Organisations that rely on password-based authentication to protect corporate accounts often focus security initiatives on ensuring passwords are long and strong in order to withstand a cyberattack. However, cybercriminals looking to gain unauthorised access may have an easier route available to them – they may be able to simply buy corporate credentials.
Employees who have previously had accounts with a service provider which has been the victim of a data breach may find that their passwords have been compromised. Credential pairs are in high demand among cybercriminal groups on the dark web, where they are regularly leaked and exchanged. These can then be used in credential stuffing attacks – attempts to exploit password reuse by guessing known credential pairs in login forms.
With almost 6 billion passwords leaked online in 2021, the threat is significant. However, even that figure fails to take into account the reason credential stuffing attacks work – most people reuse passwords for multiple applications. As a result, while 6 billion passwords were stolen, the number of accounts that can be compromised as a result will be much greater.
With many employees also using personal passwords at work, organisations which rely on credentials for authenticating users have a high likelihood of their corporate passwords being available for cybercriminals to purchase on the dark web.
How organisations are exposed to long-tail risk from credential reuse
Research from My1Login found that even among users who have received cybersecurity training, 85% of people reuse passwords, and 63% use personal passwords for business, greatly increasing the potential attack surface and vulnerability organisations have to credential stuffing attacks.
Wherever passwords are reused, the impact of a data breach can also be significantly larger, as one compromised account can lead to additional accounts becoming compromised.
Organisations that rely on password-based authentication are very likely to have accounts for corporate applications in use for which the credentials are published on the dark web and available for cybercriminals to purchase.
If accounts of former employees also remain active, the problem can be even more severe. In this case, even employees who have left the organisation long ago will still pose a risk to their former employers, as their old, active accounts could still be breached if the password is reused and compromised elsewhere.
Why mandating password change fails
One method that organisations adopt to mitigate the threat of compromised credentials is to mandate a password policy which requires passwords to be changed regularly. While IT can mandate and enforce this policy on on-premise applications that are within their control, this is not the case for third-party cloud apps which are outside the organisation’s direct control, and which typically make up the majority of enterprise apps. Password change can be effective at preventing credential stuffing attacks, but it is difficult to enforce and typically results in introducing other insecure practices, such as password reuse.
The main reason employees use weak credentials, or the same credentials for multiple applications, is that they are simply required to memorise too many of them. With the average person having over 100 passwords, adding a requirement to change them regularly makes an already-difficult task virtually impossible. To manage the sheer volume of apps, users will often resort to other insecure practices to address the problem, such as storing passwords in spreadsheets, or making minor adjustments such as incrementing suffixed numbers – tactics which are well-known to cybercriminals and taken into account when the attack is made.
How Single Sign-On solves the problem of compromised credentials
There is a strong likelihood that any organisation which utilises passwords to authenticate its employees will have credentials which can be used to access corporate data available for purchase. To mitigate the risk of this threat, many organisations are moving away from a reliance on end-user behaviour to protect the organisation against data breaches, and towards a system-driven approach by adopting technological solutions, such as Single Sign-On (SSO).
SSO removes the need for users to remember credentials, and therefore the human restrictions on the number and complexity of passwords. Some SSO solutions enable organisations to enforce strong password policies across all of their applications, even third-party cloud apps, and automatically generate high-entropy passwords for applications. Where an SSO solution has the ability to perform automatic password change on third-party apps, this can ensure that compromised credentials are no longer a threat.
SSO can also remove passwords entirely through passwordless authentication, making use of secure protocols such as SAML and OIDC to send secure tokens to authenticate users instead of credentials. Without the use of credentials to authenticate users, the threat of credential theft is removed entirely. Whether it be through automating credential-based authentication, or removing credentials altogether, Single Sign-On helps mitigate the risk of compromised passwords being used to gain unauthorised access to corporate data and protects enterprises from credential-related cyberattack.
Find out more on how organisations are protecting themselves against data breaches.
