As we see play out in breach events year after year, the security of enterprise data and systems can often be undermined by something as simple as a compromised password. Despite the growing availability of new authentication methods and the aspirational drive toward a "passwordless" future, passwords continue to be a popular method of authentication, as well as a popular target for threat actors. Below are some recent incidents and statistics that shine a light on how frequently breaches involve compromised passwords:
- Google Cloud’s 2023 Threat Horizons Report found that 86% of breaches involve stolen credentials, and credential issues account for over 60% of compromise factors—which could be addressed by stronger identity management guardrails in place at the organization level.
- According to the 2023 Verizon Data Breach Investigations Report, 74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials, or social engineering. The report also found that web application attacks account for 25% of breaches, and consist largely of leveraging stolen credentials and vulnerabilities to get access to an organization’s assets.
- In 2023, the American Bar Association disclosed a hack affecting 1.5 million members whose login credentials, including encrypted password data, had been compromised.
- Video game publisher Activision suffered an alleged phishing attack in which an employee's credentials were obtained and subsequently used to infiltrate its systems.
From phishing and malware, to the risky practice of password sharing, this article covers how hackers use compromised passwords, unveiling the ways in which they can lead to data breaches and highlighting their critical role in cybersecurity incidents. We will also explore proactive measures organizations can take, including the use of strong and unique passwords, password managers, and privileged access management solutions to protect against password-based threats.
What are compromised passwords?
Compromised passwords are passwords that have been exposed, stolen, or accessed by unauthorized individuals, often through security breaches or hacking incidents.
With the explosion of remote work, third-party vendors needing access, mobile adoption, and cloud deployments, the traditional network perimeter has dissolved and shifted to center around identity. The sharp increase of human and machine identities in recent years has vastly expanded the attack surface—with poorly managed credentials being one of the prime targets for threat actors.
The data is clear: compromised passwords and credential misuse are rampant in the evolving threat landscape. Whether it’s a lack of adequate password management, or simply employees using easy-to-crack, common passwords (123456, password, qwerty, etc.), there’s a real need for organizations to understand the most common methods by which passwords are compromised, and how to sufficiently prevent or mitigate credential-based gaps in their security estate.
How do compromised passwords lead to data breaches?
Simply put, compromised passwords lead to data breaches by providing unauthorized individuals or threat actors with access to sensitive accounts, systems, and data. These breaches often play out as part of a cyber attack chain (also known as the cyber kill chain). Password and credential management vulnerabilities, and the use of compromised passwords, can occur during every step:
- Step 1: Perimeter Exploitation - These are the early attempts to gain access to an organization’s IT systems and data, and could include the use of stolen passwords, brute force password attacks, credential stuffing, and social engineering (phishing, etc.) to gain access to passwords and login information.
- Step 2: Privilege Hijacking and Escalation - Once the attacker is inside the organization’s systems, they will attempt to escalate privileges or hijack additional systems or accounts through numerous means, including credential exploitation. This could involve further brute force attacks, locating unsecured repositories of credentials, monitoring unencrypted network traffic to identify credentials, or changing permissions on existing compromised accounts.
- Step 3: Lateral Movement and Exfiltration - This stage is where the attackers move laterally from one system to another to gain access to privileged accounts, sensitive data, or critical assets. There are a number of ways to move laterally, including using compromised passwords to hijack more accounts, or using password cracking techniques. Once the attacker gains access to the organization’s sensitive data, they can sell it, use it for additional attacks, lock it off via encryption and ransom it, or openly distribute it to damage the organization. It’s also becoming common for a threat actor to sell the means of access to the organization’s network.
How are passwords compromised?
Passwords serve as a first line of defense against unauthorized access to sensitive accounts and information. However, despite their importance, passwords can be compromised through many methods. Common ways in which passwords are compromised include:
Phishing
Phishing is a technique used by cybercriminals to trick individuals into revealing their passwords and other confidential information. Typically, this involves sending fraudulent emails, messages, or links to websites that impersonate legitimate entities, such as banks, social media platforms, or online services. These malicious communications often urge recipients to provide their login credentials under the guise of urgent matters, account verification, or security updates. Unsuspecting victims who fall for these scams end up revealing their passwords to attackers, who can then hijack their accounts.
Malware
Malware encompasses a wide range of software programs designed to infiltrate, damage, or gain unauthorized access to computer systems. Password compromise through malware often involves keyloggers, which are programs that record keystrokes on an infected device. When a user enters their password, the keylogger captures this information and sends it to the attacker. Additionally, malware can include password-stealing Trojans that directly target password data stored on a compromised device. Users who unknowingly download and install malware become vulnerable to having their passwords stolen and misused.
Reusing & sharing passwords
Using the same password across multiple accounts or between team members (also known as credential recycling) can significantly increase the risk of compromise. If any one of the shared accounts is compromised, attackers can attempt to use the same credentials to gain unauthorized access to other accounts associated with the same password. If the password of an employee’s personal account is compromised and they have reused it for corporate accounts, this also puts their workplace at risk.
Bypassing multi-factor authentication (MFA)
Most multi-factor authenticators leverage an authentication token or cookie. Threat actors, in some cases, may be able to steal that authentication cookie to bypass authentication and hijack a user’s account. Over the past year, we’ve seen threat actors successfully social engineer help desks and wage MFA fatigue attacks to gain access to MFA systems. Once in, they can reset credentials or add their own authentication device. They can also attempt to escalate privileges and elevate their access to gain control over more sensitive resources or systems within an organization.
Brute-force attacks
Attackers may launch brute-force attacks, attempting various combinations to guess passwords, credentials, and encryption keys to gain unauthorized access to systems. Traditionally, this was a time-intensive process for threat actors, but today, with advanced automation and even AI, cybercriminals can rapidly cycle through numerous password combinations, significantly increasing the speed at which they can crack passwords.
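The brute-force and credential-stuffing attempts described above leave a recognisable trace in authentication logs, and that trace is what a defender monitors for. The following Python script is an added example, not code from the original article or from BeyondTrust: it parses a handful of constructed sshd-style log lines (the host name, user names and addresses are made up) and flags a source address that accumulates failed logins within a time window. It distinguishes a single account being hammered (brute force) from one source cycling through many accounts (password spraying), and notes when a flagged source later logs in successfully, which is the signal that deserves an immediate response rather than a ticket.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd-style auth log lines (host, users and addresses are made up).
SAMPLE_LOG = """\
Mar 10 09:00:01 bastion sshd[1201]: Failed password for alice from 198.51.100.7 port 50122 ssh2
Mar 10 09:00:03 bastion sshd[1202]: Failed password for alice from 198.51.100.7 port 50123 ssh2
Mar 10 09:00:05 bastion sshd[1203]: Failed password for alice from 198.51.100.7 port 50124 ssh2
Mar 10 09:00:06 bastion sshd[1204]: Failed password for alice from 198.51.100.7 port 50125 ssh2
Mar 10 09:00:08 bastion sshd[1205]: Failed password for alice from 198.51.100.7 port 50126 ssh2
Mar 10 09:00:09 bastion sshd[1206]: Failed password for alice from 198.51.100.7 port 50127 ssh2
Mar 10 09:00:11 bastion sshd[1207]: Accepted password for alice from 198.51.100.7 port 50128 ssh2
Mar 10 09:01:00 bastion sshd[1210]: Failed password for invalid user admin from 203.0.113.9 port 41000 ssh2
Mar 10 09:01:02 bastion sshd[1211]: Failed password for bob from 203.0.113.9 port 41001 ssh2
Mar 10 09:01:04 bastion sshd[1212]: Failed password for carol from 203.0.113.9 port 41002 ssh2
Mar 10 09:01:06 bastion sshd[1213]: Failed password for dave from 203.0.113.9 port 41003 ssh2
Mar 10 09:01:08 bastion sshd[1214]: Failed password for erin from 203.0.113.9 port 41004 ssh2
Mar 10 09:02:30 bastion sshd[1220]: Failed password for frank from 192.0.2.25 port 39000 ssh2
Mar 10 09:02:40 bastion sshd[1221]: Accepted password for frank from 192.0.2.25 port 39001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Return (timestamp, ip, user, succeeded) tuples for the password-login lines we understand."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a password-login line; ignore it
        # syslog timestamps carry no year; that is fine for relative time windows
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"] == "Accepted"))
    return events


def analyze(log_text, window_seconds=300, fail_threshold=5, spray_users=3):
    """Flag source IPs with at least fail_threshold failures inside any window_seconds span.

    Returns {ip: {"kind", "failures", "users", "success_after_flag"}}.
    """
    by_ip = defaultdict(list)
    for ev in parse_events(log_text):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        recent = []  # failures still inside the sliding window: (timestamp, user)
        for ts, _, user, succeeded in events:
            if succeeded:
                if ip in findings:  # a login right after a burst of failures: likely a guessed password
                    findings[ip]["success_after_flag"] = True
                continue
            recent.append((ts, user))
            recent = [(t, u) for t, u in recent if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= fail_threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": set(), "success_after_flag": False})
                f["failures"] = max(f["failures"], len(recent))
                f["users"] |= {u for _, u in recent}
                # many distinct accounts from one source = spraying; one account = brute force
                f["kind"] = "password spraying" if len(f["users"]) >= spray_users else "brute force"
    return findings


if __name__ == "__main__":
    for ip, f in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {f['kind']}, {f['failures']} failures, users={sorted(f['users'])}, "
              f"success_after_flag={f['success_after_flag']}")
```

The thresholds are deliberately low so the constructed sample triggers; in production they are tuned per service, and the "success after flag" case is the one worth paging on, since it means one of the guesses worked.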
How do I check if my password has been compromised?
- Use breach notification services - Websites like Have I Been Pwned (haveibeenpwned.com) allow you to enter your email address or username to see if they have appeared in any known data breaches. If your credentials are found in breached databases, it's an indication that your password may have been compromised.
- Look for suspicious account activity - Regularly review your online accounts for any suspicious or unauthorized activity. Check for changes in settings, unfamiliar logins, repeated failed password attempts, or unexpected emails indicating account changes.
- Keep track of unusual emails - Be cautious of unsolicited emails requesting personal information or password resets. Verify the authenticity of such emails before taking any action.
- Check with service providers - Some online services notify users if they detect suspicious activity or potential compromises. Check with the service provider if they offer such notifications.
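Have I Been Pwned also exposes its Pwned Passwords corpus through a range endpoint that lets you test a password without ever sending the password, or even its full hash, to the service: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix sharing that prefix together with a breach count, and does the comparison locally. The script below is an added example (not code from the original article or from BeyondTrust) that implements that client-side matching in Python and combines it with the short denylist of common passwords named earlier in the article. The range response embedded in it is constructed for offline use: only the hash suffix for "password" in it is genuine, the other suffixes and all counts are made up. The network function assumes the endpoint https://api.pwnedpasswords.com/range/<prefix> and its "SUFFIX:COUNT" line format.

```python
import hashlib
import urllib.request

# Common passwords named in the article; a real deployment would use a much larger denylist.
COMMON_PASSWORDS = {"123456", "password", "qwerty"}

# Constructed stand-in for the response to /range/5BAA6. Each line is
# "<remaining 35 hex chars of a SHA-1>:<times seen in breaches>". Only the
# suffix for "password" is genuine; the other suffixes and every count are made up.
SAMPLE_RANGE_5BAA6 = """\
1E2B9D5F7C6A9D8C7B6A5F4E3D2C1B0A9F8:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
2A3F4E5D6C7B8A9F0E1D2C3B4A5F6E7D8C9:12
"""


def split_hash(password: str):
    """SHA-1 the password and split it into the 5-char prefix sent out and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Query the range endpoint; only the 5-character prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-hygiene-check"},  # assumed identifier for this example
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def count_in_range(suffix: str, range_body: str) -> int:
    """Compare our suffix against every candidate in the response; 0 means not found."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 if never seen)."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


def check_password(password: str, fetch=fetch_range, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected; an empty list means acceptable."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    seen = breach_count(password, fetch)
    if seen:
        reasons.append(f"seen {seen} times in known breaches")
    return reasons


if __name__ == "__main__":
    # Offline demo: feed the constructed response instead of making a live query.
    offline = lambda prefix: SAMPLE_RANGE_5BAA6
    print(check_password("password", fetch=offline))
```

Passing `fetch=fetch_range` (the default) runs the live query; the `fetch` parameter exists so the matching logic can be exercised offline, as the demo does. Because only a five-character prefix is transmitted, the service learns nothing that identifies the password being checked.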
How to prevent passwords from being compromised
Maintaining a balance between security and usability is an ongoing challenge every organization should strive to get right. For instance, implementing overly stringent password policies, which introduce hurdles for end users, may lead to user resistance or increased support requests. Additionally, the human element remains a vulnerability, as employees might fall victim to phishing attacks or inadvertently share passwords, underscoring the ongoing need for comprehensive cybersecurity education and continuous monitoring.
Here are some security best practices to prevent password compromise and protect against password-based attacks:
Use strong, unique passwords
Create passwords that are complex, containing a mix of uppercase and lowercase letters, numbers, and special characters. Avoid using easily guessable information like birthdates or common words. Ensure each account has a unique password, and make sure users aren’t sharing accounts or passwords.
Implement multi-factor authentication (MFA)
Enable phishing-resistant MFA wherever possible. This adds an extra layer of security by requiring an additional form of verification, such as a code sent to your phone or a personalized USB token, in addition to your password. Two-factor authentication has become a standard for managing access to organizational resources. In addition to traditional credentials, like username and password, users have to confirm their identity with a one-time code sent to their mobile device or using a personalized USB token. The idea is that, with two-factor (or multi-factor) authentication, guessing or cracking the password alone is not enough for an attacker to gain access.
Enforce the principle of least privilege (PoLP)
Limit access to sensitive assets throughout your digital estate. Granularly provision, restrict, and lock down access based on need and context.
Use a password manager to secure all employee passwords
A global study found that only 34% of users across the globe use a password manager, while only 25% of users across the globe (and 32% of Americans) are required to use a password manager at work. Implementing a password manager in your organization can help improve security in a number of ways, such as by auto-generating and storing complex passwords for your users, making it easier to manage strong and unique passwords at scale.
Additionally, privileged credentials, the most important credentials to secure, require special protections: they need to be rotated and changed frequently (after every use for highly sensitive credentials), automatically injected into critical resources or systems, and never directly visible or known to the end user. Their use also requires strong oversight, which entails implementation of privileged session monitoring and management capabilities.
Follow standard system hardening best practices
Keep your operating systems, applications, and security software up to date, such as by patching vulnerabilities. Avoid using public Wi-Fi networks for sensitive activities like logging into accounts, as they may be less secure. Remove or disable unnecessary applications and functions to further minimize the attack surface.
How to prevent privileged password compromise and protect against password-based attacks with BeyondTrust
Privileged credentials are the organization’s most sensitive secrets, providing privileged access for critical accounts, applications, and systems. However, the line between privileged and unprivileged accounts and access is becoming increasingly blurred. While traditional privileged accounts remain a core focus, business accounts, particularly with cloud-based access, increasingly involve sensitive activities and access.
BeyondTrust Password Safe, a leading privileged account and session management (PASM) solution, not only protects traditional privileged passwords and accounts, DevOps secrets, and SSH keys, but also provides the capability for securing workforce passwords (for employee business application accounts) and more.
- Discovers, onboards, and manages (rotates, etc.) privileged accounts and credentials (including SSH keys, tokens, and certificates) for humans and machine identities at enterprise scale
- Secures DevOps secrets to support SecDevOps across CI/CD pipelines and use of DevOps toolsets
- Secures workforce passwords for employee business applications to extend broad enterprise identity protection across various teams and users
- Manages and monitors privileged sessions, providing an unimpeachable audit trail of privileged activity
- Helps prevent and protect against account hijacking, credential re-use attacks, exposed hardcoded passwords, lateral movement, privilege escalation attacks, and more.
Contact us to learn more about how BeyondTrust can help you safeguard your organization against identity-based threats.
More resources to help you protect against password & identity-based attacks
- Privileged Password Management Explained (Whitepaper)
- Tech Talk Tuesday: Privileged Account & Session Management and Third-Party Access Control (Webinar)
- Password Cracking 101: Attacks & Defenses Explained (Blog)
- Why Privileged Password Management + Secrets Management in 1 Tool is a Big Win for Enterprises (Blog)
Allen Longstreet, Content Marketing Writer
Allen is a content marketing writer at BeyondTrust. He has a wealth of experience building content strategy for tech start-ups and SaaS businesses. He has a passion for video production, creative storytelling, and the intersection between the two.