Many employees of Fortune 1,000 companies are still using and re-using weak and insecure passwords if an analysis of stolen data by a security vendor is accurate.
In a report issued this week, account takeover prevention provider SpyCloud said an analysis of data sold by criminals suggests that, on average, 76 per cent of business employees may be reusing passwords on multiple sites.
Perhaps to no infosec pro’s surprise, some weak passwords in the dataset studied were the most common: The most popular password was 123456, which appeared 14,252 times. Passwords that appear to be names (maggie, bailey, michael) accounted for 32 of the top 100 passwords, appearing over 24 thousand times. Strings of digits (123456789) and easy-to-type combinations of letters and numbers (abc123, qwerty) accounted for another 19 of the top passwords.
The report also suggests security isn’t very good at a lot of companies: Of the more than 412 million breach assets looked at (an asset is a name or email address for example), 4 million were plaintext passwords.
In an interview, Julia Kisielius, senior product manager at SpyCloud ducked when asked if IT is doing something wrong. “Password security is a shared responsibility,” she said. “Users are in some way responsible for creating strong passwords, while security professionals need to acknowledge human nature and check passwords to ensure they aren’t weak.”
The analysis has some caveats: The data is part of the 100 billion breach assets that have been “recovered” over the years by SpyCloud in various ways from criminals on the dark web. In Kiseilus’s words, the company tries to “social engineer them out of their data.”
From that total researchers winnowed it down to about 76.1 million breach records tied to a single user from 32,000 data breaches that could be linked to Fortune 1000 companies through email addresses (for example, firstname.lastname@example.org). So Gmail addresses, for example, weren’t counted for this analysis.
Within that 76.1 million records were 23.1 million email addresses and plaintext password pairs.
The email addresses weren’t necessarily real persons’ names. John Smith, for example, could be an alias. The entire dataset has been compiled by SpyCloud over years, so it captures some employees who have moved on to other companies. That also means some people could have changed their passwords by now to ones that are safer.
Still, criminals keep using that information, and people keep using those passwords, or variations of them, Kisielius said. It’s also common that many people make only small changes to passwords, either because they think that makes it a new password or to pass company [password] complexity requirements. Criminals know that and count on it, she said.
Despite the caveats, SpyCloud hopes the analysis “provides a window into the scale of the account takeover risks facing large enterprises and the importance of monitoring employee credentials for weak and reused passwords.”