Hacking-related data breaches leverage compromised passwords

Poor credential management opens the door to costly breaches and significant disruption. Here’s what you can do to prevent compromised passwords.

Credentials remain one of the most sought-after pieces of information for hackers, and they are still proving effective in their attack efforts. This isn’t new information; compromised passwords have been attributed to third-party data breaches for years. But it should serve as a warning, because the trend has not improved. How network credentials are managed directly reflects overall security. Secure credential management should always be in place for every user, whether internal employees or third-party vendors that need access. Luckily, there are proactive measures you can take to protect your network from those trying to exploit it. Before we dive into how to defend your network from bad actors, let’s take a deeper look at the consequences of poor credential management.

How compromised passwords lead to data breaches

According to the Verizon 2021 Data Breach Investigations Report, credentials are the primary means by which a bad actor hacks into an organization, with 61 percent of breaches attributed to leveraged credentials. Passwords, especially passwords with privileged access to organizational systems and networks, are targets for hackers because a single credential can unlock so much information. To put it simply, privileged credentials open a lot of doors. When the keys to those doors are mismanaged, a hacker has the potential to access a wealth of information and use it for malicious purposes, like leveraging confidential information for ransom payouts. And, unfortunately, many organizations inadvertently mismanage these targeted credentials by distributing the same access and privilege across the board to admins, employees, and third-party vendor reps.

Were your passwords breached?

Getting a handle on if and when your organization has experienced compromised passwords is obviously essential, and timing is everything. Conducting frequent reviews to check password security and look for evidence of password hacking should be an ongoing security practice. The good news is that there are tools to help you check for a password breach and find compromised passwords. For instance, if your employees use Chrome for system access, Google’s Password Checkup tool can help you detect and address password data breaches. And Have I Been Pwned can help by cross-checking employee credentials against lists of breached databases. Of course, one of the most practical resources is employees themselves: ongoing training and education to boost awareness and engagement in password security best practices can go a long way.
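The Have I Been Pwned check mentioned above can be automated without ever sending a password, or even its full hash, off the machine: the Pwned Passwords range API takes only the first five hex characters of the password’s SHA-1 and returns every known suffix for that prefix, so the match is made locally. The following is an added example, not code from the original article or from Have I Been Pwned; the range response below is constructed so the example runs offline, and `live_fetch_range` is the only part that touches the network.

```python
import hashlib
from typing import Callable, Dict

# Constructed stand-in for a Pwned Passwords range response. The real service
# answers GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1> with
# lines of "<remaining 35 hex chars>:<times seen in breaches>".
SAMPLE_RANGE_RESPONSES: Dict[str, str] = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"   # SHA-1("password")
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}

def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call: returns the constructed response, or nothing."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

def live_fetch_range(prefix: str) -> str:
    """Real query (needs network). Add-Padding makes the reply length uniform;
    padded entries carry a count of 0 and never match a real suffix."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "credential-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def pwned_count(password: str,
                fetch_range: Callable[[str], str] = offline_fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    Only the 5-character hash prefix leaves the client (k-anonymity); the
    35-character suffix comparison happens here."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = sha1[:5], sha1[5:]
    for line in fetch_range(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix and count.isdigit():
            return int(count)
    return 0
```

Any non-zero result means the password is in public breach data and must be reset, regardless of how strong it looks.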

How secure third-party remote access can prevent compromised credentials and data breaches

There’s a common misconception that third-party vendor access can be treated the same as employee access. When this myth plays out as mismanaged credentials, it can have adverse consequences, especially considering that credentials permit access to all corners of a network. Neglecting secure access management creates particular vulnerabilities in the case of third-party vendors and their access rights. When managing third-party remote access, the only way to ensure a vendor doesn’t compromise your network credentials is to never give them out. Remote support solutions should mask your network credentials and inject them for the vendor so they never have to see login information. This feature also helps prevent “leapfrogging”, the practice of a technician launching additional connections from within the initial target host. If the technician never knows the password, they cannot try to log into other systems with the same account.

Phishing and malware

One common way for hackers to compromise credentials is phishing. According to the same Verizon report, phishing activity was present in over one-third of data breaches. Because of that success, attackers seem to focus on more refined, targeted attacks (i.e. spearphishing) rather than mass-broadcast general attacks. Attackers are more likely than ever to establish a foothold on your network via phishing. Organizations can defend against this attack method by strengthening their endpoint defenses to knock down the malware when it tries to infect and by securing higher-privilege credentials with technology.

Sharing and reusing passwords leads to data breaches

Sharing passwords among colleagues, whether deliberately or by accident, can inadvertently lead to your credentials being compromised. Sure, you might trust your coworker to access important accounts, but that doesn’t mean the password is safe. The deeper issue with password habits is that far too many users continue to use outdated practices that place their security at risk (e.g., writing a password on a sticky note or using easily guessed passwords). Keep in mind that many people do not take responsibility for having a weak or crackable password. One of the most alarming aspects is that many people aren’t even aware of how risky their password behaviors are. If they are aware, they accept the risks and simply take the easier, less secure route.

How strong credentials avoid password data breaches

Shoring up password protocols plays a key role in mitigating compromised passwords. Password complexity is one of the most cost-effective and simple ways for organizations to improve security. To help prevent password hacking, that means creating unique, long passwords (12+ characters) incorporating uppercase and lowercase letters, plus numbers and special characters. And of course, avoid common words and phrases.

Along with strong passwords, here are proactive measures and best practices to help avoid password data breaches:

  • Utilize reliable password managers.
  • Implement two-factor or multi-factor authentication.
  • If breached, all passwords must be reset. Merely suggesting this as a plan of action leads many users to ignore the suggestion; it must be required as a protocol.
  • Never use the same password for all accounts/logins. That way, if one of your passwords is stolen or misused, the bad actor only has access to one platform instead of all of them.
  • Practice what you preach. All password best practices should be used by internal and external employees.

How to prevent and mitigate data breaches due to compromised passwords

Privileged credentials open a lot of doors that shouldn’t be open to most people, especially external entities like third-party vendors. If these credentials are mismanaged, stolen, or abused, there could be dangerous consequences for the organization and the third party involved. If you want to reduce the risks associated with privileged credentials, start by taking back the keys to your network. Third parties can’t compromise passwords they don’t have. Ensure that both internal and external people who have access to your network are abiding by the password rules you have set, usually in adherence to compliance standards or internal rules (e.g., resetting your password every 90 days, not repeating a previous password, and including characters other than letters in your password).
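The complexity rules from the strong-credentials section (12+ characters, mixed case, digits, special characters, no common words) and the policy rules just listed (no repeated passwords, a 90-day reset window) can be enforced at the point where a password is set rather than left to user discipline. The following is an added example that is not part of the original article; `COMMON_WORDS` is a constructed stand-in for a real blocklist, and the history store keeps only salted PBKDF2 digests of previous passwords, never the plaintext.

```python
import hashlib
import hmac
import re
import secrets
from datetime import date, timedelta
from typing import List, Tuple

# Constructed stand-in for a common-word blocklist; use a full breach list in practice.
COMMON_WORDS = {"password", "welcome", "company", "admin", "letmein", "qwerty"}
MIN_LENGTH = 12        # "12+ characters" from the article
MAX_AGE_DAYS = 90      # reset interval cited in the article
PBKDF2_ROUNDS = 200_000

def check_complexity(password: str) -> List[str]:
    """Return the rule violations for a candidate password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"\d", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("contains a common word")
    return problems

def history_record(password: str) -> Tuple[str, str]:
    """(salt, digest) to keep in the password-history store instead of the plaintext."""
    salt = secrets.token_hex(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS)
    return salt, digest.hex()

def is_reused(password: str, history: List[Tuple[str, str]]) -> bool:
    """True if the candidate matches any earlier record (the "can't repeat" rule)."""
    for salt, digest_hex in history:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), PBKDF2_ROUNDS)
        if hmac.compare_digest(candidate.hex(), digest_hex):
            return True
    return False

def rotation_due(last_changed: date, today: date) -> bool:
    """True once the password is older than the 90-day window."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)
```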

To learn more about how to protect yourself from data breaches tied to compromised credentials, even when granting third parties access to your network, download our vendor privileged access checklist that highlights exactly how you can ensure your vendors aren’t compromising your security.