Same password everywhere? Mhhhh

IBM Security releases an annual report on the “Cost of a Data Breach.” The report offers a detailed analysis of data breaches that affected more than 500 organizations worldwide, and it also examines the financial impact this phenomenon has on companies. According to it, in the Italian context each violation has an average cost of 2.9 million euros and, as in other countries, this value is expected to increase over time. The report also draws attention to the fact that compromised credentials and incorrect cloud server configurations are the most common vulnerabilities, as they account for nearly 40% of cyberattacks. Furthermore, the IBM study reveals that, back in 2019, more than 8.5 billion records were unsafely exposed to the internet, and that in 1 out of 5 cases the attackers exploited such credentials to perform their intrusion. These results show that, despite significant investment in security infrastructure, companies too often underestimate the human component, which remains the weakest link in the security chain.

Companies rightfully invest in the best technology available to secure their assets; however, negligence and a low level of security awareness among employees still lead to many cyber incidents. Incidents of this kind originate from easy-to-crack and/or reused passwords, namely the reuse of the same access key across many online sites and services. Indeed, it is very hard to remember a large number of different credentials. The password reuse phenomenon, a “practice” we all follow, represents a risk not only for the individual, but also for the company the person works in. In fact, every site we register on can be compromised, and with it there is a risk that our credentials are stolen.

This is because email addresses often correspond to the usernames used to log in to websites. It is then easy for an attacker to try to compromise multiple services with the same credentials. It is worth mentioning that attackers don’t make attempts at stealing passwords by hand: they use advanced scripts and bots that perform the task in their place. As a result, in a few hours they are able to jeopardize multiple services, including mail platforms, cloud services and corporate VPNs.
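From the defender's side, the automated login attempts described above leave a recognisable trace: one client address trying many different usernames in a short time, with a high failure rate and the occasional success. The following detector is an added example (not code from the original article): it assumes a simple, constructed login log format of `timestamp ip username LOGIN_OK|LOGIN_FAIL` and flags sources that tried at least `min_users` distinct accounts inside a sliding time window, listing the accounts that actually succeeded so they can be reset first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed format:
# "<ISO timestamp> <client ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 alice@example.com LOGIN_FAIL
2024-05-01T10:00:02 203.0.113.5 bob@example.com LOGIN_FAIL
2024-05-01T10:00:02 203.0.113.5 carol@example.com LOGIN_FAIL
2024-05-01T10:00:03 203.0.113.5 dave@example.com LOGIN_OK
2024-05-01T10:00:04 203.0.113.5 erin@example.com LOGIN_FAIL
2024-05-01T10:00:05 203.0.113.5 frank@example.com LOGIN_FAIL
2024-05-01T10:00:30 198.51.100.7 alice@example.com LOGIN_FAIL
2024-05-01T10:00:45 198.51.100.7 alice@example.com LOGIN_FAIL
2024-05-01T10:01:10 198.51.100.7 alice@example.com LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {...}} for every source that hit at least `min_users` distinct
    usernames within `window`. For each flagged ip the widest window is reported,
    with its failure count and the accounts that logged in successfully."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start until it spans at most `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users and len(users) > findings.get(ip, {}).get("distinct_users", 0):
                findings[ip] = {
                    "distinct_users": len(users),
                    "failures": sum(1 for _, _, ok in in_window if not ok),
                    "successes": sorted(u for _, u, ok in in_window if ok),
                }
    return findings


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The second source in the sample (`198.51.100.7`) is a single user failing twice and then succeeding, which looks like an ordinary typo and is not flagged; only the address spraying six different accounts is reported, together with the one account it got into.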

When conducting an attack on a targeted company, it is common to start from data breach archives, as it is possible to identify (for example through LinkedIn) the employees who might be the most vulnerable and then search for information about them (primarily credentials) in the breached data.

The likelihood of obtaining unauthorized access is drastically increased by the information acquired through data breaches. For example, someone might take advantage of email address conventions (e.g. …) and of human limits, as it is common to use the same “root” password for all accounts and modify it by adding sequential numbers. A moment of distraction or negligence when setting a password, even for a mail account, may lead to a catastrophic loss of sensitive data regarding the company, its partners and its customers.

Another issue organizations frequently face involves employees using weak and common passwords that might have already been cracked in the past. This is because most people opt for easy-to-remember combinations, like simple numerical strings or proper names, as the periodic online rankings of the least secure and most commonly used passwords demonstrate.
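The two habits just described, a common word as the password and a “root” password recycled with a changing numeric suffix, can both be caught at password-change time. The checker below is an added example written for this article, not the tooling of any vendor it mentions: it uses a constructed six-entry stand-in for a real common-password wordlist, strips a trailing digit/symbol suffix before comparing, and also tells whether a new password is just the old one with the number bumped.

```python
import re

# Constructed stand-in for a real wordlist of common passwords (use a full list in practice)
COMMON_PASSWORDS = {"123456", "password", "qwerty", "welcome", "summer", "juventus"}

# base (at least one char) followed by 1-4 digits and an optional single symbol
SUFFIX_RE = re.compile(r"^(.+?)(\d{1,4}[!@#$%.*]?)$")


def normalize(password):
    """Lower-case the password and drop a trailing 'sequential' suffix such as 2024 or 1!"""
    m = SUFFIX_RE.match(password)
    base = m.group(1) if m else password
    return base.lower()


def audit_password(password, common=COMMON_PASSWORDS, min_length=12):
    """Return a list of findings; an empty list means no weakness was detected."""
    findings = []
    if len(password) < min_length:
        findings.append("too_short")
    lowered = password.lower()
    if lowered in common:
        findings.append("in_common_list")
    base = normalize(password)
    # "Summer2024!" is "summer" plus a suffix: still a dictionary word to a cracker
    if base != lowered and base in common:
        findings.append("common_base_with_suffix")
    return findings


def is_trivial_variant(old_password, new_password):
    """True when the new password only changes the numeric/symbol suffix of the old one."""
    return normalize(old_password) == normalize(new_password)


if __name__ == "__main__":
    for pw in ["Summer2024!", "password", "correct horse battery staple"]:
        print(pw, audit_password(pw))
    print(is_trivial_variant("Summer2023", "Summer2024"))
```

A real deployment would load a full wordlist (and ideally the organisation's own name and product names) into `COMMON_PASSWORDS`; the suffix normalisation is what stops “Summer2024!” from passing a policy that only checks the literal string.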

Today, there are multiple free tools that allow companies to verify whether their corporate and/or personal accounts have been hacked. One of the most popular is “Have I Been Pwned?”, founded by security expert Troy Hunt in 2013. At the moment it reports 473 pwned sites, and the compromised accounts exceed 10 billion… so the chances that yours is among them are very high!

To find out whether this is indeed the case, you just have to enter your email address in the search bar on the homepage. The results show whether your account has been compromised, and also when and how it happened. The website is based on an engine that analyses the provided credentials and compares them with the information in its database of data breaches. Furthermore, a notification function is available to subscribers: the HIBP system sends an automatic email whenever your registered credentials appear in a new breach. In the “Who’s been pwned” section you can also consult an archive of the nature and size of all data breaches recorded up to that moment.

Another valid option is the “Password Exposure Test,” which is supplied by our partner KnowBe4 and available on its website. The software verifies the security level of all credentials in the company Active Directory and then returns a detailed report on the potential vulnerabilities the engine found. The analysis consists of two main processes:

  • Weak Password: the test matches the passwords in your AD against KnowBe4’s dictionary of very common and easy-to-crack passwords;
  • Breached Password: the process tests passwords associated with email addresses of your domain that have been the victim of a data breach. The test examines a database of breached data containing over a billion breached passwords and looks for possible matches within your accounts and domains.
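Both the HIBP check described earlier and the “Breached Password” step above boil down to the same question: does this password appear in a breach corpus? The example below is added here and is not HIBP's or KnowBe4's code. It assumes the publicly documented Pwned Passwords range API (`https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>`), which answers with lines of `<remaining 35 hex chars>:<count>`, so the full hash of the password never leaves the machine. The network is replaced by a constructed fake response so the check runs offline; the count in it is made up.

```python
import hashlib


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent to the
    API and the 35-char suffix that is only ever compared locally (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse '<suffix>:<count>' lines into a dict; tolerate blank lines and CRLF."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password was seen in breaches (0 = not found).
    `fetch_range(prefix)` returns the raw text of the range response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is "5BAA6"; the
# counts and the second suffix are invented for the example.
FAKE_RANGES = {
    "5BAA6": "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n",
}


def fake_fetch(prefix):
    return FAKE_RANGES.get(prefix, "")


def online_fetch(prefix):
    """Real lookup against the Pwned Passwords range API (not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-audit-example"},  # HIBP requires a User-Agent
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        print(pw, "->", breach_count(pw, fake_fetch))
```

Swap `fake_fetch` for `online_fetch` to query the live service; because only the five-character prefix is sent, the server cannot tell which of the few hundred candidate hashes in that range you were interested in.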

Best practices

  • Use a different password for each service and online account, overcoming laziness by adopting efficient tools to store passwords.
  • Pay extreme attention to password quality and security.
  • Monitor the quality and the index of compromise of company credentials (e.g. through the above-mentioned tools).
  • Adopt multifactor authentication solutions (offered by cloud providers such as Google, Microsoft etc.).