Password Sharing is a Data Breach Danger
Don’t overlook the data breach danger created by the practice of password sharing.
Passwords are the bane of IT teams, and password sharing is one of the biggest reasons for that. Password sharing among your staffers could open your company up to expensive and harmful cyberattacks. Credential compromise is also the most common initial cyberattack vector according to this year’s IBM Cost of a Data Breach Report, the culprit in 20% of breaches. What’s a surefire way to compromise a credential? Sharing it with anyone else.
Six Scary Statistics
Here are a few quick facts to keep in mind about staff password sharing:
- At least 65% of people reuse passwords across multiple sites.
- About 13% of people use the same password for every single account.
- More than 81% of data breaches in 2020 were caused by poor password security.
- 42% of people share their work login credentials to work together with their teammates.
- 61% of users are more likely to share their work passwords than personal passwords.
- 34% of business users share passwords to reduce costs on user-limited software.
Research by the UK’s National Cyber Security Centre (NCSC) shows that employees will choose memorability over security every time when making a password. Their analysts found that 15% of people have used their pet’s name as their password at some point, 14% have used the name of a family member, 13% have used a significant date, such as a birthday or anniversary, and another 6% have used information about their favorite sports team as their password. That makes cybercriminals’ jobs easy even if they’re trying to directly crack a single password. After all, those users have probably told them everything that they’d need to know to do the job in their social media profiles.
US companies aren’t any better off. In fact, their bad password problems are just a little bit worse. 59% of Americans use a person’s name or family birthday in their passwords, 33% include a pet’s name and 22% use their own name. We can’t chalk that blizzard of bad passwords up to ignorance of good password habits, because even employees who know better are slacking on password safety. Over 90% of participants in a password habits survey understood the risk of poor password hygiene, but 59% admitted to still engaging in unsafe password behaviors at work anyway.
Employees are sharing their passwords with other people at an alarming rate, including people that don’t work at the same company through password reuse and recycling. Over 30% of respondents in a Microsoft study admitted that their organization had experienced a cybersecurity incident as a result of compromised user credentials that had been shared with people outside their companies.
- 43% of survey respondents have shared their password with someone in their home
- 22% of employees surveyed have shared their email password for a streaming site
- 17% of employees surveyed have shared their email password for a social media platform
- 17% of employees surveyed have shared their email password for an online shopping account
Based on our analysis of the top 250 passwords that we found through Dark Web ID’s dark web search function, which uncovers exposed credentials, the categories of information used to generate the weakest passwords in 2020 were: Names, Sports, Food, Places, Animals and Famous People/Characters. Here’s a breakdown of people’s dreadful passwords.
The Most Common Passwords Spotted by Dark Web ID by Category
- Names: maggie
- Sports: baseball
- Food: cookie
- Places: Newyork
- Animals: lemonfish
- Famous People/Characters: Tigger
Top 20 Most Common Passwords That Dark Web ID Found on The Dark Web in 2020
- 123456
- password
- 12345678
- 12341234
- 1asdasdasdasd
- Qwerty123
- Password1
- 123456789
- Qwerty1
- :12345678secret
- Abc123
- 111111
- stratfor
- lemonfish
- sunshine
- 123123123
- 1234567890
- Password123
- 123123
- 1234567
Too many hands on a password make it useless.
While it seems safe enough, businesses will not save money by handing around the login for a user-limited account. The security risk is too great, especially as more and more people in an organization need to use that account, so the login keeps getting passed around. It is almost inevitable that it will become compromised, creating an opening for bad actors to slip through and into critical systems and data – and costing a fortune in investigation, mitigation, and recovery expenses (and in some industries, additional regulatory fines).
No industry is immune to the powerful lure of terrible password habits, especially that perennial favorite, password recycling and iteration. In a study of password proclivities, researchers determined that some sectors did have a little more trouble with passwords than others, though. The telecommunications sector had the highest average number of leaked employee credentials at 552,601 per company. The media industry had the highest password reuse rates at 85%, followed by household products (82%), hotels, restaurants & leisure (80%), and healthcare (79%). Security firms stacked with IT professionals don’t get off the hook any more easily than any other business – a staggering 97% of cybersecurity companies have had their passwords leaked on the dark web.
Who else has that password?
Can you be sure that the only people who have the shared password are people that you trust? Are you willing to take the risk that it hasn’t already been compromised on the Dark Web? Are you certain that it isn’t also the password for the Netflix account that your assistant shares with her sister? Are you confident that the person who made that password isn’t one of the 59% of business users who understand the risk of password reuse but admitted to doing it anyway in a recent survey? The answer to all of these questions is no.
From SMBs to giant multinationals, it doesn’t matter how high-flying a company is: password problems will still plague them. A trove of exposed data about Fortune 1000 companies on the dark web was uncovered by researchers earlier this year, including passwords for 25.9 million Fortune 1000 corporate user accounts. Digging deeper, they also unearthed an estimated 543 million employee credentials from Fortune 1000 companies circulating on commonly used underground hacking forums, a 29% increase from 2020. Altogether, they were able to determine that 25,927,476 passwords that belong to employees at Fortune 1000 companies are hanging out on the dark web. That’s an estimated 25,927 exposed passwords per Fortune 1000 company, marking a 12% increase in password leaks from 2020.
Password sharing is an expressway to a data breach.
Password shenanigans can put any business at risk of a devastating and expensive cyberattack. But protecting your organization from password-related danger isn’t hard to do or expensive. The ID Agent Risk Protection Platform has the solutions businesses need to stay safe without breaking the bank.
Passly packs essential protection for your systems and data against intrusion by cybercriminals with a stolen or phished password, including single sign-on (SSO), multifactor authentication (MFA), automated password resets and simple remote management, at an affordable price.
BullPhish ID delivers a smooth, painless training experience for trainers and trainees alike. Trainers can run premade simulations or customize their content to reflect their unique industry threats, including video lessons. Then deliver it all through a personalized portal that makes it easy for everyone.
Dark Web ID can help your clients discover employees who may be tempted to sell their access credentials on the dark web to get all that cash. Monitoring 24/7/365 and fast alerts help companies stay a step ahead of malicious insiders.
Contact the solutions experts at ID Agent today to learn more about how the ID Agent digital risk protection platform can enable you to secure your business and your customers against ransomware threats.