CybSafe conducted a blind analysis of the passwords used by over 21,000 staff at a sample group of 250 UK companies to measure the prevalence of ‘exposed passwords’ - that is, passwords which have previously been compromised in data breaches. Comparing passwords from these accounts with data from haveibeenpwned.com - the data breach tracking website run by security researcher Troy Hunt - the CybSafe investigation found that 10 per cent of users had exposed passwords and that 47 per cent of UK businesses were employing staff with these exposed passwords.
Oz Alashe, CEO of CybSafe said: “There’s a fairly common assumption that so long as you’re not using a short combination, like ‘123’, and/or an obvious combination, like the name of your child or a favourite football team, that you’re therefore safe.
“But complicated doesn’t always equal safe. Many don’t realise that their passwords have been compromised in old data breaches, and examples of exposed passwords aren’t always obvious. The password 'ji32k7au4a83', for example, may look like a safe and random combination of numbers and letters, but as analysis shows, this password has appeared in over 140 data breaches.”
The CybSafe team also examined the prevalence of ‘weak passwords’, which they classified as any password with an entropy below 60 bits. Over a quarter (27 per cent) of those studied were found to be using these weak passwords, and over 71 per cent of UK businesses were found to be employing staff with weak passwords. Collectively, CybSafe’s data indicates that 74 per cent of UK businesses are employing staff who are using vulnerable password combinations - either weak passwords, exposed passwords or both.
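As an added illustration (not CybSafe's own tooling), the Python below implements both checks the study describes: a charset-based entropy estimate against the 60-bit cut-off, and a Pwned-Passwords-style k-anonymity lookup in which only the first five hex characters of the SHA-1 leave the client. The breach table, its counts and the entropy formula are assumptions constructed for the example, since the study does not state its method; the lookup runs against that local table so the code works offline.

```python
import hashlib
import math
import string

WEAK_THRESHOLD_BITS = 60  # the cut-off the study used for 'weak'

# Constructed stand-in for a breach corpus (the counts are made up for this example).
# Keyed by upper-case SHA-1 hex digest, the form the Pwned Passwords service uses.
CONSTRUCTED_BREACH_CORPUS = {"password": 4000000, "ji32k7au4a83": 140, "Summer2019!": 12}
BREACH_HASHES = {hashlib.sha1(p.encode()).hexdigest().upper(): n
                 for p, n in CONSTRUCTED_BREACH_CORPUS.items()}


def lookup_range(prefix5):
    """Server side of the k-anonymity range query: given only the first 5 hex
    characters of a SHA-1, return every (suffix, count) pair under that prefix."""
    return [(h[5:], n) for h, n in BREACH_HASHES.items() if h.startswith(prefix5)]


def exposed_count(password):
    """Client side: send the 5-char prefix only, then match the suffix locally.
    Returns how many times the password appears in the (constructed) corpus."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in lookup_range(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


def estimate_entropy_bits(password):
    """Naive charset-size estimate (an assumption: the study's exact method is not stated).
    Treats every character as drawn uniformly from the union of the pools it uses."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]
    size = sum(len(pool) for pool in pools if any(c in pool for c in password))
    return len(password) * math.log2(size) if size else 0.0


def classify(password):
    """Combine both checks: a password can pass the entropy bar yet still be exposed."""
    bits = estimate_entropy_bits(password)
    count = exposed_count(password)
    return {"entropy_bits": round(bits, 2), "weak": bits < WEAK_THRESHOLD_BITS,
            "exposed": count > 0, "breach_count": count}


if __name__ == "__main__":
    for pw in ("password", "Winter2019", "ji32k7au4a83"):
        print(pw, classify(pw))
```

Note that 'ji32k7au4a83' clears the 60-bit entropy estimate yet is flagged as exposed, which is exactly the gap the article describes.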
“The prevalence of weak and exposed passwords poses an extraordinary threat to UK businesses through credential stuffing and brute force attacks,” adds Alashe. “The phenomenon of exposed passwords, in particular, is not a well-understood issue. Using strong, varied passphrases across different accounts is the most effective thing people can do to protect themselves and their company from experiencing a successful cyber attack. Leaders need to be thinking about the role that security training and awareness programmes can play in encouraging their people to adopt these best practices.”
Following the study, participants were informed if their passwords were found to be weak or exposed. Exactly two-thirds of these decided to change their passwords. We guess they then promptly forgot them and had to ring up tech support to ask for another.