The Threat of Compromised Passwords

Over time passwords have become a ubiquitous part of our digital activities. They’re something we expect to create and manage for every account, and yet with so many online accounts, keeping each password unique is difficult. Despite this, they remain the most common way of locking unauthorized persons out of our systems and away from our sensitive data. The data held in our digital accounts is of great value to threat actors everywhere. This is why attackers are perfecting their techniques and using sophisticated tactics to conduct account takeover attacks using compromised passwords.

Compromised passwords pose a significant threat to the security of organizations and individuals, and as time ticks on, the list of exposed passwords continues to grow at an alarming rate. In fact, according to the Verizon Data Breach report, 81% of hacking-related breaches leveraged stolen and/or weak passwords.

The Impact of Compromised Passwords

We’re currently experiencing a data breach epidemic. According to the 2019 MidYear QuickView Data Breach Report, 4.1 million records were compromised in the first six months of 2019. According to Help Net Security, in 2019, a total of 7,098 reported breaches exposed 15.1 billion records.

Compromised passwords are a crucial part of the data breach epidemic. One study found that 90% of respondents have experienced the effects of a data breach resulting from a compromised password. Compromised passwords impact both individuals and organizations, so in this section, we’ll be focusing on both to get a full picture of the true impact.

Reputation and Financial Loss

Threat Actors can potentially gain access to an organization’s IT systems and steal sensitive data by utilizing compromised passwords. Even if they don’t use a compromised password to gain access to the system, they can often come away with many thousands or millions of these passwords after a successful data breach. This can have a significant impact on a company’s reputation and result in major financial loss, both in terms of fixing the damage and in the loss of future revenue.

The financial impact of a data breach due to compromised passwords can devastate companies of all sizes, but it can be particularly severe for small and medium-sized businesses (SMEs). SMEs are often less likely to have robust cybersecurity policies that protect against the use of already compromised passwords, and they are also less likely to believe their company will be on the radar of Threat Actors. According to the IBM Cost of a Data Breach Report, the average total cost of a data breach globally is USD 3.92 million. However, the US is the most expensive country in which to have a data breach, where the average cost rises to USD 8.19 million.

Loss of Data

According to the same IBM report, 25,575 records on average are lost in a data breach. Once this data is out there it’s incredibly difficult (if not impossible) to regain control of it.

Recent Examples of Prominent Data Breaches Involving Exposed Passwords

  • In February 2018 Under Armour’s popular fitness app MyFitnessPal was breached, resulting in 150 million usernames, email addresses, and passwords being exposed.
  • In October 2016 the FriendFinder Network, a network dedicated to adult content and communication services, was targeted by Threat Actors. In the attack, more than 412.2 million accounts were exposed and names, email addresses, and passwords were put in the hands of Threat Actors. The exposed passwords were protected only with the notoriously weak SHA-1 hashing algorithm, a fast general-purpose hash rather than a purpose-built password hash, which meant that the vast majority of passwords were cracked in very little time.
  • In 2016, Uber was hit with a data breach that exposed over 57 million user and driver records. Threat Actors were able to gain access to these records by gaining access to Uber’s GitHub account, where they then found the username and password for Uber’s AWS account. So, in this case, according to CSO Online, a compromised password directly led to millions of user records being exposed.

The Growing Threat and Looking to The Future

While passwords remain a popular way of securing data, they are far from perfect.

“The password is by far the weakest link in cybersecurity today.” (Michael Chertoff, former head of Homeland Security)

This has led some security professionals to suggest other ways of securing our data, some of which are gaining traction. Fingerprint, iris, or other biometric readers are becoming more common, as are persona-based authentication methods (relying on your online behavior and geographical location) and authentication keys. However, none of these options has managed to replace the traditional password, and each comes with its own pros and cons.

Organizations cannot move away from the password anytime soon: among all the new authentication methods, the password is still the back-up factor, and there is not yet a ubiquitously trusted alternative. This means we’re forced to come up with new and creative ways to defend our data while still using passwords. Exposed password screening and compromised credential screening are starting to become more widely used because they alert users when a password has been exposed and is therefore no longer safe to use.

Enzoic ©2020 | Privacy Policy | Acceptable Use

What is this?

Password Check is a free tool that lets you determine not just the strength of a password (how complex it is), but also whether it is known to be compromised. Billions of user passwords have been exposed by hackers on the web and dark web over the years and as a result they are no longer safe to use. So even if your password is very long and complex, and thus very strong, it may still be a bad choice if it appears on this list of compromised passwords. This is what the Password Check tool was designed to tell you and why it is superior to traditional password strength estimators you may find elsewhere on the web.

Why is it needed?

If you are using one of these compromised passwords, it puts you at additional risk, especially if you are using the same password on every site you visit. Cybercriminals rely on the fact that most people reuse the same login credentials on multiple sites.

Why is this secure?

This page, and indeed our entire business, exists to help make passwords more secure, not less. While no Internet-connected system can be guaranteed to be impregnable, we keep the risks to an absolute minimum and firmly believe that the risk of unknowingly using compromised passwords is far greater.

Since our database of compromised passwords is far larger than what could be downloaded to the browser, the compromised password check we perform must occur server-side. Thus, it is necessary for us to submit a hashed version of your password to our server. To protect this data from eavesdropping, it is submitted over an SSL connection. The data we pass to our server consists of three unsalted hashes of your password, using the MD5, SHA1, and SHA256 algorithms. While unsalted hashes, especially ones using MD5 and SHA1, are NOT a secure way to store passwords, in this case that isn’t their purpose: SSL is securing the transmitted content, not the hashes. Many of the passwords we find on the web are not plaintext; they are unsalted hashes of the passwords. Since we’re not in the business of cracking password hashes, we need these hashes submitted for more comprehensive lookups.

We do not store any of the submitted data. It is not persisted in log files and is kept in memory only long enough to perform the lookup, after which the memory is zeroed out. Our server-side infrastructure is hardened against infiltration using industry standard tools and techniques and is routinely tested and reviewed for soundness.
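The following Python sketch is an added example written for this page, not Enzoic’s own client, API, or database. It models the exchange described above (the client submits unsalted MD5, SHA1 and SHA256 digests; the server indexes its exposure corpus under every digest it can derive and reports which submitted digest hit) and, with it, the screening idea from the article body: a password can pass a conventional complexity check and still be rejected because it is known to be exposed. It also shows why the FriendFinder-style unsalted hash dumps matter to such a service: an entry that leaked only as a SHA-1 digest can be matched only by the SHA-1 digest of the candidate. The corpus, the password values and the `looks_strong` rule are all constructed for the example.

```python
import hashlib

ALGORITHMS = ("md5", "sha1", "sha256")

# Constructed sample corpus (not real breach data). A real service holds
# billions of entries server-side; this toy set exists only so the example
# runs offline.
# Exposures found as plaintext: every digest can be derived from them.
PLAINTEXT_LEAKS = ["Correct-Horse-Battery-Staple-2019!", "Summer2019"]
# Exposures found only as unsalted hash dumps, keyed by the algorithm the
# dump used. The plaintext is hashed here purely to construct the fixture;
# the lookup side never sees it.
HASH_ONLY_LEAKS = {
    "sha1": [hashlib.sha1(b"forum-dump-password-42").hexdigest()],
    "md5": [hashlib.md5(b"legacy-cms-pass").hexdigest()],
}


def client_digests(password: str) -> dict:
    """Client side: the three unsalted digests the page says are submitted.

    Unsalted means the same password always yields the same digest, which is
    exactly what makes a direct lookup against leaked hash dumps possible.
    """
    data = password.encode("utf-8")
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def build_blocklist(plaintext_leaks, hash_only_leaks) -> dict:
    """Server side: index each known exposure under every digest derivable from it."""
    index = {alg: set() for alg in ALGORITHMS}
    for password in plaintext_leaks:
        for alg, digest in client_digests(password).items():
            index[alg].add(digest)
    # A hash-only exposure is matchable only under the algorithm it leaked in,
    # which is why submitting all three digests widens coverage.
    for alg, digests in hash_only_leaks.items():
        index[alg].update(digests)
    return index


def lookup(blocklist: dict, digests: dict) -> list:
    """Server side: algorithms under which the submitted digests hit the index."""
    return [alg for alg in ALGORITHMS if digests[alg] in blocklist[alg]]


def looks_strong(password: str, min_length: int = 12) -> bool:
    """A naive complexity rule of the kind a traditional strength meter applies (constructed)."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


def screen(blocklist: dict, password: str) -> str:
    """Combined verdict: known exposure outranks complexity, as the page argues."""
    if lookup(blocklist, client_digests(password)):
        return "compromised"
    if not looks_strong(password):
        return "weak"
    return "ok"


if __name__ == "__main__":
    blocklist = build_blocklist(PLAINTEXT_LEAKS, HASH_ONLY_LEAKS)
    for candidate in ("Correct-Horse-Battery-Staple-2019!", "forum-dump-password-42",
                      "short", "an-unrelated-passphrase-9Xq!"):
        digests = client_digests(candidate)
        print(f"{candidate!r}: {screen(blocklist, candidate)} "
              f"(matched under {lookup(blocklist, digests) or 'none'})")
```

Note that the long, four-class passphrase in the fixture satisfies `looks_strong` yet is reported as compromised, while `forum-dump-password-42` is caught only through its SHA1 digest; in a deployment the `lookup` step is what runs behind the TLS boundary, and the client never needs to receive the corpus.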
