The Vulnerability of Passwords: a Glimpse into 35 Billion Credentials
By Anna Fridley
How can organizations protect themselves and their customers from dictionary, replay, and password spraying attacks given that use of stolen credentials is the second most prevalent “threat action” leveraged in breaches according to VDBIR? Since the FBI’s Internet Cyber Crime Center (IC3) 2019 report averaging breach loss value to $32,000, unauthorized access leading to breaches can represent a real business threat to organizations—no matter the size or industry.
Taking these two reports and the trends within them to heart, I took a deep dive into Flashpoint’s collection of over 35 billion compromised credentials. These credentials have been compiled from years of analyst research, automated collections, and credential stealing malware. I wanted to look at the compromised credentials from the perspective of sensible controls enterprises could put into place to interrupt threat actor use of compromised passwords. I did some data slicing in Flashpoint’s top 10,000 bad passwords (representing approximately 5% of our collection) and made a few unsurprising observations:
- People are predictable in their password choices: in the top 450 most repeated passwords, keyboard patterns, number strings, and first names, are the most common types of passwords.
- After the above patterns, single dictionary words, patterns including sports references, site names, and variations on the word password were the next most common.
- Over 96% of the top 10,000 most reused passwords were fewer than 12 characters in length.
Since we are not yet in a post-password authentication space, what can large enterprises and small to medium organizations do to implement compensating controls to cut down on threat actor’s capacity to exploit these common human patterns?
The recommendations wind up unsurprising as well, as NIST-800-63B keeps hammering them home:
- Know your assets, employees, and accounts.
- Secure your crown jewels, power users, and privileged accounts with longer, more complicated passphrases in proportion to the importance of the access they convey.
Lastly, going above and beyond guarding against the most-commonly-used bad passwords, enterprises can leverage services like Flashpoint’s Compromised Credentials Monitoring (CCM) to get more proactive about securing credentials. CCM helps enterprises leverage the same data sets that threat actors are using to attack their networks in order to ultimately reduce account takeover (ATO) and more damaging advantageous attacks that play to the predictable nature of people and their passwords.