Millions of Britons and hundreds of thousands of UK businesses are using cracked or weak passwords for online accounts, according to new research from the cyber security and data analytics company, CybSafe.
CybSafe conducted a blind-analysis of the passwords used by over 21,000 staff at a sample group of 250 UK companies for the prevalence of ‘exposed passwords’ – that is, passwords which have been previously compromised in data breaches. Comparing passwords from these accounts with data from haveibeenpwned.com – the data breach tracking website run by security researcher, Troy Hunt – the CybSafe investigation found that 47 per cent of UK businesses were employing staff with exposed passwords.
“The issue of exposed passwords is often not well understood by the general public,” explains Oz Alashe, CEO of CybSafe. “There’s a fairly common assumption that so long as you’re not using a short combination, like ‘123’, and/or an obvious combination, like the name of your child or a favourite football team, that you’re therefore safe.
“But complicated doesn’t always equal safe. Many don’t realise that their passwords have been compromised in old data breaches, and examples of exposed passwords aren’t always obvious. The password ‘ji32k7au4a83’, for example, may look like a safe and random combination of numbers and letters, but as analysis shows, this password has appeared in over 140 data breaches.”
The CybSafe team also examined the prevalence of ‘weak passwords’, which they classified as any passwords with an entropy below 60 bits, and found that 71 per cent of companies were employing staff with weak passwords. Collectively, CybSafe’s data indicates that 74 per cent of UK businesses are employing staff who are using vulnerable password combinations – either weak passwords, exposed passwords, or both.
“The prevalence of both weak passwords and exposed passwords pose an extraordinary threat to UK businesses through credential stuffing and brute force attacks,” adds Alashe. “The phenomenon of exposed passwords, in particular, is not a well-understood issue.
“Using strong, varied passphrases across different accounts is the most effective thing people can do to protect themselves and their company from experiencing a successful cyber attack. Leaders need to be thinking about the role that security training and awareness programmes can play in encouraging their people to adopt these best practices.”
Following the study, participants were informed if their passwords were found to be weak or exposed. Exactly two thirds of these decided to change their passwords.