via The Hacker News
Weak password policies leave organizations vulnerable to attacks. But are the standard password complexity requirements enough to secure them? 83% of compromised passwords would satisfy the password complexity and length requirements of compliance standards. That’s because bad actors already have access to billions of stolen credentials that can be used to compromise additional accounts by reusing those same credentials. To strengthen password security, organizations need to look beyond complexity requirements and block the use of compromised credentials.
Need stolen credentials? There’s a market for that
Every time an organization gets breached or a subset of customers’ credentials is stolen, there’s a high possibility that all those passwords end up for sale on the dark web. Remember the Dropbox and LinkedIn hacks that resulted in 71 million and 117 million stolen passwords? An underground market sells those credentials to hackers, who can then use them in credential stuffing attacks.
How does credential stuffing work?
Credential stuffing is a popular attack method because it requires minimal effort for maximum financial gain; so much so that six times as many credentials were stolen and sold in the last year alone. The opportunity for credential stuffing grows as the number of stolen credentials increases with each new breach. It is estimated that 111 million cyberattacks occur each day. For every one million combinations of emails and passwords, attackers can potentially compromise between 10,000 and 30,000 accounts.
Attackers use automated tools to test the stolen credentials on numerous sites. To increase their chances of success while reducing the risk of detection, attackers utilize readily available tools that help them match passwords with specific websites. This can be especially easy if the password already contains the name of the website or application.
Sophisticated bots are a popular tool in this instance, allowing attackers to run many login attempts simultaneously, all of which appear to originate from unique IP addresses. In addition to this anonymity, bots are able to overcome simple security measures, such as banning an IP address after a series of failed login attempts.
Once a login attempt succeeds, the attacker gains entry to the compromised account, with the access needed to empty the account’s funds, steal sensitive information, send deceptive phishing messages or spam calls, or traffic the stolen data on the dark web. This type of attack has risen in popularity in recent years because of the sheer volume of users reusing passwords across multiple accounts: in one analysis covering a 3-month period, 44 million Microsoft users were found to be reusing passwords.
So, how can organizations defend against this growing threat? Reusing passwords across multiple websites makes user accounts more vulnerable and complicates efforts to prevent unauthorized access, so detecting compromised passwords promptly and notifying the affected accounts is essential to reducing credential stuffing threats against organizations and their users.
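As an added illustration (not code from the article or from any vendor it mentions), the following Python shows why a complexity check alone is not enough and how a compromised-credential check can be performed without ever sending the password itself: the client hashes the password, transmits only a short hash prefix, and matches the returned suffixes locally, the k-anonymity range-query approach used by some breached-password services. The breached password list and its counts are constructed sample data, and the "server" is simulated in-process.

```python
import hashlib
import re

# Constructed sample standing in for a real compromised-credential corpus
# (password -> number of times seen in breaches). Not data from the article.
BREACHED_PASSWORDS = {
    "P@ssw0rd123!": 4_200_000,   # satisfies typical complexity rules, yet widely leaked
    "Welcome2023!": 180_000,
    "Summer2024!": 95_000,
    "password": 9_700_000,
}

def build_range_index(passwords):
    """Server side: index breached hashes by the first 5 hex chars of SHA-1."""
    index = {}
    for pw, count in passwords.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index

def range_query(index, prefix):
    """Simulated server endpoint: all (suffix, count) pairs sharing the prefix."""
    return index.get(prefix.upper(), [])

def meets_complexity(pw, min_len=12):
    """Typical compliance rule: minimum length plus three of four character classes."""
    classes = [re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)]
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3

def breach_count(index, pw):
    """Client side: hash locally, send only the 5-char prefix, match the suffix locally."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0

def evaluate_password(index, pw):
    """Returns (complexity_ok, breached_count, accepted): accept only if both checks pass."""
    complexity_ok = meets_complexity(pw)
    count = breach_count(index, pw)
    return complexity_ok, count, complexity_ok and count == 0

if __name__ == "__main__":
    idx = build_range_index(BREACHED_PASSWORDS)
    for candidate in ["P@ssw0rd123!", "correct-horse-battery-staple-42"]:
        print(candidate, evaluate_password(idx, candidate))
```

The first candidate passes the complexity rule but is rejected because it appears in the breached set; the second passes both checks.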
Find out if your credentials are compromised
At the time of writing, there are over 15 billion stolen credentials on the dark web. PayPal users infamously joined that list earlier this year when the platform suffered a significant credential-stuffing attack that impacted approximately 35,000 accounts. The attack exposed sensitive information, including Social Security and tax ID numbers, dates of birth, names, and addresses. As is often the case in such attacks, many of the compromised accounts reused passwords from previous data breaches.