While there is a general awareness among most people about using secure passwords, an individual’s concern for data security consistently collides with the need to remember a growing number of unique passwords for an ever-larger number of accounts. Add the demands for complexity, differing password constraints for each service, and the need to change them frequently, and you’ve set up many employees at your organization for failure. They will default to the old habit of reusing one or two relatively simple passwords across multiple logins.
Generally, there is never a bad time to revisit the password policy at your organization, but last week’s major headlines about the epic data set compiled and released by hackers are reason enough to revisit not only the topic but, more importantly, your policy.
2.69 Billion Rows of E-Mail Addresses and Passwords
Security researcher Troy Hunt, founder of the breach notification service Have I Been Pwned, published a notification about a list of e-mail and password combinations compiled from several previous data breaches. In total, 773 million e-mail addresses and 21 million passwords were published to the file sharing site MEGA. Most of the e-mail addresses had been associated with previous data breaches, such as Adobe, LinkedIn, or Dropbox; however, an alarming 140 million addresses were new to Hunt.
It can be easy for some to brush this off as an insignificant collection, since so many of the credentials in the list were already known; that said, Hunt, among others, points out that compiling all these previously and newly disclosed e-mail and password combinations has created a master dictionary for those attempting credential stuffing attacks.
The Dangers of Credential Stuffing Attacks
The concept of credential stuffing is fairly straightforward. A threat actor takes a list of known username and password combinations and leverages botnets or special software to automate the injection of those credentials into a host of websites and services. The hope is that the compromised individual used the same logins across multiple sites.
The problem for any organization stems from the simple fact that people’s password reuse isn’t typically confined to their personal lives. One successful attempt by a hacker can cause a ripple effect that easily extends into the workplace, and of course, if a hacker can gain access to a network through an employee’s credentials, the damage can be severe.
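The pattern described above, one source trying many different accounts in quick succession with mostly failures, is what a defender can look for in authentication logs. The following is an added example, not code from the original article; it assumes a simple constructed log format (timestamp, source IP, username, outcome) and flags sources whose behaviour looks like automated credential stuffing, while a single user retrying their own account is left alone.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-app authentication log lines (not from the article).
# Assumed format: "<ISO timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2019-01-21T09:00:01 203.0.113.7 alice LOGIN_FAIL
2019-01-21T09:00:02 203.0.113.7 bob LOGIN_FAIL
2019-01-21T09:00:02 203.0.113.7 carol LOGIN_FAIL
2019-01-21T09:00:03 203.0.113.7 dave LOGIN_FAIL
2019-01-21T09:00:03 203.0.113.7 erin LOGIN_OK
2019-01-21T09:00:04 203.0.113.7 frank LOGIN_FAIL
2019-01-21T09:00:05 203.0.113.7 grace LOGIN_FAIL
2019-01-21T09:10:00 198.51.100.4 alice LOGIN_FAIL
2019-01-21T09:10:05 198.51.100.4 alice LOGIN_FAIL
2019-01-21T09:10:09 198.51.100.4 alice LOGIN_OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse(log_text):
    """Turn log lines into (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            events.append((ts, m.group(2), m.group(3), m.group(4) == "LOGIN_OK"))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_accounts=5, max_success_rate=0.5):
    """Return {source_ip: accounts that logged in OK} for every source that, inside any
    sliding `window`, attempted at least `min_accounts` distinct usernames with a
    mostly failing outcome. The accounts that succeeded are the ones to reset first."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            successes = sum(1 for _, _, ok in span if ok)
            if len(users) >= min_accounts and successes / len(span) <= max_success_rate:
                flagged.setdefault(ip, set()).update(u for _, u, ok in span if ok)
    return flagged
```

Tune the window and account threshold to your own traffic; a shared corporate NAT address will legitimately show many distinct users, so pair the source-IP rule with failure ratio rather than relying on distinct-account count alone.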