Surge in compromised credentials highlights rampant cyber hygiene failings


Security experts have issued a warning over the growing scale of exposed account passwords after a repository of compromised credentials exceeded five billion records.

Authlogics, a UK-based provider of password security technologies for governments and large enterprises, revealed that its Password Breach Database exceeded the landmark number this month, highlighting concerning trends in password security.

Authlogics describes the database as the world’s largest repository of compromised password credentials, and the volume of exposed credentials it holds has grown rapidly in recent years.

Authlogics said the database receives “more than 1 million updates every day”, with exposed credentials “responsibly sourced” from free resources in the public domain, such as online forums, torrents, paste bins, and dark web sites.

Steven Hope, product director MFA at Intercede and founder of Authlogics, said the recent milestone showcases the increasingly dangerous threat landscape organisations and individual users are forced to contend with.

“The fact that our database now stands at more than 5 billion records is not a good news story,” he said. “Our hope is that it shines a spotlight on the scale of the dangers organisations are exposed to.”

“Just one of these records has the potential to cause harm and it should be assumed that if we have been able to source the information, those with nefarious ambitions have done so too,” Hope added.

Password security in the spotlight

The issue of password security has been thrust firmly into the spotlight in recent months amidst growing cyber threats and several high-profile data breaches.

Research published this month by threat intelligence firm SpyCloud found that password reuse remains rampant across organisations globally, a practice that lets a single exposed credential unlock multiple accounts.

Around three in five (61%) government users in the US and internationally with at least one password exposed in the last year were still using those credentials for accounts spanning both their professional and personal life.

Additionally, the research found that many users still use passwords that are easy to guess or easily compromised, such as ‘123456’ and ‘password’.
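The checks described above, a lookup against a compromised-credential corpus plus screening for trivially guessable choices such as ‘123456’ and ‘password’, can be done without ever sending the candidate password to the lookup service. The following is an added illustration, not code from Authlogics, SpyCloud or any other party named in this article. It builds a small breach index from a constructed, purely illustrative password list and uses the k-anonymity range-query pattern: the client hashes the password locally, sends only the first five hex characters of the SHA-1 digest, receives every suffix in that bucket, and does the final comparison itself. The `LEAKED_PASSWORDS` list, the function names and the 12-character length policy are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus standing in for a breach database like the one the
# article describes. These entries are illustrative, not real dump records.
LEAKED_PASSWORDS = [
    "123456", "123456", "123456", "password", "password",
    "qwerty", "letmein", "Summer2022!", "12345",
]


def build_breach_index(passwords):
    """Index a breach corpus the way a k-anonymity range API does:
    5-hex-char SHA-1 prefix -> {remaining 35-char suffix: occurrence count}.
    SHA-1 is the corpus lookup convention here, not a password storage hash."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index[digest[:5]][digest[5:]] += 1
    return index


BREACH_INDEX = build_breach_index(LEAKED_PASSWORDS)


def range_query(prefix):
    """Server side: return every suffix/count pair in the bucket for a prefix.
    The server learns only the 5-character prefix, never the full hash or the
    password, so a query cannot be turned into a credential by the service."""
    return dict(BREACH_INDEX.get(prefix.upper(), {}))


def breach_count(password):
    """Client side: hash locally, send only the prefix, compare suffixes locally.
    Returns how many times the password appeared in the corpus (0 = not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def evaluate_password(password, min_length=12):
    """Combine the breach lookup with a basic length policy (assumed 12 chars).
    Returns (accepted, reason). Exposure is checked first: a long password that
    already sits in a dump is still compromised."""
    hits = breach_count(password)
    if hits:
        return False, f"seen {hits} time(s) in breach corpus"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "no known exposure"


if __name__ == "__main__":
    for candidate in ("123456", "password", "Summer2022!", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate))
```

In a real deployment the constructed list is replaced by a breach feed and `range_query` sits behind an HTTP endpoint; the client code stays the same, which is the point of the pattern. Note that the exposure check is ordered before the length policy so that a long but already-leaked password, such as the seasonal `Summer2022!` above, is still rejected.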

Separate research from Ivanti this month found that password habits differ markedly by generation, and not in the direction many would expect.

Gen Z and millennial workers were found to be “less savvy” on password security than baby boomers or Gen X workers.


“Gen Z and millennial government workers are more than twice as likely to reuse passwords between home and use the same password across multiple devices and logins,” according to Ivanti’s Government Cybersecurity Status Report.

“Employees in all industries and generations continue to use sticky notes, pet names, birthdays, and the favourite unbreakable code: ‘12345.’,” the report added.

Hope warned that while “everyone is aware of the password problem” the issue of compromised credentials shows little sign of abating.

“Approximately 80% of data breaches have their origins in weak, shared, and reused passwords,” he said. “The simple truth is if someone wants to exploit weak or compromised passwords it can be done with relative ease at low to no cost.”

Recent data breaches have also kept password hygiene and credential security in the spotlight so far in 2023.

LastPass’ long-running data breach, first disclosed in August 2022, came to a head this month with the company’s disclosure that threat actors had infiltrated its systems and gained access to critical company and user data.

The incident raised fresh questions over password security practices and the growing trend of users relying on password managers to keep track of credentials for both personal and professional use.

Ross Kelly
News and Analysis Editor

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.

He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.

For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.