How compromised passwords lead to data breaches

Data breaches have been in the headlines for several years, representing a rational fear for many organizations. A data breach is when someone — typically a hacker — gains unauthorized access to sensitive or confidential information. Hackers may do this for numerous reasons, including damaging the organization or its reputation, selling the retrieved data, or making a social or political statement.

Most data breaches seek personally identifiable information (PII), such as Social Security numbers or other official identity information, bank or credit card details, and passwords that they can use to either monetize the attack directly or indirectly by compromising adjacent financial accounts that rely on those stolen credentials. 

Additionally, there are two significant aspects that most breaches share:

  • Often, organizations only detect them months after they’ve occurred.
  • Compromised passwords are the primary cause.

In this post, we’ll examine how easily compromised passwords can lead to data breaches, go over some common password vulnerabilities, and ultimately review some best practices to keep your passwords and other sensitive data as secure as possible.

Data breaches from compromised passwords

Compromised passwords are a top contributor to many recent large-scale breaches. This is unsurprising, as a password is often all it takes to authenticate into a system, application, or data store. Once a user authenticates successfully, there is little recourse.

That’s not to discount recent cybersecurity advancements that seek to improve how we protect electronic data. Traditional data center security includes some key security architecture, including network connectivity firewalls, virtual private network (VPN) connections, and encrypted tunnels for remote access. However, weak user authentication renders these measures all but useless.

As such, password-based authentication methodologies become a prime target for hackers.

How often are passwords compromised?

So, how often do passwords become compromised? In brief, all the time. Below are just a few of the more well-known breaches whose common thread is a known password:

  • The 2021 TicketMaster breach is a remarkable example of how substandard practices (and illegal behavior) can breach corporate security. An employee who saved credentials from their former employer — a competitor — provided access to TicketMaster executives with these credentials, enabling them to retrieve confidential financial and operational information from the rival company. 
  • The root cause of the 2021 SolarWinds breach was a weak password on their prime software tooling: solarwinds123.
  • The New York City Law Enforcement Department was also a data breach victim. Attackers stole personal data from thousands of employees. This was possible after attackers stole one employee’s email account credentials.

The above examples represent only a few of the more well-known security breaches, but there are countless undetected or unreported security incidents for each known occurrence.

How do passwords become compromised?

There are many ways that bad actors can steal passwords. Moreover, they often use multiple strategies simultaneously.

Brute force

Brute force is the technique by which an attacker uses a “guessing” approach to determine a password for a system or user account. Cybercriminals often use robust scanning or password-cracking tools that enable looping through many possible password combinations. These tools address the common tendency to include birthdays, family members’ names, and pets’ names in created passwords.

Social engineering

The more a hacker can find out about their target, the greater the amount of helpful information there is to attempt to gain access. Consider the security questions you must answer when setting up a new account. Usually, answering these questions can help prove your identity to reset a lost or forgotten password. Most questions relate to your likes or hobbies (favorite car brands, travel destinations, visited cities) and family or pet names.

The “silly” games we play on social media are a way to obtain such data. Even games that don’t directly ask for this type of information understand what types of prompts will most efficiently garner responses.

In addition to falling victim to social media schemes, people tend to reuse passwords in multiple apps and accounts. This means that if one site’s credentials leak, malicious actors can use the same credentials to access several accounts belonging to each individual. 

Password theft 

Password theft is an umbrella term that takes many forms, including some of the previously mentioned scenarios. Complex passwords are more secure but challenging to remember but saving them in a sticky note or plain text file opens the possibility of password theft. 

Another common type of password theft occurs through spam and junk phishing emails, which involves deceiving users into clicking a link that leads to a phony but often realistic-looking version of a legitimate website. The fake website is typically just a form to capture the user’s credentials when they believe they are logging in to the site or resetting their passwords. 

How to prevent compromised passwords

Fortunately, there are plenty of ways to reduce the risks associated with compromised passwords.

Strengthening passwords with hashing and salting

In an ideal scenario, the password characters that a user enters are hashed and stored in a back-end identity database. Hashing encrypts a password into a string with a method that is extremely difficult to reverse engineer. The more complex the hashing mechanism (SHA, bcrypt), the harder it will be to break the code.
While this method is relatively secure, the encryption key used to hash passwords is static. This creates a vulnerability wherein deciphering the encryption key enables an attacker to decrypt any stored password. That’s where salting is useful. This process involves adding a series of randomly chosen characters to the password before hashing. This optimizes the security for the given credentials, as the hash will never be the same. 

Delete inactive accounts 

Moreover, it’s crucial to ensure you disable or delete inactive accounts. Leftover credentials are vulnerable targets for disgruntled employees or those with whom they may overshare. These unused accounts include employees who’ve left the organization but may also extend to those on temporary leave.

Additionally, integrating up-to-date security controls, such as validating security group memberships and ascribing to the principle of least privilege (PoLP), can significantly limit unauthorized access.

Use multi-factor authentication

Multi-factor authentication (MFA) dramatically improves the integrity of password-only logins. Whereas traditional authentication combines a username and password, MFA relies on an additional method to prove your identity. The desired combination includes factors based on:

  • Something you have (a mobile phone)
  • Something you know (a password)
  • Something you are (biometrics)

When you connect to an application (using a browser or a mobile app), using a powerful authentication solution typically follows this flow:

  1. You are initially prompted for a username and password.
  2. You then must validate using one or more factors, such as a one-time passcode (OTP) sent to your mobile phone or a fingerprint reader (or similar biometric method). 
  3. If any of the authentication steps are unsuccessful (for example, you cannot receive or read the one-time password, authentication will be unsuccessful until you can provide additional verification. 

Prevent credential stuffing attacks 

When a user’s account is stolen, it’s often the victim of a bot-powered credential stuffing attack. CAPTCHA challenges can be used to help combat bot traffic and attacks.

CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. Most people are familiar with the simple nature of these tests, but they pose a problem for most bots to solve.

In recent years, however, bots have become more adept at beating CAPTCHA tests in order to validate credentials and compromise accounts. Bots’ ability to consistently trick CAPTCHA stems from a key design flaw in the architecture –– the public key problem. Every major CAPTCHA system exposes its public key, making it easy for bots to scrape and submit the public key to one of these ‘CAPTCHA-solving-as-a-service’ companies.

Stytch has developed a CAPTCHA solution that removes the public site key from the equation, leaving users with the exact same experience, but making it impossible for bots to scrape and mass attack your application. If you’re interested in learning more about our stronger CAPTCHA solutions, you can talk to an auth expert to learn more about how Stytch can help you stop bots on your application.

Stytch’s password solution

Stytch recently launched a completely rebooted Passwords solution that innovates from the ground up to uplevel security and user experience and protect against data breach. 

Stytch’s Passwords solution also introduces novel security features like breach detection (powered by tools like HaveIBeenPwned) and a better strength assessment called zxcvbn (aka “lower qwerty”), which makes it easy for humans to generate passwords but hard for robots to crack them. We’re committed to making secure authentication that’s as frictionless as possible, so we leverage our Email Magic Link technology to reduce the steps from a traditional password reset.

Stytch also salts and hashes all passwords using Scrypt, before storing in an encrypted database that we manage. We wanted to ensure our Passwords solution is secure and built for performance — we decided on Scrypt in order to strike that balance.

Passwordless: the ultimate protection

Stytch offers a variety of solutions to ensure that password-dependent credentials are optimally secure. However, the ideal strategy for reining in password-related breaches is to remove passwords from the equation. Stytch’s passwordless approach is the ultimate weapon against compromised passwords, ensuring that your confidential information stays that way.

Stytch’s modular solution suite means that you can construct a passwordless approach best tailored to your product and your industry. For example, industries with stringent privacy standards such as Fintech and healthcare often benefit the most from enforcing OTPs as the primary mode of authentication and biometric validation or TOTP authenticator apps as the second factor.

The OTP provides security to the users, validating their identity by sending a message to their phone or email. This creates flexibility for the device type using the app. Biometrics, as the second factor, can be viewed as an additional layer of security, where the mobile app can only be opened and used from a given device.

For B2B saas applications like Slack and Microsoft Teams, it is often best to use a low-friction approach like Email Magic Links or OAuth. The email-based scenario provides an easy, low-friction authentication method, often used for full-desktop applications. Adding OAuth-based capabilities can also allow for single sign-on (SSO) integration with corporate credentials. 

Strengthen security with Stytch

Data breaches pose a tremendous risk for any organization, with compromised passwords proving to be a prevalent issue. Luckily, numerous scenarios are available to help optimize the security of your application or system and the integrity of your users’ account credentials. But ultimately, the best way to prevent password theft is to go passwordless. No master hacker can steal what isn’t there.

If you’re interested in learning more about how Stytch can help you maximize your password security or transition to a passwordless approach, discover our full suite of authentication products at Stytch.com.