Recently, the new draft of the NIST guidelines was released and proposed a shift in password strategy, away from periodic changes with complexity requirements and toward the use of a long "memorized secret." Many organizations have enforced regular password changes and password complexity, but this approach has failed them.
In fact, based upon our analysis of enterprises who have downloaded Preempt Inspector to determine the quality of their organization’s password health, over 7% of employees are using compromised passwords from a previous breach and nearly 20% can be easily compromised. In this blog, we’ll dive into this as well as some of the other results we uncovered including shared passwords, how different organization types fare and more.
For some time, we’ve been discussing password strength and how critical it is for the overall security posture of an organization. To help security teams get ahead of this problem quickly, we developed Preempt Inspector as a free app to allow any organization to do an enterprise password assessment that provides them with reports that identify those accounts, which represent vulnerabilities so that they can take action to reduce their security risk.
Preempt Inspector Findings
Since launching Preempt Inspector, over 220 organizations have downloaded the app. Stats have been shared with us anonymously. Given that credential compromise continues to be a primary method for breaching organizations, we wanted to share the results of this data to show that weak passwords continue to be a big problem for enterprises and why getting a handle on it should be a top priority.
This infographic provides some of the highlights:
- An average of 7.34% of users have compromised passwords
Roughly 1 in 14 enterprise users use an extremely weak password that has appeared in previous password breaches. An interesting comparison is between this statistic and the percentage of passwords we could crack from a public cloud service breach (e.g. LinkedIn), which was about 35%. A possible explanation is that Microsoft password length and complexity requirements force users to avoid some of the weakest passwords. For example, the 25 most common passwords in the LinkedIn password dataset do not comply with basic password complexity requirements (we should note that even complex passwords can be weak if they appear on a password list).
- An average of 13.39% of users have shared passwords
Password sharing is one of the biggest and least discussed issues affecting password quality. Users share passwords with other users, with teams and between services. When it comes to different users sharing passwords with each other, you would expect this to be uncommon, but surprisingly, roughly 1 in 7 enterprise users share their password with other users in the same network.
Password Quality Issues
- An average of 19.1% of users have password quality issues
Accounting for both shared passwords and compromised passwords, the average organization has 19.1% of users with password quality issues. This means that on average, roughly 1 in 5 enterprise users' credentials could be easily compromised. This statistic also highlights the fact that some users are not only sharing passwords, but are sharing a password that has been compromised in a breach. While that overlap is small (less than 2%), these users carry an even higher risk.
- Organizations with high percentage of compromised passwords also have a high percentage of shared passwords
It turns out some organizations are simply better at enforcing security standards. These organizations tend to have both a low percentage of users with compromised credentials as well as a low percentage of users who share a password. It is likely that if Preempt Inspector examined other facets of security posture (regular updates, effective configurations and effective permissions, as we do in our full Preempt solution), it would be the same organizations that consistently stand out with good security practices.
Size of Organizations in Relation to Password Health
- Bigger organizations have better security posture
We measured the average percentage of users with a weak password (compromised or shared) in each organization size band and found that the bigger an organization is, the more secure its passwords are.
This is not surprising. It is safe to assume that large organizations have a dedicated security team that is in charge of IT security, educates users and sets strict password complexity requirements. This is very similar to our experience working with customers using the Preempt Behavioral Firewall: when we help them assess their security posture, we often find that larger organizations are in better shape.
US vs Rest of World
- US-based organizations have better password quality
We divided the data into US-based enterprises (roughly 50%) and non-US enterprises. The results were perhaps a bit surprising, with US-based organizations having half the percentage of weak passwords. One assumption on why this is the case is that awareness of potential credential theft and cyber attacks is much greater in the US.
Preempt Inspector assessments combine password hashes from major breaches, such as those at Yahoo! and LinkedIn, with an exhaustive dictionary of compromised and weak credentials to identify potential risk to the organization.
The data collected includes password statistics from several countries (50% from the US) and a healthy mix of small (<100 users), medium (100-1000 users) and large (>1000 users) organizational networks.
Password quality is a complex attribute that consists of many facets:
- How long are passwords kept?
- Does the organization allow password sharing between employees?
- Or, between enterprise and external cloud services?
- Are there password complexity requirements in place? (Minimum password length, special character inclusion, etc.)
- Are employees educated about how to choose strong, effective passwords?
For Preempt Inspector, we chose to focus on facets of password quality that are often disregarded or ignored:
- Compromised Credentials - we define compromised credentials as passwords that exist in well-known password lists. To test this, we’ve created a password dictionary containing 10M of the most common passwords. In a previous blog, this dictionary was used to crack 35% of breached LinkedIn password hashes.
- Shared Passwords - we define shared passwords as passwords that are shared by different users (unless the password is extremely weak, two users ending up with the same password could not happen by accident).
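The two checks defined above (a hash matching a known-breached password, and a hash that appears under more than one account) can be computed from a hash dump alone, without ever seeing plaintext. The following is an added example written for this post, not Preempt Inspector's own code: it assumes SHA-256 as the hash function in place of the NT hash the product would compare against (the comparison logic is identical, only the hash function differs), and the account list and breach dictionary are small constructed samples.

```python
import hashlib
from collections import Counter
from typing import Callable, Dict, Iterable, Set


def sha256_hex(password: str) -> str:
    # Assumption: SHA-256 stands in for the NT hash an AD assessment would use.
    # Whatever the hash, breached plaintexts are hashed once and compared as a set.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def assess_password_health(
    account_hashes: Dict[str, str],
    breach_passwords: Iterable[str],
    hash_fn: Callable[[str], str] = sha256_hex,
) -> dict:
    """Classify accounts as compromised, shared, or both, and report percentages.

    account_hashes: username -> password hash (the only input a real assessment sees)
    breach_passwords: plaintext dictionary of known-breached / common passwords
    """
    # Compromised: the account's hash equals the hash of a known-breached password.
    breached_hashes: Set[str] = {hash_fn(p) for p in breach_passwords}
    compromised = {u for u, h in account_hashes.items() if h in breached_hashes}

    # Shared: the same hash appears under two or more accounts. Unsalted hashes
    # make this a direct count; with salted hashes this check is not possible.
    hash_counts = Counter(account_hashes.values())
    shared = {u for u, h in account_hashes.items() if hash_counts[h] > 1}

    overlap = compromised & shared      # sharing an already-breached password
    issues = compromised | shared       # any password quality issue
    total = len(account_hashes)

    def pct(group: Set[str]) -> float:
        return round(100.0 * len(group) / total, 2) if total else 0.0

    return {
        "total_users": total,
        "compromised": sorted(compromised),
        "shared": sorted(shared),
        "overlap": sorted(overlap),
        "pct_compromised": pct(compromised),
        "pct_shared": pct(shared),
        "pct_overlap": pct(overlap),
        "pct_quality_issues": pct(issues),
    }


# Constructed sample data: in a real assessment only the hashes would be available;
# plaintexts are listed here solely so the example can build the hash dump itself.
SAMPLE_PLAINTEXTS = {
    "alice": "Password123!",                   # on the breach list
    "bob": "Summer2017!",                      # shared with carol
    "carol": "Summer2017!",
    "dave": "correct horse battery staple",    # unique, not breached
    "eve": "qwerty",                           # breached AND shared with frank
    "frank": "qwerty",
    "grace": "Tr0ub4dor&3",                    # unique, not breached
    "heidi": "welcome1",                       # on the breach list
    "ivan": "xK9#mP2$vL",                      # unique
    "judy": "Z8!pq4Wn@",                       # unique
}

# Constructed stand-in for the 10M-entry common-password dictionary.
SAMPLE_BREACH_LIST = ["password", "123456", "Password123!", "qwerty", "welcome1", "letmein"]


def run_sample() -> dict:
    hashes = {user: sha256_hex(pw) for user, pw in SAMPLE_PLAINTEXTS.items()}
    return assess_password_health(hashes, SAMPLE_BREACH_LIST)


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample above the report flags 4 of 10 accounts as compromised, 4 as shared, and 2 (eve and frank) as both, so 60% of users have a password quality issue while the overlap is 20%; the union, not the sum, is what the "password quality issues" figure in this post measures. Note that the shared-password check only works against an unsalted hash store such as the NT hash: with per-user salts, equal passwords produce different hashes and the comparison is not possible.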
Summary and What’s Next?
As cyber threats become more sophisticated, organizations need to take a proactive approach in securing their network. Oftentimes, small and medium organizations suffer the most from the cybersecurity skills gap, and therefore need easy tools to efficiently evaluate their cyber posture and readiness to face outside cyber threats.
Enterprises can download a free version of Preempt Inspector today. In the future, the Preempt Inspector app will continue to be enhanced to support more facets of an organization's security posture such as GPO analysis, effective permission and more. Stay tuned!
Do you know your company's organizational password strength?
Download this free app now to get ahead of the risk.