Due Diligence: A Guide to Preventing Stolen Passwords

Most of us have been there…. You open your inbox to find that dreaded email alerting you that your credentials to one of the many websites you engage with have been compromised in a breach. Immediately, your mind starts to spiral: did I use that password for other sites? What is the hacker going to do with my information? Are my other accounts safe?

Unfortunately, it’s no longer a question of whether a breach will occur, but when. The Colonial Pipeline cyberattack, one of the most well-known cyber-events in recent history, was the result of a compromised password that the criminals likely obtained in a dark web leak. Not all stolen passwords result in the takedown of the largest fuel pipeline in the U.S., but there can still be severe repercussions if your password is compromised. 

Stolen passwords don’t just affect you as an individual; they can also compromise your entire organization by allowing cyber-attackers access to critical systems and data. In fact, credentials are the primary means by which a bad actor can hack into an organization, with 61% of breaches attributed to leveraged credentialsStolen passwords open businesses up to significant risks, from compromised data and lost accounts to organizational downtime and compliance complications. 

Stolen passwords are no joke, but don’t panic: there are several measures you can take ahead of time to mitigate the risks.

1. Change it Out

No matter your level of cybersecurity expertise, you are likely aware that compromised passwords are concerning. 92% of people know that using the same password or a variation is a risk, but 70% still use the same password or variations across accounts. Perhaps more concerning, 45% of people do not change their stolen password even after a breach has occurred.

If you even suspect your password may be compromised, there is no harm in updating it to a new one – especially if the original (or any variation) is used across multiple logins. When it comes to good password hygiene, do your best to avoid patterns, personal details, and, of course, recycling.

2. Make Use of Multi-Factor Authentication and SSO

If a cyber-attacker manages to obtain your username and password, multi-factor authentication (MFA) is another step of verification that can help prevent account compromise. MFA requires something you have (a code sent to your mobile device, for example) or something you are (biometrics, like Face ID) to confirm authorized access to an account.

Without clearly defined expectations of good password hygiene and the utilization of MFA included in an organization’s data security policy and procedures, credentials are more likely to be stolen and used by a cyber-attacker. Further, credentials may already be on the dark web without your knowledge. Once cyber-criminals have access to compromised credentials, they can then attempt to log into more valuable accounts, such as email or financial services.

In addition to MFA, single-sign-on solutions (SSO) provide an authentication process that enables users to access multiple related applications or systems securely, using one set of credentials. Organizations that invest the time and resources into implementing an SSO solution add another layer of security to protect accounts.

3. Stay a Step Ahead with Scanning

Compromised password scanning allows organizations to scan the dark web for stolen passwords or to enable breach notifications to be made aware of any leaked data. Early detection of password theft alerts administrators and employees to change their passwords (using strong credentials) before criminals exploit them. It allows you to identify potential breaches more quickly and take preventive measures. This is particularly important given that many users recycle their passwords, using the same password across many platforms. 

Especially if you are already aware of compromised credentials, conduct a scan for them on the dark web to see if there are any others you might not have known about, and sign up for data breach notifications to stay on top of it in the future.

Do a FREE search for stolen passwords to help prevent account takeover with a Compromised Password Scan from Defendify.

4. Accept Help from a Password Manager

Creating new, unique passwords for every online account can be daunting, especially considering we tend to underestimate how many accounts we own. Beyond the enterprise-level apps that might be standardized across your organization, each employee will likely have dozens more, whether they use them once a year or daily. Small businesses (1-25 employees) average 85 passwords per employee, while the average 250-employee company has approximately 47,750 passwords across the entire organization.

This is where password managers come in. Password managers like Keeper, 1Password, and LastPass, can help remove password obstacles for employees by creating strong, unique passwords for accounts while storing them in a secure vault, so you’re not stuck trying to remember each and every one.

When there is no need to remember multiple passwords, you are less likely to password recycle and can safely rely on autofill functionality for access to your accounts. Even if a password is eventually compromised, the user will have only used it once. In combination with MFA, password managers can help stop a breach in its tracks.

TL;DR

  • Stolen passwords will not just affect you as an individual; they can also compromise your entire organization by allowing attackers access to critical systems and data.
  • If you even suspect your password may be compromised, there is no harm in updating it to a new one that incorporates good password hygiene. 
  • Multi-factor authentication (MFA) is an additional step of verification that can help prevent account compromise.
  • Organizations that invest in a SSO solution add another layer of security to protect their accounts.
  • Password managers protect your organization’s information while removing password obstacles for employees.
  • Compromised password scanning allows organizations to scan the dark web for stolen passwords.

Resources & insights

Webinar
Cybersecurity Spring Cleaning: Keep Your Passwords Out of the Dark Web
As new beginnings come with the spring season, it's time to purge harmful password hygiene habits that can lead to your organization's credentials being caught up on the web.
Webinar
Why Do Cyberattacks Like the Colonial Pipeline Keep Happening?
How prepared are organizations against a cyberattack? The Roux Institute at Northeastern University hosts security experts from General Dynamics - Bath Iron Works and Defendify to discuss what cybercriminals look for, and what steps IT and security professionals can take steps to strengthen cybersecurity.
Defendify Championing ‘Identity Management Day’
Blog
Identity Management Awareness & Tips to Keep Passwords Secure
Defendify is proud to be listed as an Industry Champion in the second annual Identity Management Day,' an annual awareness event that will take place on the second Tuesday in April each year. The inaugural Identity Management Day will be held on April 12, 2022.

Protect and defend with multiple layers of cybersecurity

Defend your business with All-In-One Cybersecurity.

Explore layered
security

Learn more about Defendify’s three key layers and All-In-One Cybersecurity.

How can we help?

Schedule time to talk to a cybersecurity expert to discuss your needs.

See how it works

See how Defendify’s platform, modules, and expertise work to improve security posture.

Take the first step toward comprehensive cybersecurity with a free Defendify Essentials package

Gain access to 3 award-winning cybersecurity modules. Nothing to install. Nothing to pay for.