Microsoft has just announced that a staggering 44 million accounts were vulnerable to account takeover due to the use of compromised or stolen passwords. This news comes on the back of the recent Disney+ launch, where password reuse resulted in cybercriminals taking over user accounts.
There is mounting evidence that despite repeated warnings, users are still flying blind, and companies are not taking enough action to prevent the use of exposed credentials, putting users’ data at risk.
People’s desire for convenience drives then to use the same login details for multiple accounts. To put this in context, research from Google found that 65% of people reuse the same password for all or most of their accounts with another study finding that 62% of employees use the same password for their personal and work accounts.
A cybercriminal can simply obtain a password from a breach on one site, and then because of this password reuse, use that password to access that user’s accounts on other websites and systems. A study from Virginia Tech University found that 70% of users deployed an exposed password for different accounts up to a year after a leak. Even worse, 40% of people are reusing passwords, which were leaked over three years ago.
As cybercriminals become increasingly sophisticated, organizations must take steps to protect themselves and their users rather than hoping people will suddenly stop reusing passwords!
NIST password recommendations outline how organizations should verify that passwords are not compromised before they are activated and monitor those passwords on an ongoing basis. By checking passwords against a database of exposed or stolen passwords, organizations can significantly reduce the prevalence of compromised and stolen passwords. As the number of data breaches and compromised credentials expands continuously, checking passwords against a dynamic database rather than a static list is critical.
If a compromise is detected, it’s vital to institute an immediate, automated action. Automation allows organizations to customize the action such as a password reset to secure the account before additional damages can occur, or a prompt to the user to create a new password the next time they log in.
As we enter the next decade, companies must take action to protect themselves and ensure stolen passwords for their users aren’t putting their accounts at risk. At Enzoic, we provide a range of automated solutions that stop compromised logins or passwords from being used to activate accounts for users, customers, and employees. And, equally important, our products continuously screen to ensure that existing credentials have not been compromised.
Enzoic’s Active Directory tool would detect many of the exposed or stolen passwords in the 44 million accounts. It runs quietly in the background and only impacts users that are using bad, compromised, or stolen passwords.
It’s time for organizations to make a new year’s resolution to banish compromised credentials once and for all!