Weak and re-used passwords still common, says vendor report

Many employees of Fortune 1,000 companies are still using and re-using weak and insecure passwords if an analysis of stolen data by a security vendor is accurate.

In a report issued this week, account takeover prevention provider SpyCloud said an analysis of data sold by criminals suggests that, on average, 76 per cent of business employees may be reusing passwords on multiple sites.

Perhaps to no infosec pro’s surprise, some weak passwords in the dataset studied were the most common: The most popular password was 123456, which appeared 14,252 times. Passwords that appear to be names (maggie, bailey, michael) accounted for 32 of the top 100 passwords, appearing over 24 thousand times. Strings of digits (123456789) and easy-to-type combinations of letters and numbers (abc123, qwerty) accounted for another 19 of the top passwords.

The report also suggests security isn’t very good at a lot of companies: Of the more than 412 million breach assets looked at (an asset is a name or email address for example), 4 million were plaintext passwords.


Longer passwords are better, so is salt

In an interview, Julia Kisielius, senior product manager at SpyCloud ducked when asked if IT is doing something wrong. “Password security is a shared responsibility,” she said. “Users are in some way responsible for creating strong passwords, while security professionals need to acknowledge human nature and check passwords to ensure they aren’t weak.”

The analysis has some caveats: The data is part of the 100 billion breach assets that have been “recovered” over the years by SpyCloud in various ways from criminals on the dark web. In Kisielius’s words, the company tries to “social engineer them out of their data.”

From that total researchers winnowed it down to about 76.1 million breach records tied to a single user from 32,000 data breaches that could be linked to Fortune 1000 companies through email addresses (for example, [email protected]). So Gmail addresses, for example, weren’t counted for this analysis.

Within that 76.1 million records were 23.1 million email addresses and plaintext password pairs.

The email addresses weren’t necessarily real persons’ names. John Smith, for example, could be an alias. The entire dataset has been compiled by SpyCloud over years, so it captures some employees who have moved on to other companies. That also means some people could have changed their passwords by now to ones that are safer.

Still, criminals keep using that information, and people keep using those passwords, or variations of them, Kisielius said. It’s also common that many people make only small changes to passwords, either because they think that makes it a new password or to pass company [password] complexity requirements. Criminals know that and count on it, she said.
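The kind of check Kisielius describes, as an added example that is not from the report or from SpyCloud: it tests a candidate password against a small constructed breach list (the strings the article names as most common), including the small variations the article says attackers count on, and flags the same password reused across accounts. The breach list, the substitution table and the function names are assumptions.

```python
import re

# Constructed sample standing in for a breach feed; the entries are the strings the
# article names as most common. A real deployment would load millions of them.
BREACHED = {"123456", "123456789", "abc123", "qwerty", "maggie", "bailey", "michael"}

# Common character substitutions users apply to "refresh" a password (assumed table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
TRAILING = re.compile(r"[^a-z]+$")  # trailing digits/years/punctuation, e.g. "maggie2019!"


def canonical_forms(pw):
    """Return the lower-cased password followed by progressively simplified
    variants, without duplicates or empty strings."""
    forms = []

    def add(form):
        if form and form not in forms:
            forms.append(form)

    base = pw.lower()
    add(base)
    add(TRAILING.sub("", base))                  # "qwerty1"  -> "qwerty"
    add(base.translate(LEET))                    # "m4gg13"   -> "maggie"
    add(TRAILING.sub("", base.translate(LEET)))  # "m4gg13!"  -> "maggie"
    return forms


def check_password(pw, breached=BREACHED, min_len=12):
    """Return a list of findings; an empty list means no issue was detected."""
    findings = []
    if len(pw) < min_len:
        findings.append("too_short")
    forms = canonical_forms(pw)
    for form in forms:
        if form in breached:
            # forms[0] is just the lower-cased input: a direct hit, not a variation
            findings.append("breached" if form == forms[0] else "breached_variant:" + form)
            break
    return findings


def find_reused(credentials):
    """credentials: {account: password}. Return passwords used on more than one account."""
    by_password = {}
    for account, pw in credentials.items():
        by_password.setdefault(pw.lower(), set()).add(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    for candidate in ["123456", "Maggie2019!", "M4gg13", "Qw3rty#2024Winter"]:
        print(candidate, check_password(candidate))
```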

Despite the caveats, SpyCloud hopes the analysis “provides a window into the scale of the account takeover risks facing large enterprises and the importance of monitoring employee credentials for weak and reused passwords.”

You can get the report here (registration required).

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
