The average password is reused 2.7 times
Despite the fact that credential stuffing using stolen passwords is one of the most common ways of breaching systems, new research from Balbix for this year's World Password Day finds that over 99 percent of employees reuse passwords across work accounts, or between work and personal accounts.
In addition the average password is reused not just once, but 2.7 times, and the average user is sharing eight passwords between all their accounts with 7.5 passwords shared between work and personal accounts.
The Balbix Threat Research Team randomly sampled data from more than 10,000 users across dozens of enterprise accounts representing every major industry. This data was fed into the cloud-based Balbix Brain, where risk likelihood and impact was calculated for every asset and attack vector, providing a prioritized view of the highest risk issues across the enterprise.
Although passwords are still a key part of most organizations' security they are an area where the business has relatively little control.
When targeting end user devices and accounts, such as SaaS and corporate intranet logins, adversaries rely on spraying perennial password favorites, very few of which change over time as lists of commonly used combinations show. The other main technique is credential stuffing using compromised passwords. With over four billion records compromised in 2019 across nearly 4,000 breaches hackers have plenty of material to work with.
The report's authors conclude, "Despite huge investments in user training, tools, and awareness passwords continue to be the Achilles Heel in most cybersecurity programs, leading to the vast majority of breaches. There aren't yet any complete password replacement technologies on the market, so unfortunately, passwords won't be going away anytime soon. That said, usage will continue to be adapted to make up for the shortcomings of the username and password combination."
The full report is available on the Balbix site.