We here at Solutions Review frequently discuss the issues surrounding credential exposure and password security. We focus on these issues within identity and access management because the vast majority of users, both ordinary employees and privileged users, interact with the digital perimeter and their identities through their credentials. Credential exposure therefore remains a key security issue.
To highlight the severity of the credential exposure epidemic, we consulted the SpyCloud 2018 Annual Credential Exposure Report. SpyCloud serves as a breach prevention and account takeover prevention solution provider.
Here’s what we learned.
The SpyCloud 2018 Annual Credential Exposure Report
According to SpyCloud, of the 3.5 billion exposed credentials it recovered in 2018, exactly reused passwords account for 24%, and 90% of the reused passwords were nearly identical. A study of 1 billion leaked user accounts found that 20% reused the exact same password and 27% used a near-identical password.
SpyCloud also comments on the paradox of encryption concerning account exposure. Encrypting passwords (in practice, hashing them before storage) can help enterprises secure their users’ passwords; however, the most common storage formats provide only a weak barrier against attackers, who routinely crack unsalted MD5 and SHA-1 hashes.
Therefore, enterprises should take further steps to protect their users’ passwords and credentials. Deploying and enforcing multifactor authentication, or at a minimum two-factor authentication, can mitigate the impact of credential exposure.
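To make the two findings above concrete (that unsalted MD5/SHA-1 storage is a weak barrier, and that users tend to choose near-identical passwords), here is an added example that is not from the report or the article. It contrasts unsalted MD5 with salted, iterated PBKDF2 and adds a password-change check that rejects trivial edits of the previous password; the usernames, passwords, and the 0.8 similarity threshold are constructed for illustration.

```python
import difflib
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 600_000  # PBKDF2 work factor; tune to your hardware


def unsalted_md5(password: str) -> str:
    """Legacy storage: unsalted MD5. Deterministic, so every user who picks
    the same password gets the same digest and precomputed tables apply."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated PBKDF2-HMAC-SHA256. A fresh 16-byte salt per user
    makes identical passwords produce unrelated digests."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def pbkdf2_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored record."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_digest_users(user_hashes: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit helper: group users whose unsalted digests collide, i.e. who share
    a password. Returns {digest: [usernames]} for digests seen more than once."""
    groups: Dict[str, List[str]] = {}
    for user, h in user_hashes.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def is_near_duplicate(old_password: str, new_password: str, threshold: float = 0.8) -> bool:
    """Password-change check: reject a new password that is only a trivial
    edit of the old one (e.g. a bumped year), compared case-insensitively."""
    ratio = difflib.SequenceMatcher(None, old_password.lower(), new_password.lower()).ratio()
    return ratio >= threshold


# Constructed sample data, not taken from the report.
SAMPLE_USERS = {"alice": "Summer2018!", "bob": "Summer2018!", "carol": "tr0ub4dor&3"}

if __name__ == "__main__":
    legacy = {u: unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    print("users sharing an unsalted digest:", shared_digest_users(legacy))
    _, dig_a = pbkdf2_hash("Summer2018!")
    _, dig_b = pbkdf2_hash("Summer2018!")
    print("salted digests differ for the same password:", dig_a != dig_b)
    print("near-duplicate change rejected:", is_near_duplicate("Summer2018!", "Summer2019!"))
```

With unsalted MD5 the audit exposes shared passwords directly from the stored digests, which is exactly why such a table is a weak barrier; with per-user salts the same audit finds nothing, and the change-time check blocks the "nearly identical" reuse pattern the report describes.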
The SpyCloud Findings in Context
The SpyCloud report on account exposure doesn’t exist in a vacuum. In fact, its findings support a wide range of studies demonstrating the issues surrounding user passwords. These studies reveal:
- 81% of breaches stem from weak, stolen, or reused passwords, according to Verizon.
- Nearly 10% of users selected at least one of the 25 worst passwords for one of their accounts, according to SplashData.
- 59% of users repeat their stolen passwords, according to Rachael Stockton of LogMeIn.
You can read the full SpyCloud 2018 Annual Credential Exposure Report here.