
Death, Taxes, and Password Negligence: The Inevitability of Pwned Passwords

by Josh Horwitz, September 23rd, 2020

Too Long; Didn't Read

The internet security slang pwned-- pronounced ‘poned’-- is mainly used to indicate administrative control over someone’s computer account or computer. Pwned passwords are what hackers use to compromise accounts--whether breaking into your bank account, or stealing your Netflix account. The Verizon DBIR report revealed that 80% of hacking breaches were related to compromised passwords. People are repeatedly choosing weak passwords, the passwords are guessed, and breaches occur. Password sharing causes employers and employees to lose track of who has access to what document, network, and system.

The internet security slang pwned-- pronounced ‘poned’-- is mainly used to indicate administrative control over someone’s computer account or computer. A password that has been pwned is one that has been compromised in some kind of breach, and it means that it’s no longer safe to use. Pwned passwords are what hackers use to compromise accounts--whether breaking into your bank account, or stealing your Netflix. Issues like password reuse and weak passwords are well known to hackers, who exploit human error to commit cyber crimes. Students, parents, employees, and network administrators alike are all guilty of engaging with bad security habits. It’s important to learn about these patterns so that we can tackle them together and help protect ourselves and each other. Three of the most common bad habits are: 

1. Using weak or already-compromised passwords

Even as alternative authentication methods become more available, the password remains the most common authentication method at both the corporate and consumer levels. We enter passwords all day every day: clocking in to work, signing on to a Zoom call, or relaxing with a movie after work. Passwords are ubiquitous and likely to stick around.

Of course, it’s difficult to remember unique passwords for all of your accounts and all of your devices. To make things easier on themselves, people choose weak passwords, like ‘password’ or common dictionary words like ‘football’ or ‘summer’ followed by easily-guessed number combinations like ‘2020’. These passwords are extremely easy for hackers to guess.

People also think that a slight change of a few digits or characters will throw off a hacker’s ability to guess the password, so they might change the letter ‘O’ to the digit ‘0’, or add an exclamation mark to the end of the password. Even if these tiny variations satisfy the ‘new password’ requirements, they tend to follow simple patterns and are just as easy to guess.

The Verizon DBIR report revealed that 80% of hacking breaches were related to compromised passwords. This isn’t surprising: people are repeatedly choosing weak passwords, the passwords are guessed, and breaches occur.

2. Password Sharing

In a small , 34% of respondents said they share passwords with coworkers. This is potentially indicative of a broader trend that folks--couples, families, etc.--share passwords. For coworkers, sharing passwords is most often done for convenience of collaboration. But there are many safer ways to do this that employees could be encouraged to use instead. Password sharing causes employers and employees to lose track of who has access to what document, network, and system. It also means people may retain access to sensitive information after leaving a job.

3. Password Reuse

Another enduring bad habit is password reuse. It’s a natural experience to find it difficult to remember many unique passwords, but the unfortunate work-around that many people choose is a source of major security issues. This is the error of using the same password (or a near-exact variation) for multiple accounts, across multiple systems. It’s also common for people to use their favored password in both personal and corporate systems.

We’re also not as clever as we think, and it’s likely that multiple individuals in a group will come up with the same password. So even if you haven’t personally used a password like ‘administrator123’ at work before, someone else might have done so. That person’s account can be breached and cracked, and then all related accounts are further endangered because passwords are generally ‘reused’ between many users. This wide-scale reusing can lead to major breaches because of the chain reaction.

For example, let’s say you use the password ‘S0ccer2020’ for your personal LinkedIn account, your shared family Disney Plus account, and your employee login. Then, let’s say that there is a breach at LinkedIn, and you find out that your credentials have been compromised. No problem, because you can just change your LinkedIn password, right? As you may have surmised: wrong. If you’ve reused your password, it becomes clear that every other account is in danger as well; in fact, it only takes a single compromised password to lead to, in this example, what could be an entire corporate takeover.

Hackers exploit the common issue of password reuse all the time by using both credential stuffing and password spraying.

This free and secure service will check against billions of previously compromised passwords to see if yours has already been leaked.

Another free option for that works across the organization is a to can scan all of Active Directory.

Checking user credentials against a blacklist is also part of the newest , making it an even more applicable step to take within a company’s security protocols.

The TL;DR
  1. Pwned passwords are incredibly common! 
  2. Weak password choice and frequent password reuse are two main sources of user and system vulnerability.
  3. In order to maintain better corporate and personal security, (a) use multi-factor authentication, (b) use a password blacklist service, and (c) educate yourself and others about best security habits for your work and home life.
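
As an added illustration (not code from the original article), the sketch below shows how a password-set check can reject both exact blacklist hits and the predictable variants described in section 1, such as ‘O’ swapped for ‘0’ or a trailing ‘2020’ or ‘!’. The `COMPROMISED` set, the substitution table, and the function names are assumptions constructed for this example; a real deployment would load a large compromised-password corpus.

```python
import re

# Constructed sample list standing in for a compromised-password corpus.
COMPROMISED = {"password", "football", "summer", "soccer", "administrator"}

# Character swaps users commonly treat as making a password "new".
SUBSTITUTIONS = str.maketrans({"0": "o", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def base_forms(password):
    """Return candidate base words after undoing simple, predictable tweaks."""
    lowered = password.lower()
    # Drop trailing digits and punctuation such as '2020', '123' or '!'.
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    candidates = {lowered, stripped}
    # Undo character swaps on each candidate (after stripping, so that a
    # trailing year is removed rather than rewritten).
    candidates |= {c.translate(SUBSTITUTIONS) for c in candidates}
    return sorted(c for c in candidates if c)


def screen_password(password, compromised=COMPROMISED):
    """Return (accepted, reason) for a proposed password."""
    if password.lower() in compromised:
        return False, "exact match for a compromised password"
    for base in base_forms(password):
        if base in compromised:
            return False, f"predictable variant of '{base}'"
    return True, "not found in compromised list"


if __name__ == "__main__":
    for candidate in ["password", "S0ccer2020", "Summer2020!",
                      "administrator123", "correct horse battery staple"]:
        print(candidate, "->", screen_password(candidate))
```
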