
The Compromised Credentials Crisis: A Challenge Plaguing the Cybersecurity Industry

Amber Steel, June 29, 2023
In today's interconnected world, businesses across the globe face a daunting challenge—the compromised credentials crisis. This pervasive problem affects all sectors, endangering sensitive data and posing substantial risks to organizational security. Ultimately, the compromised credential crisis threatens the financial health, stability, and brand equity of companies everywhere. What is contributing to this crisis, and what can business leaders realistically do about it?

Poor security hygiene and an expanding attack surface

After years of high-profile data breaches, cybercriminals have amassed databases of billions of account credentials and other personal information. What is driving the theft of these credentials? Poor security hygiene and an ever-expanding attack surface. These databases of stolen credentials, in turn, lead to more data breaches when employees fail to adopt better password hygiene (only half will change their password after a breach). Password reuse across multiple accounts is common, and many people also create weak, easily guessed passwords. Their motivation may be benign - to make passwords easier to remember and use - but the results are problematic. When it's easy for hackers to steal, guess or crack employee passwords, they can more readily access critical systems and take valuable data. Sometimes a simple password is all that stands between a hacker and a company's most significant assets. Data breaches seem inevitable when employees frequently mishandle passwords and companies fail to reinforce digital access points with added security measures. Moreover, the hybrid work environment combining remote and on-site workers, together with increased digital collaboration between employees and third parties, has significantly amplified the number of credentials used across an organization. With so many entry points, including cloud services, email platforms, and third-party applications, the attack surface has multiplied. A rapidly increasing attack surface makes it harder to defend against cyber threats effectively, requiring new strategies and solutions.

The compromised credentials crisis in action

Phishing attacks (social engineering), malware infections, and brute force attacks are the most common methods through which hackers steal credentials. Phishing emails or messages cleverly impersonate legitimate sources, tricking employees into disclosing their login credentials. Once obtained, hackers can exploit these credentials to gain unauthorized access to corporate systems, causing substantial damage. Malware infections pose another significant risk. When employees inadvertently download or execute malicious software, keyloggers or password-stealing malware can capture login credentials and transmit them to attackers. Stolen credentials then compromise the security of individual accounts and the entire organization, potentially leading to data breaches and financial loss. Brute force attacks involve systematically attempting many password combinations until finding the correct one. This method relies on weak or commonly used passwords, which hackers can easily decipher when leveraging large databases of stolen passwords. With high-powered computers, cracking software can guess many weak passwords in seconds. A successful brute force attack then allows hackers to impersonate employees and infiltrate systems undetected, endangering sensitive data and compromising organizational security.
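The brute force and stolen-database attacks described above leave a recognisable trace in authentication logs: a burst of failures from one source, either hammering a single account (guessing) or walking through many accounts with leaked credentials (stuffing or spraying). The following Python is an added example for defenders, not code from the original post or from LastPass; the log format, field names and thresholds are assumptions, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not real data). The line format is an
# assumption chosen for this example; adapt LINE_RE to your own logs.
SAMPLE_LOG = """\
2023-06-29T08:00:01 auth: FAILED user=alice src=203.0.113.7
2023-06-29T08:00:02 auth: FAILED user=bob src=203.0.113.7
2023-06-29T08:00:03 auth: FAILED user=carol src=203.0.113.7
2023-06-29T08:00:04 auth: FAILED user=dave src=203.0.113.7
2023-06-29T08:00:05 auth: FAILED user=erin src=203.0.113.7
2023-06-29T08:00:06 auth: OK user=frank src=203.0.113.7
2023-06-29T08:01:00 auth: FAILED user=alice src=198.51.100.9
2023-06-29T08:01:01 auth: FAILED user=alice src=198.51.100.9
2023-06-29T08:01:02 auth: FAILED user=alice src=198.51.100.9
2023-06-29T08:01:03 auth: FAILED user=alice src=198.51.100.9
2023-06-29T08:01:04 auth: FAILED user=alice src=198.51.100.9
2023-06-29T08:01:05 auth: FAILED user=alice src=198.51.100.9
2023-06-29T08:02:00 auth: FAILED user=grace src=192.0.2.44
2023-06-29T08:02:30 auth: OK user=grace src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAILED|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_events(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(events, fail_threshold=5, spray_min_users=4):
    """Return {src: verdict}. A source with at least fail_threshold failures is
    'spraying_or_stuffing' when those failures are spread over many distinct
    accounts, 'brute_force' when they concentrate on one or a few accounts,
    and 'normal' otherwise. Thresholds are assumed values for illustration."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAILED":
            fails[e["src"]].append(e["user"])
    verdicts = {}
    for src, users in fails.items():
        if len(users) < fail_threshold:
            verdicts[src] = "normal"
        elif len(set(users)) >= spray_min_users:
            verdicts[src] = "spraying_or_stuffing"
        else:
            verdicts[src] = "brute_force"
    return verdicts


def successes_after_failures(events, verdicts):
    """Accounts that logged in successfully from an already-flagged source.
    This is the signal worth paging on: it suggests a guessed or stuffed
    credential actually worked and the account should be reviewed."""
    hits = []
    for e in events:
        if e["result"] == "OK" and verdicts.get(e["src"], "normal") != "normal":
            hits.append((e["user"], e["src"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    verdicts = classify_sources(evs)
    for src, verdict in sorted(verdicts.items()):
        print(f"{src:15} {verdict}")
    for user, src in successes_after_failures(evs, verdicts):
        print(f"REVIEW: successful login for {user} from flagged source {src}")
```

The distinction between the two verdicts matters for response: a single-account brute force is usually handled by lockout or rate limiting on that account, while a many-account pattern from one source points at leaked credential lists and calls for a source-level block plus forced resets for any account that succeeded.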

Combatting the compromised credentials crisis

To address the compromised credentials crisis, organizations must:
  1. Accurately assess their current cybersecurity posture, including its strengths and weaknesses.
  2. Reduce their reliance on passwords.
  3. Enhance the security of every entry point to their digital assets.
  4. Strengthen password security where they cannot eliminate credential-based authentication.

Traditional security measures like single sign-on (SSO) and multi-factor authentication (MFA) are no longer sufficient on their own to combat this crisis. Why? Because employees adopt an ever-changing roster of third-party apps and services to improve their productivity and performance in the workplace. Not every login will be vetted and provisioned by IT (shadow IT). Organizations therefore need security solutions that protect at the user level, no matter where the user is logging in from and what they're logging in to. Passwordless authentication methods, such as biometrics (fingerprint, facial recognition) and hardware tokens, offer a more secure alternative to traditional passwords. These methods significantly reduce the risk of password-related attacks and enhance overall security by removing weak password habits and authenticating with data points that are much more difficult to steal or impersonate. In addition, organizations should implement a comprehensive security framework that includes continuous employee education and training programs. These programs emphasize the importance of strong, unique passwords, encourage the use of password managers, and guide employees in recognizing and avoiding phishing attempts.
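Where passwords cannot be eliminated (step 4 above), one concrete control behind "strong, unique passwords" is to screen every new password against a breached-password corpus and a minimum length, rather than relying on employees to judge strength themselves. The Python below is an added example and not code from the original post or from LastPass; the tiny breached corpus is constructed for illustration, and the prefix-bucket lookup mimics the shape of a k-anonymity range query (the client reveals only the first five hex characters of the SHA-1) without contacting any real service. The policy thresholds are assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password corpus. A real deployment
# would query a range-lookup service or a locally mirrored hash list.
_BREACHED_PLAINTEXT = ["password", "123456", "qwerty", "letmein", "Summer2023!", "Welcome1"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password; used only as a lookup key, never for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Bucket the corpus by the first five hex characters of the hash, the same
# shape as a k-anonymity range lookup: the client sends the prefix, the server
# returns every suffix it knows for that prefix, and matching happens client-side.
_RANGE_DB = defaultdict(set)
for _pw in _BREACHED_PLAINTEXT:
    _h = sha1_hex(_pw)
    _RANGE_DB[_h[:5]].add(_h[5:])


def range_lookup(prefix: str) -> set:
    """Server side of the lookup: all known hash suffixes for a 5-char prefix."""
    return _RANGE_DB.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    """Client side: hash locally, fetch the bucket for the prefix, compare the suffix."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])


def screen_password(password: str, username: str = "", min_len: int = 12) -> list:
    """Return the reasons a candidate password should be rejected; an empty list
    means accept. min_len of 12 is an assumed policy value."""
    reasons = []
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    if is_breached(password):
        reasons.append("appears in a breached-password list")
    return reasons


if __name__ == "__main__":
    for candidate, user in [("Summer2023!", "alice"),
                            ("alice-long-passphrase-2023", "alice"),
                            ("correct horse battery staple", "alice")]:
        verdict = screen_password(candidate, user)
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Running the screen at password-set time, plus periodically against newly published breach data, catches the reused and commonly guessed passwords the post describes before an attacker's wordlist does; the prefix-bucket design keeps the plaintext and full hash off the wire.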

Taking the next step

Companies must recognize the pervasive threat posed by the compromised credentials crisis in order to address it. When organizations are proactive about password security and data protection, they can better reduce the risk of data breaches and mitigate the potential damage of a successful cyberattack. Strengthening existing password security is a first step, but businesses that rely on fewer passwords will be better poised to navigate the cybersecurity challenges of the coming years. Learn how LastPass can help your business strengthen password security.