
Password security: why standard policies are not enough

The need to adopt advanced strategies to protect sensitive passwords

The article warns about weaknesses in password policies and emphasizes that password complexity requirements are not enough. Stolen passwords are sold on the dark web and used in "credential stuffing" attacks. Organizations must defend themselves by promptly identifying and reporting compromised passwords.

Weak password policies leave organizations vulnerable to attacks. But are classic password complexity requirements enough to protect them? 83% of compromised passwords would meet the complexity and length requirements of the compliance rules. This is because bad actors already have access to billions of stolen credentials that can be used to compromise additional accounts through reuse of the same credentials. To strengthen password security, organizations must look beyond complexity requirements and block the use of compromised credentials.
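The point above is that a password can satisfy every classic complexity rule and still be useless because it already sits in a breach corpus. The following Python is an added example, not code from the original article: it applies a conventional complexity check and then screens the password against a constructed, offline breach corpus using the SHA-1 prefix (k-anonymity) lookup pattern, in which only the first five hex characters of the hash are sent to a lookup service and the full hash is compared locally. The corpus contents, counts and helper names are assumptions made for this example.

```python
import hashlib
import re

# Constructed sample breach corpus for this example (not real breach data).
# It is keyed the way a k-anonymity range lookup returns results:
# SHA-1 prefix (5 hex chars) -> {hash suffix: number of times seen in breaches}.
LEAKED_SAMPLE = {
    "Password1!": 50000,     # meets classic complexity rules, yet compromised
    "Summer2023!": 12000,    # same
    "qwerty": 3000000,       # fails complexity and is compromised
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as breach corpora are usually indexed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(leaked: dict) -> dict:
    """Index plaintext->count into the prefix/suffix shape a range lookup returns."""
    corpus: dict = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        corpus.setdefault(h[:5], {})[h[5:]] = count
    return corpus


CORPUS = build_corpus(LEAKED_SAMPLE)

# Classic policy: at least 8 characters and one of each character class.
COMPLEXITY_RULES = [
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
]


def meets_complexity(password: str, min_len: int = 8) -> bool:
    return len(password) >= min_len and all(r.search(password) for r in COMPLEXITY_RULES)


def breach_count(password: str, corpus: dict = CORPUS) -> int:
    """Return how often the password appears in the corpus (0 = not found).

    Only the 5-char prefix would leave the client in a real range lookup;
    the suffix comparison happens locally so the full hash is never disclosed.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    return corpus.get(prefix, {}).get(suffix, 0)


def evaluate_password(password: str, corpus: dict = CORPUS) -> list:
    """List of reasons to reject the password; empty list means acceptable."""
    problems = []
    if not meets_complexity(password):
        problems.append("complexity")
    n = breach_count(password, corpus)
    if n:
        problems.append(f"compromised ({n} occurrences)")
    return problems


def share_meeting_complexity(leaked: dict = LEAKED_SAMPLE) -> float:
    """Fraction of the leaked sample that a complexity-only policy would accept."""
    ok = sum(1 for pw in leaked if meets_complexity(pw))
    return ok / len(leaked)


if __name__ == "__main__":
    for pw in ("Password1!", "qwerty", "correct-horse-battery-Staple9"):
        print(pw, evaluate_password(pw) or "accepted")
    print("leaked sample passing complexity:", share_meeting_complexity())
```

The complexity check alone accepts two of the three constructed leaked passwords; only the breach lookup rejects them. Note that the lookup is done on the hash at password-set time and on login, never by storing or transmitting the plaintext.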

There is a market for stolen credentials

Every time an organization suffers a breach or a subset of customer credentials is stolen, there is a strong possibility that all those passwords will end up for sale on the dark web. Remember the Dropbox and LinkedIn hacks that led to the theft of 71 million and 117 million passwords? There is a black market that sells those credentials to hackers, who then use them in "credential stuffing" attacks.

How credential stuffing works

“Credential stuffing” is a popular attack method due to the minimal effort required to achieve maximum financial gain; so much so that in recent years six times as many credentials have been stolen and sold. The more stolen credentials grow with each new breach, the greater the opportunity for credential stuffing. It is estimated that 111 million cyberattacks occur every day. For every million email address and password combinations, attackers can potentially compromise between 10,000 and 30,000 accounts.

How to defend yourself from this threat

Reusing passwords across multiple sites increases the exposure of user accounts and makes unauthorized access harder to prevent. Promptly identifying compromised passwords and notifying the affected accounts is therefore critical to reducing the credential stuffing threat to organizations and their users.
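"Promptly identifying" compromised accounts means spotting the stuffing pattern in authentication logs: one source trying many distinct usernames in a short window, mostly failing, with the occasional success that marks an account whose reused password has been matched. The following Python is an added example, not code from the original article: it parses a constructed authentication log, flags source addresses that fit that pattern, and lists the accounts that logged in successfully from a flagged source so they can be notified and forced through a password reset. The log format, thresholds and addresses (from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are assumptions for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One line per attempt.
SAMPLE_LOG = """
2023-09-25T11:59:01Z ip=203.0.113.7 user=alice result=FAIL
2023-09-25T11:59:02Z ip=203.0.113.7 user=bob result=FAIL
2023-09-25T11:59:03Z ip=203.0.113.7 user=carol result=OK
2023-09-25T11:59:04Z ip=203.0.113.7 user=dave result=FAIL
2023-09-25T11:59:05Z ip=203.0.113.7 user=erin result=FAIL
2023-09-25T11:59:06Z ip=203.0.113.7 user=frank result=FAIL
2023-09-25T11:59:10Z ip=198.51.100.4 user=alice result=FAIL
2023-09-25T11:59:20Z ip=198.51.100.4 user=alice result=OK
2023-09-25T12:30:00Z ip=203.0.113.9 user=gina result=FAIL
2023-09-25T12:30:05Z ip=203.0.113.9 user=hank result=FAIL
""".strip().splitlines()

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try >= min_users distinct accounts inside `window`
    with a success ratio at or below max_success_ratio (a stuffing signature:
    many accounts, few hits). Returns {ip: summary} for flagged sources."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the slice fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            slice_ = evs[start:end + 1]
            users = {e["user"] for e in slice_}
            successes = sum(1 for e in slice_ if e["result"] == "OK")
            if len(users) >= min_users and successes / len(slice_) <= max_success_ratio:
                # Accounts that the attacker actually got into from this source:
                # these are the ones to notify and reset.
                compromised = sorted({e["user"] for e in evs if e["result"] == "OK"})
                flagged[ip] = {
                    "distinct_users": len({e["user"] for e in evs}),
                    "attempts": len(evs),
                    "compromised": compromised,
                }
                break
    return flagged


def accounts_to_notify(flagged):
    """Union of accounts successfully accessed from any flagged source."""
    return sorted({u for summary in flagged.values() for u in summary["compromised"]})


if __name__ == "__main__":
    result = detect_stuffing(parse(SAMPLE_LOG))
    for ip, summary in result.items():
        print(ip, summary)
    print("notify and reset:", accounts_to_notify(result))
```

On the constructed log only 203.0.113.7 is flagged: six distinct accounts in a few seconds with one success. The single user retrying from 198.51.100.4 and the two-account burst from 203.0.113.9 stay below the thresholds, which is the trade-off to tune against real traffic volume.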


09/25/2023 11:59

Marco Verro
