While there are numerous ways password breaches can occur, they generally fall into two categories: targeted attacks, where a criminal focuses on obtaining credentials to gain access, and automated attacks, which don’t deliberately target any particular user account or system but attempt to compromise on a broader scale.
Targeted attacks
Guesswork
When businesses don’t enforce sufficiently rigorous password rules, users often choose weak passwords that are easy for attackers to guess. For example, passwords based on a child or partner’s name or date of birth are easy targets. However, this type of breach does require the attacker to have some knowledge of the victim’s life, family, or interests, so it requires relatively high effort from criminals.
Industrial espionage
Despite the obvious security risk, users often write down passwords that they find difficult to remember and keep them close to their workstations. If an attacker can gain physical access to your facility, they can easily harvest these credentials for use in subsequent attacks. They could also potentially install keylogging software on your users’ PCs, allowing them to capture passwords as users type them.
Automated attacks
Brute-force attacks
Attackers can use brute-forcing tools to hammer your authentication process by automatically trying millions of username and password combinations. Combining these tools with the huge lists of passwords harvested from previous breaches that circulate on the dark web massively improves the odds of success—because, despite all advice to the contrary, many people reuse the same password across some (or all) of their online accounts. This means that if even one of a user’s online services suffers a data breach and their password finds its way onto such a list, criminals can easily breach all of their other accounts, too. For a more in-depth look at brute-force attacks, read this blog on everything you need to know about brute-force attacks.
Phishing
Phishing is an example of “playing the man and not the ball”. Instead of attempting to steal passwords directly, an attacker using phishing tries to trick users into freely volunteering their username, password, and other personal information to the attacker. For example, an attacker could send an email that purports to be from the user’s bank and includes a link to a fake website that looks just like the bank’s login page. If the user falls for it and enters their username and password, the information is sent to the attacker, not the bank.
Phishing attempts are often blocked by email services, yet even experienced users can be fooled—the success rate doesn’t need to be high for it to pay dividends. Automated tools enable attackers to send out millions of phishing emails every day, and if even a small percentage get through to vulnerable users, the scam will pay off.
Hacking
The most serious, high-profile, and embarrassing password breaches occur when attackers are able to break into company systems and access users’ password data directly. These days, it’s rare for companies to store passwords in plain text. However, hashing alone is not enough: once attackers get hold of the hashed data, they can run automated cracking tools against it offline, at their leisure, and recover the original passwords.
In some cases, these types of breaches may leak thousands or even millions of passwords in a single attack, making them one of your IT security team’s worst nightmares.
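The contrast above, as an added example that is not part of the original post: a leaked list of candidate passwords (constructed here, not real data) is enough to recover a password stored as a fast unsalted hash by simple lookup, whereas a per-user random salt and a slow key-derivation function (PBKDF2 via Python's standard library) defeat that shared lookup table. The function names and the stored-record format are my own assumptions, not any particular product's.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a "previously breached" password list (not real data).
LEAKED_PASSWORDS = ["password1", "letmein", "Summer2023!", "qwerty123"]

# Iteration count for PBKDF2-HMAC-SHA256; OWASP's 2023 guidance is 600,000.
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash per password (same input, same output)."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_crack(stored_hash: str, candidates) -> Optional[str]:
    """Offline lookup an attacker can run: precompute hashes of every candidate once,
    then match any number of stolen unsalted hashes against the table."""
    table = {unsalted_hash(p): p for p in candidates}
    return table.get(stored_hash)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """The hardened scheme: random 16-byte salt plus a deliberately slow KDF.
    Record format (assumed): algorithm$iterations$salt_hex$derived_key_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Unsalted: a stolen hash of a reused password falls to the precomputed table.
    print("unsalted:", lookup_crack(unsalted_hash("letmein"), LEAKED_PASSWORDS))
    # Salted + slow: two users with the same password get different records, so
    # one precomputed table cannot serve every stolen record.
    a, b = hash_password("letmein"), hash_password("letmein")
    print("records differ:", a != b, "verify:", verify_password("letmein", a))
```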