How Are Passwords Stolen and Why?


As new beginnings come with the spring season, it’s time to purge harmful password hygiene habits (and old passwords) and make room for robust password hygiene and multi-factor authentication (MFA) tools.

Without good password hygiene integrated throughout an organization, companies are more susceptible to an easily avoidable cyberattack. In addition to poor password hygiene, many organizations do not deploy a stolen password scanner to check for stolen passwords or use MFA, which protects accounts by requiring multiple verification methods for the many applications needed throughout the business.

How Are Passwords Stolen?

Cyber attackers frequently target and attack email accounts, websites, and app databases. It’s often not a question of if a large website will be breached; it’s when. Once attackers are in the database, they have access to all emails, passwords, and other sensitive information. According to a recent study, there are more than 15 billion stolen passwords on the dark web.

Poor password practices allow attackers to use compromised credentials to attempt to log into more valuable accounts, such as email or financial services. For example, an attacker gets into the account of an employee in the finance department and re-routes customer payments. In some of the latest malicious acts, attackers have moved further down the pipeline and stolen sensitive customer data.

According to Breach Alarm (2019), some one million passwords are stolen each week. Passwords are stolen when the credential database of a website or application is breached. They can also be stolen when an employee clicks on a phishing email and enters credentials into a fake website. Keystroke loggers, which covertly record keystrokes so that keyboard users are unaware they are being monitored, are also common.

The password conundrum

Most people cringe when they have to reset their passwords. Passwords are hard to come up with, so we try to devise ways to make them easier to remember. These shortcuts can give attackers the keys to the entire kingdom.

The Information Security Office (ISO) recommends using long, complex, and unique passwords or passphrases to help prevent accounts from being compromised. But according to the Ponemon Institute, 53% of users depend on memory alone to manage their passwords – difficult to do when following best practices to make passwords complicated.

Passwords are often stolen simply because of poor password hygiene – which comes in many different forms.


Poor password hygiene looks like:

Patterns – changing numbers or parts of the password rather than creating a unique password.

  • Common patterns – qwerty, 123456, !@#$%
  • Changing one character when updating
  • Sequential number increases (from 12 to 13) or adding a number (from 123 to 1234)
  • Repeating characters
  • Special character substitutions (A to @, E to 3, S to $, I to !, etc.)
  • Single dictionary words (football, princess, sunshine, dragon, monkey, hockey)

Frequently used passwords: 123456, 123456789, qwerty, password, 111111, 1q2w3e, letmein, iloveyou

Personal details: Significant names, dates, hobbies, sports teams, addresses, phone numbers, and other common data are easier to guess with “open-source intelligence gathering.” A cyber attacker can quickly obtain this information by browsing a social media account.
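The patterns listed above can be checked automatically before a password is accepted. The following is an added example written for this post, not code from Defendify's platform; the common-password and dictionary sets are constructed from the lists above and stand in for the much larger corpora a real deployment would load.

```python
import re

# Constructed sample lists for this example; a real deployment would load the
# full breached-password corpus and dictionary it uses instead.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "111111",
                    "1q2w3e", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"football", "princess", "sunshine", "dragon", "monkey", "hockey"}
KEYBOARD_RUNS = ("qwerty", "asdfgh", "zxcvbn", "!@#$%")
# Reverse the substitutions the text lists (A->@, E->3, S->$, I->!) plus 0/1/5.
UNSUBSTITUTE = str.maketrans({"@": "a", "3": "e", "$": "s", "!": "i",
                              "0": "o", "1": "i", "5": "s"})

def core_word(pw: str) -> str:
    """Strip trailing digits/symbols, then undo leetspeak: 'Dr@gon2022!' -> 'dragon'."""
    return re.sub(r"[^a-z]+$", "", pw.lower()).translate(UNSUBSTITUTE)

def hygiene_findings(pw: str) -> list[str]:
    """Return the poor-hygiene patterns from the list above that a candidate exhibits."""
    findings, low = [], pw.lower()
    if low in COMMON_PASSWORDS:
        findings.append("frequently used password")
    if any(run in low for run in KEYBOARD_RUNS):
        findings.append("keyboard pattern")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("repeated characters")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789", pw):
        findings.append("sequential digits")
    if core_word(pw) in DICTIONARY_WORDS | COMMON_PASSWORDS:
        findings.append("dictionary word after undoing substitutions")
    if re.fullmatch(r"(spring|summer|autumn|fall|winter)(19|20)\d\d[!@#$%]*", low):
        findings.append("season plus year")
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    return findings

def is_trivial_change(old: str, new: str) -> bool:
    """True when 'new' is 'old' with a character appended, a trailing number bumped
    by one, or at most one character swapped; such an update is not a new password."""
    if new.startswith(old):
        return True
    m_old, m_new = re.fullmatch(r"(.*?)(\d+)", old), re.fullmatch(r"(.*?)(\d+)", new)
    if m_old and m_new and m_old[1] == m_new[1] and int(m_new[2]) == int(m_old[2]) + 1:
        return True
    return len(old) == len(new) and sum(a != b for a, b in zip(old, new)) <= 1
```

The `is_trivial_change` check needs the previous password (or a comparison against a hash of it) at reset time; it catches the "change one character" and "12 to 13" habits that a strength meter on the new password alone cannot see.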

Password recycling is also a contributor to poor password hygiene. In a SecureAuth survey, 62% of respondents claimed to use the same password across three to seven different accounts. We use many different programs at work, and it can be tempting to reuse the same password for some or all of the accounts. Password recycling opens up cascading risks. If one account is hacked, attackers essentially have a master key into any other account that uses the same password. Using unique passwords and 2FA for each account you hold is best to avoid this chain reaction.

Low Adoption of MFA

Multi-factor authentication is a great way to shore up your identity, credentials and passwords. MFA combines factors of different kinds: something you know, like a personal identification number or password; something you have, like a smartphone or hardware token; or something you are, as in the case of biometrics like facial recognition.

If a cyber attacker does get access to your credentials, MFA is another step in verification that can help prevent account takeover. Oftentimes, organizations place convenience over security when they elect not to mandate MFA in their data security policy and procedures. While that practice is easier, it’s also riskier.

There are many different types of MFA available:

  • Hardware tokens
  • Authenticator apps/tokens (TOTP – time-based one-time passcode)
  • Push notification
  • SMS verification
  • Emailed codes
  • Security questions to verify identity (What was the first car you drove? Name of your first pet?)

What Are Password Attacks?

There are many different types of password attacks, which can target different facets of your organization. For example, the Adobe breach, which affected an estimated 150 million accounts, exposed credentials that could then be used to gain access to email, banking, customer databases, intellectual property, and other information.

Credential stuffing (also known as breach replay or list cleaning) attacks take the username-password pairs exposed in a breach and try them against multiple other websites, directly exploiting the problem of password recycling.

Dictionary attacks are a technique based on trying every string in a pre-arranged list. These attacks originally used words found in the dictionary (hence the name) but have since expanded with more extensive lists available on the internet, including pet names, movie/book characters or quotes, sports teams, and the current year/season (Spring2022!).

In a brute force attack, the attacker submits as many passwords or passphrases as possible in the hope of eventually ‘guessing’ correctly, often using automated tools. They typically begin with common passwords, dictionary words, and similar candidates.

Open-Source Intelligence gathering collects information like names, dates, hobbies, and interests from social media, trying different combinations of that data – Pet’sNameBirthYear, Kid’sNameKid’sBirthday, SportsTeam! – to gain access.
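Credential stuffing and brute force leave different footprints in authentication logs: stuffing tries one leaked pair per account across many accounts, while brute force hammers one account with many guesses. The detection logic below is an added example written for this post (not Defendify's code); the log format and the addresses and usernames are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (hypothetical format, not real traffic):
# 203.0.113.10 = stuffing, 198.51.100.7 = brute force, 192.0.2.22 = a typo.
SAMPLE_LOG = """\
2022-04-01T09:00:01Z src=203.0.113.10 user=alice result=FAIL
2022-04-01T09:00:02Z src=203.0.113.10 user=bob result=FAIL
2022-04-01T09:00:02Z src=203.0.113.10 user=carol result=FAIL
2022-04-01T09:00:03Z src=203.0.113.10 user=dave result=SUCCESS
2022-04-01T09:00:04Z src=203.0.113.10 user=erin result=FAIL
2022-04-01T09:01:00Z src=198.51.100.7 user=admin result=FAIL
2022-04-01T09:01:01Z src=198.51.100.7 user=admin result=FAIL
2022-04-01T09:01:02Z src=198.51.100.7 user=admin result=FAIL
2022-04-01T09:01:03Z src=198.51.100.7 user=admin result=FAIL
2022-04-01T09:01:04Z src=198.51.100.7 user=admin result=FAIL
2022-04-01T09:05:09Z src=192.0.2.22 user=grace result=SUCCESS
"""
LINE_RE = re.compile(r"^\S+ src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def parse_log(log_text):
    """Group (user, result) attempts by source address; skip lines that don't parse."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            attempts[m["src"]].append((m["user"], m["result"]))
    return attempts

def classify_sources(attempts, min_attempts=5, distinct_ratio=0.8):
    """credential_stuffing: many accounts, ~one try each, mostly failing;
    brute_force: many tries on one or two accounts; benign: too few to judge."""
    verdicts = {}
    for src, events in attempts.items():
        total, distinct = len(events), len({u for u, _ in events})
        failures = sum(r == "FAIL" for _, r in events)
        if total < min_attempts:
            verdicts[src] = "benign"
        elif distinct / total >= distinct_ratio and failures / total >= 0.5:
            verdicts[src] = "credential_stuffing"
        elif distinct <= 2:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "suspicious"
    return verdicts

def accounts_to_reset(attempts, verdicts):
    """Accounts that authenticated from a stuffing source: the leaked pair worked."""
    return sorted({u for src, evs in attempts.items()
                   if verdicts.get(src) == "credential_stuffing"
                   for u, r in evs if r == "SUCCESS"})
```

The one successful login inside a stuffing burst is the important signal: it is the recycled password that still works, and that account needs a reset and MFA enforcement, not just the blocked source.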

Poor Password Hygiene Affects Everyone

According to the Verizon 2021 Data Breach Investigations Report, credentials are the primary means a bad actor hacks into an organization, with 61 percent of breaches attributed to leveraged credentials.

Compromised credentials won’t just focus on an individual; they can affect the entire organization. One single data breach can allow attackers access to critical data/systems throughout an organization. Without clearly defined expectations of good password hygiene and the utilization of MFA included in an organization’s data security policy and procedures, credentials are more likely to be stolen and used by a cyber attacker.

The Best Cybersecurity Spring Cleaning Solution

With cyber-attackers looking at every angle to gain access to your network, systems, applications, and processes, it takes a comprehensive, all-in-one cybersecurity process that includes tools for continuous protection. The Stolen Password Scanner, which automatically searches the Dark Web for employee email addresses and then reports any compromised passwords associated with an employee, is one effective method to identify potential breaches before they have more widespread consequences.

Clear and established Technology and Data Use Policies, which focus on password hygiene and other cybersecurity best practices, combined with education and awareness through classes, videos, posters, and different strategies, can proactively alert the organization of potential shortcomings or breaches before they infiltrate.

With tools like Threat Alerts to receive data breach notifications, Cybersecurity Health Checkup, Penetration Testing to look for default or common passwords, and the Stolen Password Scanner, you’ll have a complete compendium of integrated solutions to stay ahead of all your cybersecurity challenges.
