Many major stories about cyberattacks or data breaches have one weak link in common: passwords. Oftentimes, the simple alphanumeric password that acts as gatekeeper to our personal phones and email accounts is the same one that protects enterprise businesses’ servers. And passwords are only as strong as we make them.
Unfortunately, though, most employees—76 percent of Americans, according to research we conducted in 2022—never change their passwords, or only do so when forced to. These users may be the employees of companies who are a vendor to your company.
One common password, either easily cracked or used repeatedly across multiple sites, could be the entryway for malicious actors into your supply chain and company’s data. Exposed credentials have been at the center of headline-grabbing events such as the Nobelium attack and the SolarWinds breach. In addition, Bitsight research found that over 25 percent of the S&P 500 and half of the top 20 most valuable public U.S. companies had SSO credentials for sale on the dark web in 2022.
In this blog, we share the findings of our research around password usage, contextualize the importance of passwords to vendor risk management, and provide tips on password security.
The state of passwords
Anecdotal evidence tells us people share their passwords. Whether it’s friends sharing a Netflix login or a single user sharing the same password across multiple sites, we all instinctively know that credential sharing is a fact of our digital lives.
But is this common knowledge based in actual fact? We surveyed over 1,000 American internet users in 2022 to find out, and the answer, in a word, is yes.
As can be seen below, a third of those surveyed only change their passwords once or a few times each year. Meanwhile 76 percent only change their passwords when reminded (or forced) to:
These findings can be extrapolated to an organization’s supply chain: some vendors may reuse passwords or neglect credential security in accounts that could grant access to your network.
IBM’s Cost of a Data Breach report found that stolen or compromised credentials were the primary attack vector in 19 percent of breaches in 2022, similar to the year before. Breaches caused by stolen or compromised credentials had an average cost of USD $4.5 million and the longest lifecycle—243 days to identify the breach, and another 84 days to contain it.
All of our personal practices around cybersecurity ultimately form the behaviors we carry into our work practices, even more so with a distributed workforce.
Attackers usually don't break in, they log in
Security incidents don’t always come in the form of sophisticated attacks, but rather phishing or social engineering campaigns that manage to steal credentials.
So how can you improve password security? By diligently maintaining controls and focusing on the essentials—including continuously monitoring for exposed credentials and enforcing controls preventing password reuse—organizations can reduce the risk of breach.
Preventing credential exposure is a twofold initiative, where you implement and reinforce password security policies internally and externally across your third-party supply chain.
Password best practices for your organization
1. Replace passwords with passphrases
Cybercriminals have gotten good at cracking passwords like “123456” and “asdasd.” Encourage longer and more complex combinations as part of your password policy, with passphrases at least 16 characters long that are harder to predict.
2. Ban the usual exposed passwords
Use annual collections of exposed credentials to ban those combinations in your network, and reinforce the use of random letters, numbers and symbols. In addition, demand that users change their passwords immediately if a provider discloses a data breach.
3. Prevent password reuse
Enforce the use of strong and unique passwords or passphrases on personal and corporate accounts, especially for business apps dealing with sensitive data.
4. Promote the use of password managers
One of the biggest pain points for users is having to remember different passwords for multiple services. Password managers simplify the task with one master password that opens the vault, making logins simple and secure.
5. Use multi-factor authentication (MFA)
Multi-factor authentication adds additional layers of protection to complement passwords with biometrics, security keys, or one-time codes through a mobile app. MFA is free, easy to implement, and available on most web services and applications.
Password best practices for your vendor ecosystem
1. Audit your third-party vendors with security questionnaires
Assess, monitor, and reduce your third-party vendor risk by fully understanding their security posture and holding them accountable to your standards. Take your password policy into account in your due diligence and initial risk assessments.
2. Use continuous monitoring to detect credential exposure
Breach alerts and security rating vectors can detect leaked credentials and changes in the security performance of your vendors. If a breach or zero day vulnerability is disclosed, act fast to determine if you’re vulnerable and ask for additional reassurances. Bitsight continuous monitoring and third-party vulnerability detection & response capabilities can make this job easier, detecting gaps and facilitating quick remediation.
3. Offboard vendors when your contract is over
“Ghost accounts” are those that security processes often neglect to delete, but still grant access to company data. Integrate this task into your vendor offboarding process, making sure no third party has access to your network when they no longer need it.
A third-party data breach or vulnerability within the supply chain can happen to any company at any time. If or when it does, Bitsight third-party vulnerability detection & response empowers organizations to take action at a moment’s notice, with quick vendor outreach at scale, tailored exposure evidence, and easy tracking of responses to critical vulnerabilities through templated questionnaires.
Password security is key, regardless of how you create, manage, or share your credentials. This survey sheds light on the need for organizations to view passwords more broadly, especially as remote work and cloud access expand.