Pwned Passwords: The Epicenter of Your Cybersecurity Storm

Pwned Passwords can be the source of cybersecurity storms at organizations of all sizes. Here is why.

New cybersecurity threats are continuously emerging in light of our increasingly connected world, AI, 5G, and other enterprise trends. In this ever-changing landscape, there is one constant: passwords remain the primary authentication method for accessing corporate systems and applications—and employees are notorious for using “pwned” passwords. (In cyber security, “pwned” is jargon that often means that your account has been taken over. A pwned password is a password that has been exposed and is ripe for takeover.)

Pwned passwords, or passwords that have been previously exposed in data breaches, represent a significant security vulnerability. These are real-world passwords that have already been compromised, making them unsuitable for ongoing use. The exposure of such passwords means they are at a much greater risk of being used by cybercriminals to take over other accounts.

Cybercriminals can easily access these compromised credentials via the Dark Web and utilize this information to infiltrate corporate accounts. This problem is compounded by password reuse, another prevalent example of poor employee security hygiene. When employees reuse passwords across multiple accounts, they inadvertently increase the risk of a widespread security breach if even one account is compromised.

To protect against such vulnerabilities, it is crucial for organizations to implement robust password management strategies. This includes encouraging the use of strong, unique passwords and adopting multi-factor authentication to add an extra layer of security.

91% of respondents in a recent survey acknowledge that reusing passwords across multiple work and personal accounts introduces significant security vulnerabilities. Yet 59% admit to doing it anyway. They are ambivalent about the risk of pwned passwords.

Password reuse is not only common but also perilous. It’s often chosen for convenience, yet many users remain unaware of the severe potential impacts. This practice opens the door to attacks such as credential stuffing, where cybercriminals exploit reused credentials by automating login attempts. They use known email and password pairs to breach systems, taking advantage of the ease with which they can infiltrate accounts.

Incorporating these risky behaviors into everyday digital habits increases the susceptibility of both personal and professional data to breaches. Understanding and addressing these vulnerabilities is crucial in fortifying security protocols across all platforms.

The 2012 Dropbox breach, in which hackers obtained encrypted passwords for more than 68 million accounts, is an example of how devastating the effects of password reuse can be. As Dropbox put it in a blog post, “A stolen password was also used to access an employee Dropbox account containing a project document with user email addresses.”

The long-awaited Disney+ launch also exposed the risks of password reuse. An investigation found that less than 48 hours after launch, thousands of exposed Disney+ passwords and accounts were already for sale. Bad actors were able to access Disney+ accounts because so many users had reused, on their Disney+ account, passwords from their accounts on other sites.

With new breach data coming to light on a daily basis, guarding against the use of pwned passwords requires constant vigilance.

As Enzoic stated in a Channel Futures article, “We recently spoke with a company that discovered that 4% of its uncompromised credentials become compromised within one month and this happened month over month.”

So, what should organizations do to eradicate the use of pwned passwords?

  • Educate employees: Making password best practices a part of employee onboarding and ongoing training initiatives can help instill better security hygiene and discourage the use of weak passwords, password reuse, and password sharing.
  • Adopt additional authentication measures: Two-factor authentication (2FA), adaptive authentication and biometrics are examples of additional authentication methods—check out our recent post on the benefits and drawbacks of these technologies here.
  • Check for pwned passwords: NIST password guidelines recommend that organizations should verify that passwords are not compromised before they are activated, and also monitor them on an ongoing basis. For many organizations, automating this process is critical because of limited IT and security staffing.

The latter is the most crucial step companies can take in the fight against pwned passwords, because it works regardless of employee security habits: an exposed password is rejected whether or not the employee knows it has been exposed.
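To make the screening step concrete, the following Python is an added illustration written for this article; it is not Enzoic's product, API, or database. It assumes a constructed breach list (a few passwords that appear in public breach dumps), stores their SHA-1 hashes indexed by a five-character hex prefix so a lookup reveals only a prefix rather than the full hash, and exposes two hypothetical entry points: `evaluate_new_password` for the NIST-style check at password-set time and `rescreen_at_login` for the ongoing monitoring the guidelines also call for, re-run whenever new breach data is loaded.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: stand-ins for an exposed-credential database.
# These are well-known weak passwords, not data taken from any real dump.
CONSTRUCTED_BREACH_LIST = ["password", "123456", "qwerty", "letmein", "Summer2023!"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form most breach corpora publish."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(plaintexts):
    """Index hashes by their first five hex characters: prefix -> set of suffixes.

    Grouping by prefix lets a client ask 'what hashes start with ABCDE?' and
    finish the comparison locally, so the full hash never leaves the client.
    """
    index = defaultdict(set)
    for pw in plaintexts:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


def range_lookup(index, prefix: str):
    """What a prefix range query returns: every stored suffix sharing the prefix."""
    return set(index.get(prefix, set()))


def is_pwned(password: str, index) -> bool:
    """True if the password's SHA-1 appears in the corpus (checked via prefix range)."""
    h = sha1_hex(password)
    return h[5:] in range_lookup(index, h[:5])


def evaluate_new_password(candidate: str, index, min_length: int = 8):
    """Policy check at password-set time: a length floor plus the exposure check.

    Returns (accepted, reason). Hypothetical helper for this example.
    """
    if len(candidate) < min_length:
        return (False, "too short")
    if is_pwned(candidate, index):
        return (False, "found in breach data")
    return (True, "accepted")


def rescreen_at_login(password: str, index) -> bool:
    """Ongoing monitoring: re-check the password against the latest corpus when the
    user authenticates (the only moment the plaintext is legitimately available).
    Returns True when a forced reset should be triggered."""
    return is_pwned(password, index)


if __name__ == "__main__":
    index = build_index(CONSTRUCTED_BREACH_LIST)
    print(evaluate_new_password("Summer2023!", index))        # rejected: in breach data
    print(evaluate_new_password("Tr0ub4dor&3-xkcd-936", index))  # accepted today

    # Simulate a new breach dump arriving next month that contains the accepted password.
    updated = build_index(CONSTRUCTED_BREACH_LIST + ["Tr0ub4dor&3-xkcd-936"])
    print(rescreen_at_login("Tr0ub4dor&3-xkcd-936", updated))   # True: force a reset
```

The rescreen path is what turns a one-time check into monitoring: the corpus is rebuilt as new breach data lands, and a password that passed last month is rejected at the next login if it has since been exposed.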

To quote Enzoic’s Channel Futures article again, “It’s unrealistic for companies to expect password reuse to change on its own, but it’s also untenable for them to continue to allow the use of exposed credentials.”

By continuously screening all corporate passwords against our proprietary database of exposed credentials, Enzoic helps companies ensure pwned passwords remain where they belong—on Dark Web lists but never in use for enterprise systems and applications.

Tips on How Individuals and Organizations Can Protect Themselves From Pwned Passwords

  1. How do I get a list of pwned passwords to screen my employee or customer accounts? You came to the right place. Enzoic has multiple tools available for organizations that want to screen accounts for pwned passwords or monitor passwords for any new data breaches. Please review our solutions on www.enzoic.com to see which product works best for your use case.
  2. What should you do if your password was found in a data breach? Change your password on that account immediately. If you reuse passwords across multiple sites, change that password on every other account and use unique passwords on each site going forward. Then monitor your accounts to make sure they are not compromised. There are other options you can use as well, such as a password manager.
  3. Why is subscribing to breach notifications essential for account security? In today’s digital landscape, protecting your online accounts is crucial. Subscribing to breach notifications plays a key role in safeguarding your personal information. There are a number of identity theft protection products on the market that offer this service.
  4. How can 2 Factor Authentication help with Pwned Passwords? Enabling 2FA is crucial for bolstering your account security on sensitive accounts. By requiring not only a password but also a second form of verification, such as a code sent to your phone, 2FA significantly reduces the chances of unauthorized access. Practical Steps:
    • Enable 2FA: Activate 2FA on all accounts that offer it to protect sensitive information.
    • Securely Store Codes: Use a reliable password manager, like LastPass, to safely store your authentication codes and backup keys.
    • Regularly Update Methods: Stay informed about the latest in authentication technologies and update your methods accordingly.
  5. How Can Password Managers Help in Generating and Saving Strong Passwords? Safeguarding your online accounts is essential, and a password manager can be a powerful tool for enhancing your security. Here is how they can help:
    • Automated Password Generation: Password managers automatically generate complex and unique passwords for each of your accounts. These passwords are typically lengthy, combining letters, numbers, and symbols to create a strong defense against cyber attacks.
    • Secure Storage and Organization: Once a password is generated, the password manager securely stores it in an encrypted vault. This means you don’t need to remember each password or waste time resetting them. Secure organization systems allow you to easily manage and retrieve your passwords when needed.
    • Convenience and Accessibility: Password managers streamline the login process with features like autofill, saving you time and reducing the hassle of manual entry. They are often accessible across multiple devices, so whether you’re on your computer, phone, or tablet, your passwords are always at hand, securely.
    • Enhanced Security Features: Beyond storage, many password managers offer additional security features. These can include alerts for weak or reused passwords and notifications if your credentials may have been compromised in a data breach, keeping you one step ahead in your online security endeavors.