An IT security firm has recovered 9,050,064,764 login credentials that were in the possession of cybercriminals, drawn from over 640 data breaches in which emails and usernames were paired with plaintext passwords. Password reuse, improper hashing, misconfigured servers, and the use of common weak passwords and phrases were the main reasons users’ accounts were compromised.
Password reuse across multiple accounts
The data recovered by SpyCloud covers 270 million users and over 9 billion login credentials. Close to a third (29%) of the compromised credentials involved a password reused on more than one account. Most reused passwords (94%) were exact matches, while the remaining 6% were slight variations of the original. Four percent (4%) of the variations appended one or two digits to the password, for example “password1” or “password12,” and two percent (2%) capitalized the first letter, for example “Password.” Password reuse exposes users to account takeover (ATO) by cybercriminals across multiple systems. Compromising the account of a privileged user can also yield the login credentials of many other users, which the attacker can then use in credential stuffing attacks against a single system.
Improper and outdated password hashing
Hashing passwords instead of storing them in plaintext has long been the standard defence against credential theft. Even so, many hashing schemes have become easy to crack, leaving users’ login credentials at risk. SpyCloud observed that only 44% of the passwords were both hashed and salted; the rest were unhashed and/or unsalted, making them easier for criminals to crack. In addition, most of the stolen login credentials used ineffective hashing methods such as MD5 and SHA1: more than a third (36%) used SHA1 and 17% used MD5. Three percent (3%) of the “hashed” passwords were merely BASE64 encoded, which is not hashing at all and offers no protection, since the encoding is trivially reversed. Weak and outdated hashing mechanisms let cybercriminals recover the plaintext passwords with little effort.
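The difference between the storage schemes named above is easiest to see by holding a few sample records side by side and asking what someone in possession of a leaked dump has to do to get the plaintext back. The following is an added example written for this article, not SpyCloud’s code; the `scheme$field$...` record format, the five-word dictionary modelled on the common passwords the article names, and the PBKDF2 iteration count are all assumptions of the demo.

```python
"""Audit of password-storage schemes against a small dictionary.

Added example, not SpyCloud's code. The record format "scheme$field$..."
is a constructed convention for this demo; real systems use their own
(for example the Modular Crypt Format).
"""
import base64
import hashlib
import hmac
import os

# Constructed dictionary modelled on the common passwords the article names.
COMMON_PASSWORDS = ["123456", "123456789", "qwerty", "iloveyou", "password"]

# Iteration count in the range current guidance gives for PBKDF2-HMAC-SHA256
# (assumption for this demo; tune to the latency budget of your login path).
PBKDF2_ITERATIONS = 600_000


def store_base64(password):
    """Encoding, not hashing: anyone holding the record can decode it."""
    return "b64$" + base64.b64encode(password.encode()).decode()


def store_md5(password):
    """Unsalted fast hash: one precomputed table serves every record in a dump."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def store_sha1_salted(password, salt):
    """Salted but fast: each record must be attacked separately, yet cheaply."""
    digest = hashlib.sha1(salt + password.encode()).hexdigest()
    return f"sha1${salt.hex()}${digest}"


def store_pbkdf2(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Salted and deliberately slow: the intended way to store a password."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record, password):
    """Constant-time comparison of a candidate against any record format above."""
    scheme, *fields = record.split("$")
    if scheme == "b64":
        expected = store_base64(password)
    elif scheme == "md5":
        expected = store_md5(password)
    elif scheme == "sha1":
        expected = store_sha1_salted(password, bytes.fromhex(fields[0]))
    elif scheme == "pbkdf2_sha256":
        expected = store_pbkdf2(password, bytes.fromhex(fields[1]), int(fields[0]))
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(expected, record)


def exposure(record, dictionary=COMMON_PASSWORDS):
    """Return (recovered_plaintext_or_None, cost_class) for one stored record.

    cost_class names what the holder of a dump pays to test the dictionary:
      reversible          - no guessing at all (base64 is just decoded)
      precomputed-lookup  - one table built once covers every record (unsalted)
      per-record-fast     - dictionary rehashed per record, but each hash is cheap
      per-record-slow     - dictionary rehashed per record at the configured work factor
    """
    scheme, *fields = record.split("$")
    if scheme == "b64":
        return base64.b64decode(fields[0]).decode(), "reversible"
    if scheme == "md5":
        table = {store_md5(w): w for w in dictionary}  # built once per dump in practice
        return table.get(record), "precomputed-lookup"
    cost = "per-record-fast" if scheme == "sha1" else "per-record-slow"
    for word in dictionary:
        if verify(record, word):
            return word, cost
    return None, cost


if __name__ == "__main__":
    salt = os.urandom(16)
    for rec in (store_base64("123456"), store_md5("qwerty"),
                store_sha1_salted("iloveyou", salt), store_pbkdf2("password", salt)):
        print(rec.split("$")[0], exposure(rec))
```

The audit makes the report’s percentages concrete: the 3% of BASE64 “hashes” fall out of `exposure` with no work at all, unsalted MD5 records are answered from a single table shared across the whole dump, and salted SHA1 only forces the dictionary to be rerun per record at a speed that is still negligible. Only the PBKDF2 records charge the configured iteration count for every single guess, which is the property a password store needs.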
Misconfigured and unsecured servers
While password reuse poses a huge threat, cybercriminals are diversifying their methods of attack by targeting misconfigured or unsecured servers. Criminals exploit poorly configured servers by connecting as privileged users, and misconfigured databases allow them to connect as database developers, execute commands, and dump data. In addition, the adoption of cloud storage by organizations without experienced IT professionals capable of properly configuring such services puts data at risk.
Weak passwords and common phrases
Many of the leaked login credentials follow a predictable pattern. In addition, many of the leaks involved the same systems, affecting many users at a time. For example, “dubsmash” and “evite” were among the most leaked passwords, each affecting over 100 million accounts. This indicates that the affected apps lack a proper password security policy, allowing users to secure their accounts with default passwords. One possible reason is that these apps use the brand name as the default password and most users do not bother to change it. The apps also fail to remind users to change the default password after creating their accounts. In addition, users who are prone to forgetting passwords prefer to use the brand name as the app’s password so they do not forget it.
Other patterns reflect factors such as religion, cultural names, or common phrases. For example, “mohammad” was a common password in Islamic countries and “jesuschrist” in predominantly Christian countries such as Angola. Universal phrases such as “iloveyou” were very common across the world. However, the most common combinations, occupying the top three positions, were “123456”, “123456789” and “qwerty”, in use by over 125 million accounts.
Security best practices to secure users’ login credentials
Because many data breaches involve the use of compromised passwords, would eliminating user passwords make systems secure? David Endler, chief product officer and co-founder of SpyCloud, disagrees.
“The way forward isn’t necessarily getting rid of passwords; it’s making sure people understand how valuable their data is to criminals and why a little friction in the security experience is worth the protection it provides,” Endler says.
He further proposes various password protection measures to ensure most users do not put their accounts at risk by using weak passwords.
“We’ve learned a lot in the past couple years about better authentication experiences and it’s time to put those lessons into action worldwide. Killing the 90-day password rotation will curb password management fatigue. Checking passwords against breach data and forcing resets when exposures are found could help people understand the risk their poor passwords pose, and enforcing stronger new passwords that follow NIST recommendations will help users make better choices,” says the SpyCloud co-founder.
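The breach-data check Endler calls for only helps if it also catches the cheap variations quantified in the password-reuse section above (one or two digits appended, first letter capitalized), since those are what a user reaches for when told their password was exposed. The following is an added example written for this article, not SpyCloud’s or NIST’s code: the `BREACHED` set is a constructed stand-in for an exposed-credential feed, the eight-character floor follows NIST SP 800-63B, and the combined “capitalized plus digits” case goes one step beyond the two patterns the report counts separately.

```python
"""Breach-aware password acceptance check.

Added example, not SpyCloud's or NIST's code. BREACHED is a constructed
stand-in for an exposed-credential feed; a production check would query
such a feed by hash prefix (k-anonymity range queries) rather than hold
plaintexts in memory.
"""
import re
from collections import Counter

# Constructed corpus modelled on passwords the article names.
BREACHED = {"123456", "123456789", "qwerty", "iloveyou", "password",
            "dubsmash", "evite"}

MIN_LENGTH = 8  # NIST SP 800-63B floor for user-chosen memorized secrets

# One or two trailing digits after at least one other character.
TRAILING_DIGITS = re.compile(r"^(.+?)(\d{1,2})$")


def exposed_base(candidate, corpus=BREACHED):
    """Return (base, kind) if candidate is an exposed password or a trivial variant.

    kind is one of: exact, digits-appended (one or two trailing digits),
    capitalized (first letter upper-cased), capitalized+digits (both at once;
    an assumption extending the report's two separately counted patterns).
    Returns (None, None) when nothing in the corpus matches.
    """
    checks = [(candidate, "exact")]
    m = TRAILING_DIGITS.match(candidate)
    stripped = m.group(1) if m else None
    if stripped is not None:
        checks.append((stripped, "digits-appended"))
    decap = candidate[:1].lower() + candidate[1:]
    if decap != candidate:
        checks.append((decap, "capitalized"))
        if stripped is not None:
            checks.append((stripped[:1].lower() + stripped[1:], "capitalized+digits"))
    for base, kind in checks:
        if base in corpus:  # set lookup, so a large corpus stays O(1) per check
            return base, kind
    return None, None


def evaluate_password(candidate, corpus=BREACHED):
    """Apply the policy the article endorses: a length floor and a breach check,
    with no composition rules and no scheduled rotation. Returns (accepted, reason)."""
    if len(candidate) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    base, kind = exposed_base(candidate, corpus)
    if base is not None:
        return False, f"{kind} match against exposed password {base!r}"
    return True, "accepted"


def reuse_breakdown(pairs):
    """Count how a user's password on one account relates to the same user's
    password on another; the report's 94% / 4% / 2% split is this tally
    over its corpus. Input is an iterable of (password_a, password_b)."""
    counts = Counter()
    for old, new in pairs:
        _, kind = exposed_base(new, {old})
        counts[kind or "different"] += 1
    return counts


if __name__ == "__main__":
    for pw in ("Password12", "qwerty1", "dubsmash1", "correct horse battery staple"):
        print(pw, evaluate_password(pw))
```

`evaluate_password` deliberately has no uppercase/digit/symbol rules and no expiry clock: the length floor and the exposure check are the two controls NIST keeps, and the variant matching is what makes a forced reset after exposure actually move the user off the compromised value rather than onto “Password1”.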
SpyCloud’s chief product officer further recommends non-password security measures, such as multi-factor authentication and password managers, to increase the security of user accounts.
“Companies need to not just offer multi-factor authentication but encourage users to opt-in. The security community has for a long time recommended password managers, but we need to be more vocal about them, and even offer them as an employee benefit to encourage strong password hygiene.”