The password hygiene message still isn't getting across to consumers
According to a new report from SpyCloud, 70 percent of breached passwords are still in use and 64 percent of consumers repeat passwords across multiple accounts.
Researchers identified 1.7 billion exposed credentials, a 15 percent increase from 2020, and 13.8 billion recaptured personally identifiable information (PII) records obtained from breaches in 2021.
There's been a four-point increase in password re-use over the 2021 report, reflected in the ease with which attackers can use one stolen password to compromise multiple accounts. More than 82 percent of the reused passwords analyzed consisted of an exact match to a previous password, and 70 percent of users tied to breaches last year and in earlier years are still using an exposed password.
"Reused passwords have been the leading vector in cyberattacks in recent years, and the threat of digital identity exposure is a growing problem," says David Endler, co-founder and chief product officer of SpyCloud. "The findings of our annual report show that users are still not taking password security as seriously as they should. The threat of account takeover is not enacting wholesale improvements to consumer cyber hygiene, and that's an alarming thought given the frequency of digital identity fraud."
The report also identifies a strong correlation between current events and chosen passwords. Report data showed passwords tied to numerous TV shows and movies in 2021, as well as pop and sports culture, including Britney Spears, the COVID-19 pandemic and Major League Baseball World Series Champion the Atlanta Braves.
Among other findings, SpyCloud discovered 611 breaches containing .gov email addresses, 81 percent of the overall total breach sources recaptured. In total, the team found 561,753 credential pairs (email addresses and plaintext passwords) from government agencies internationally.
Endler adds, "The best defense to safeguard your company, customers and employees is to protect users from themselves by preventing them from selecting previously exposed passwords upon account creation or account password change, and monitoring for third-party exposed credentials and resetting them as quickly as possible after an exposure."
You can read more in the full report on the SpyCloud site.