Help Net Security - Daily information security news with a focus on enterprise security.
Help Net Security
February 19, 2019

Indicators of poor password hygiene exposed

SpyCloud has released its 2018 Credential Exposure Report, which covers the compromised credentials and personally identifiable information (PII) it recovered, along with the trends it identified in online security habits and in the data criminals tend to steal and use.


SpyCloud’s research team recovered 3,457,017,136 exposed sets of online account credentials and PII from 2,882 different sources, many of which were high-profile data breaches that led to credentials going up for sale on dark web forums and marketplaces. Over 2.6 billion of those credential sets included a password.

Based on SpyCloud’s analysis of the leaked data, at least 24 percent of users recycled a password, and an overwhelming 90 percent of that segment reused an exact match in spelling, capitalization, special symbols and arrangement. Another 7 percent of those users just added one or two numbers to the end of their preferred, recycled password. Inadequate password hygiene makes it significantly easier for criminals to engage in credential stuffing and the resulting account takeover (ATO).

“Account takeover facilitated by weak or stolen passwords is still one of the leading causes of fraud today,” said Eric Murphy, vice president of security research at SpyCloud. “Criminals understand how incredibly easy and effective it is to compromise online accounts at scale using software tools freely available for download.”

SpyCloud was able to use its industry-leading proprietary password cracking technology to crack 87 percent of the recovered hashed passwords. Of those passwords not already visible in plain text, 25 percent used md5, 22 percent used bcrypt, 17 percent used sha1, 10 percent used snefru-256 and 6 percent used sha512.


Among plaintext passwords, the most popular was “123456” (favored by more than 39 million users), while “password” appeared as the ill-advised passcode of choice more than 7 million times. Popular sports and teams, country names and large cities commonly made the list of most used passwords on a geographic basis. Interestingly, “anhyeuem” – Vietnamese for “I love you” – cracked the top 15 most common plaintext passwords.

“One of the easiest ways to mitigate account takeovers is to curtail password reuse across multiple accounts and make passwords difficult to steal or bypass,” said Ted Ross, CEO of SpyCloud. “Until we instill security-aware culture within organizations and ensure that individuals are consistently practicing good password hygiene spanning both work and personal accounts, ATO and its harsh consequences will persist.”
