"Your Information Technology Leader"

Client Portal Payment Portal

Blog

InTegriLogic Blog

InTegriLogic has been serving the Tucson area since 1999, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.

How to Keep a Company Password Safe & Off the Dark Web

Take Sensible Precautions and Set Strong Password Policies or Pay the Price

What’s the fastest way for a cybercriminal to get into a company’s environment and cause chaos? If you answered “a stolen legitimate password”, you’re right. Cybercriminals love nothing more than getting their hands on an employee password that lets them slip into systems undetected to steal data, deploy ransomware or work other mischiefs – especially a privileged administrator or executive password. Unfortunately for businesses, bad actors can often accomplish their goal without phishing. It’s become easier than ever for them to make that dream a reality thanks to the boatload of password data that has traveled to the dark web. But there are a few things every organization can do to keep their company passwords safely in-house instead of on the dark web.

Dark Web Data is the Reason That It’s Always Password Season

The dark web has always been a clearinghouse for passwords. As the years have gone by, more and more stolen records, passwords, financial information and other data has made its way to the dark web through myriad data breaches. It’s a vicious cycle. Every new breach brings a fresh influx of data into the pool, and every influx of data can spawn a new breach. This pattern will keep on repeating, making the danger of credential compromise bigger every year. Credentials were the top type of information stolen in data breaches worldwide in 2020, and cybercriminals were quick to capitalize on their successes. An estimated 20 billion fresh passwords made their way to the dark web last year.

This year’s giant influx of fresh passwords from events like the RockYou 2021 leak just keeps priming the pump for new cybercrimes, especially password-fueled schemes like credential stuffing, the gateway to all sorts of bad outcomes like ransomware, and business email compromise, the most expensive cybercrime of 2020. Earlier this summer, the personally identifying data and user records data of 700M LinkedIn users appeared on a popular dark web forum – more than 92% of LinkedIn’s estimated total of 756M users. That created an enormous splash that will ultimately ripple out into a whole new world of opportunity for cybercrime.

Big companies aren’t doing any better. In a 2021 study, researchers found the passwords for 25.9 million Fortune 1000 business accounts floating around on the dark web. If cybercriminals felt like they really needed a privileged password to get the job done, that wasn’t a problem either. Credentials for 133,927 C-level Fortune 1000 executives were also accessible to bad actors on the dark web. Altogether, researchers determined that over 281 million records of personally identifiable information (PII) for employees of Fortune 1000 companies were readily available in dark web markets and dumps, making it easy for bad actors to find and use in hacking and fraud operations.

Reuse and Recycling is Killing Companies

Far and away, password reuse and recycling is the biggest obstacle that companies face when trying to build a strong cybersecurity culture and keep their data safe. An estimated 60% of passwords that appeared in more than one breach in 2020 were recycled or reused, a factor that every company should keep in mind when creating and setting password security policies. Employees aren’t making the mistake of reusing passwords from ignorance either. Over 90% of participants in a password habits survey understood the risk of password reuse but that didn’t stop them because 59% admitted to doing it anyway that disconnect is a huge problem for businesses everywhere.

Bad Password Hygiene is Putting Your Data in Danger

  • More than 60% of employees use the same password across multiple work and home applications.
  • 82% of workers admitted sometimes reusing the same passwords and credentials
  • 44 million Microsoft users admitted in a survey that they often use the same password on more than one account
  • 43% of Microsoft’s survey respondents have shared their work password with someone in their home for another use
  • About 20% of employees have reused their work password for online shopping, social media or streaming accounts
That sloppy password handling is directly responsible for data breaches. In fact, over 30% of the respondents in Microsoft’s survey admitted that their organization has experienced a cybersecurity incident as a result of compromised user credentials that had been shared with people outside their companies. That danger is has grown. People worldwide created an average of 15 new online accounts per person during the main thrust of the pandemic. That’s a lot of new passwords to create and remember. It also means that many more passwords were recycled or reused in 2020 than in past years making password exposure through cybercrime a strong possibility.

What Do Passwords Go for on the Dark Web Anyway?

It depends on the password, but stolen credentials can sell for a pretty penny. For a legitimate stolen corporate network credential, you’re looking at around over $3,000. But that is far from the top price a really useful password can fetch in the booming dark web data markets. Among the most valuable leaked credentials are those magic keys that unlock privileged access to corporate networks. Those types of credentials can go for as much as $120,000. That’s a price some cybercrime gangs will gladly pay to enable them to launch ransomware attacks that can fetch them millions in ransom money.

What You Can Do About It

Protecting business credentials from exposure on the dark web is an important part of creating a sturdy defense for any business. Encouraging safe password generation and handling policies helps build a strong cybersecurity culture that keeps information security risks at the top of everyone’s mind, encouraging them to practice good password habits.
  • Enable multifactor authentication
  • Never allow an employee to reuse or iterate a password
  • Configure software to make password reuse impossible
  • Require regular password changes
  • Make it standard to create a unique password for every account
  • Do not allow passwords to be written down or stored in text files
  • Use a password manager and make it available for employees
These may seem like commonsense procedures for people who regularly handle information security but making sure that everyone knows that the company takes password reuse and handling seriously gives employees a sense of how seriously they need to take it too. Do a little social engineering of your own to make sure that everyone feels like they’re part of the security team.

 
The Week in Breach News: 08/25/21 – 08/31/21
The Week in Breach News: 08/18/21 – 08/24/21

Customer Login

News & Updates

InTegriLogic is proud to announce the launch of our new website at www.integrilogic.com. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our services for ...

Contact us

Learn more about what InTegriLogic can do for your business.

InTegriLogic
1931 W Grant Road suite 310
Tucson, Arizona 85745

Copyright InTegriLogic. All Rights Reserved.