In 2021, attackers breached Colonial Pipeline using a compromised VPN password, which they may have obtained from a dark web leak. Not every stolen password results in the shutdown of the largest fuel pipeline in the U.S., but the repercussions of a compromised password can still be severe. Compromised credentials do not just affect you as an individual; they can compromise your entire organization by giving attackers access to critical systems and data. In fact, credentials are the primary means by which a bad actor gets into an organization, with 61% of breaches involving credential data. From exposed data and lost accounts to organizational downtime and compliance complications, stolen passwords expose organizations to significant risk, and that risk calls for a plan to minimize the fallout and avoid becoming a victim of cybercrime.
Unfortunately, it is no longer a question of whether a breach will occur but when. If an organization's data security policy and procedures do not clearly define expectations for password hygiene and require MFA, credentials are more likely to be stolen and used by an attacker. Further, credentials may already be on the dark web without your knowledge. Once attackers hold a set of compromised credentials, they try them against more valuable accounts, such as email or financial services (credential stuffing), which is why password reuse turns one leak into many. So, if you have a stolen password, here is what to do about it.
When in Doubt, Change it Out
No matter your level of cybersecurity expertise, you are likely aware that compromised passwords are concerning. 92% of people know that using the same password or a variation is a risk, but 65% still use the same password or variations across accounts. Perhaps more concerning, 45% of people do not change their passwords even after a breach has occurred.
If you even suspect your password may be compromised, there is no harm in changing it to a new one, especially if the original (or any variation of it) is used across multiple logins. Change it from a device you trust, and where the service offers it, sign out of all other sessions so that an attacker already logged in is evicted too. When it comes to good password hygiene, do your best to avoid patterns, personal details, and of course, recycling.
Make Use of Multi-factor Authentication
If an attacker manages to obtain your username and password, multi-factor authentication (MFA) adds a verification step that can prevent account compromise: in addition to something you know (the password), the login requires something you have (a phone, hardware key, or authenticator app) or something you are (biometrics). Not all second factors are equal; codes sent by SMS can be intercepted or phished, while authenticator apps are stronger and hardware keys using FIDO2/WebAuthn resist phishing outright.
In May 2021, President Biden's Executive Order 14028 on improving the nation's cybersecurity directed federal agencies to adopt multi-factor authentication. As MFA becomes more widely adopted, many sites offer code generation applications or push notifications to a verified device, adding an extra step that makes it much harder for anyone but the legitimate user to log into the account.
In addition to MFA, single sign-on (SSO) lets users authenticate once and then access multiple related applications or systems with that one identity. The security benefit is concentration: one well-protected account, enforced MFA at the identity provider, and a single place to revoke access when a credential is compromised or an employee leaves, instead of dozens of separately managed passwords. Organizations that can invest the time and resources into an SSO solution remove a large share of the passwords that could be stolen in the first place.
Accept Help from a Password Manager
Creating new, unique passwords for every online account can be daunting, particularly since we tend to vastly underestimate how many accounts we truly have. Beyond the enterprise-level apps that might be standardized across your organization, each employee is likely to have dozens more, whether they use them once a year or every day. Small businesses (1-25 employees) average 85 passwords per employee, while the average 250-employee company has approximately 47,750 passwords in use across the entire organization.
This is where password managers come in, protecting your organization's information while removing password obstacles for employees. Password managers like Keeper, 1Password, and LastPass can generate strong, unique passwords for your accounts and store them in an encrypted vault, so you do not have to remember each and every one. When there is no need to remember multiple passwords, you are far less likely to recycle them, and you can rely on autofill to keep access to your accounts; because a manager only fills a credential on the site it was saved for, autofill also refuses to hand a password to a look-alike phishing domain. Even if a password is eventually compromised, it will have been used for only one account. In combination with MFA, password managers can help stop a breach in its tracks.
Stay a Step Ahead with Scanning
Stolen password scanner tools let organizations check the dark web and public breach corpora for their users' credentials, or subscribe to breach notifications so they learn of leaked data as soon as it surfaces. Early detection lets administrators and employees change the affected passwords (to strong, unique ones) before criminals use them, helps you identify a potential breach sooner, and gives you time to take preventive measures. This matters all the more because many users recycle their passwords across many platforms, so one leaked password may unlock several accounts.
Especially if you already know of one compromised credential, run a scan for others you might not have known about, and sign up for data breach notifications to stay on top of it in the future.
Something is Better Than Nothing
Having something is better than nothing when it comes to good password hygiene and recovering from a stolen password. There are several password managers and MFA options on the market; find one that aligns with your organization's needs and is easy enough to use that people actually adopt it. Since compromised credentials are the primary way attackers get into an organization, combine proactive measures (unique passwords, MFA, SSO) with reactive ones (rotation after a leak, breach scanning) so that good password hygiene is practiced across the board, existing exposure is reduced, and future threats are blunted.