their password.
That makes cybercriminals’ jobs easy even if they’re trying to directly crack a single password. After all, those users have probably told them everything that they’d need to know to do the job in their social media profiles.
Worse yet, employees are sharing their passwords with other people at an alarming rate, even if the people they’re sharing a password with don’t work at the same company. Over 30% of respondents in a Microsoft study admitted that their business had experienced a cybersecurity incident as a result of compromised user credentials that had been shared with people externally.
43% of survey respondents have shared their password with someone in their home
22% of employees surveyed have shared their email password for a streaming site
17% of employees surveyed have shared their email password for a social media platform
17% of employees surveyed have shared their email password for an online shopping account
Analysis of the top 250 passwords found on the dark web showed that the top categories for the weakest passwords in 2020 were:
Weakest Password Categories in 2020
Top 20 Most Common Passwords found on The Dark Web in 2020
Credentials were the top type of information stolen in data breaches worldwide in 2020 (personal information took second place, just ahead of financial data in third), and cybercriminals didn’t hesitate to grab batches of credentials from all over the world. They snatched them up in about 70% of EMEA breaches, 90% of APAC region breaches and 60% of North American breaches. Researchers disclosed that the average company experiences 5.3 credential compromises that originate from a common source like phishing every year, a number that should give every business owner chills.
An abundance of records on the dark web has spawned an abundance of passwords for cybercriminals to harvest, and that’s bad news. Giant password dumps on the dark web like the 100GB text file dubbed RockYou2021 have ratcheted up risk too. That giant dump of data is estimated to contain 8.4 billion passwords. Cybercriminals make use of that bounty quickly and effectively.
In the aftermath of an enormous 2020 hack, ShinyHunters breached the security of ten companies in the Asian region and brought more than 73 million user records to market on the dark web. A group like ShinyHunters will of course try to profit by selling that stolen data at first, but when the data has aged or there are no interested buyers, cybercriminals will just offload it in the vast data dumps of the dark web, making it available for anyone to sift through.
Password shenanigans can put any business at risk of a devastating and expensive cyberattack, but protecting your business from password-related danger isn’t hard to do or expensive.
Protecting your business from password dangers requires a multi-layered approach, incorporating both training and technology.
Training will educate your employees about the dangers of cybercrime, how to recognise the threat and how to avoid it.
Technology and policy ensure a correct framework is in place to remove the complications around employee passwords, with a robust and centralised credential management system to protect your business.
MSnet was founded with a passion to help protect businesses from the threat of cybercrime.
Our mission is to empower businesses with the knowledge, training and services required to safeguard them from cybercriminal activity.
If you would like more information, please reach out to our team on 01489 539700.