Passwordless technology may be one of the most hyped categories in cybersecurity at the moment, but the reality on the ground is that passwords are still widely entrenched — and wildly insecure. Some 24.6 billion complete sets of usernames and passwords are currently in circulation in cybercriminal marketplaces as of this year, a report has found.
That’s four complete sets of credentials for every person on Earth and a 65% increase since the last time this study was conducted, in 2020.
The report from the Digital Shadows Photon Research team, "Account Takeover in 2022," shows that cybercriminals continue to profit handsomely from this reality with a record-breaking wave of credential thefts, account takeover attacks (ATO), and black-market sales of access to victim accounts.
Within the data set of credentials on the Dark Web, approximately 6.7 billion of the offerings had a unique pairing of username and password, indicating that the combination was not duplicated across databases. That's 1.7 billion more than what researchers found in 2020. The report shows that the markets selling these credentials are robust and sophisticated, with several subscription services emerging to offer criminal premium services for purchasing them.
'Endless List' of Breached Data
Further bad news for security folks is that many of the passwords examined in these stolen data stores were not very secure in the first place.
“Criminals have an endless list of breached credentials they can try, but adding to this problem is weak passwords, which means many accounts can be guessed using automated tools in just seconds,” says Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows.
To wit: Nearly one in every 200 passwords found in the credentials offered for sale by criminals is 123456. Of the 50 most commonly used passwords in those collated for the report, 49 can be cracked in less than one second using tools also commonly available in underground forums. So whether a criminal buyer purchases a list of stolen credentials or a password cracker, accounts using only these credentials are extremely vulnerable to attack.
Passwordless to the Rescue?
This is just one in a multitude of reasons why security advocates and technology-standards organizations have been pushing so hard for more usable passwordless technology across the globe. According to a recent Dark Reading report, only 26% of IT decision-makers said they work in a passwordless organization, and 87% admitted they had at least one credential category that still depended on passwords.
The most common systems they wished they could authenticate without passwords were workstation logins, legacy enterprise applications, and cloud applications. And those numbers primarily focus on business accounts without considering the even more thorny problem of consumer authentication, for everything from bank accounts to software subscription services.
One of the biggest pushes for passwordless authentication comes by way of the FIDO Alliance, which for more than a decade has been publishing standards for high-assurance authentication mechanisms to kick passwords to the curb.
Earlier this year, the Fido Alliance acknowledged “we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space” in its unveiling of a vision for multidevice FIDO credentials to be used in consumer use cases — important in the era of remote working from personal devices. These passkeys are more secure than passwords and are designed to make logins easier across mobile devices and desktops. In May, Apple, Google, and Microsoft reported that they’re going implement support for these standards in their platforms.
But in the meantime, Morgan explains that organizations can’t afford to ignore the ever-growing issue of stolen and trafficked credentials used for ATO.
“We will move to a passwordless future, but for now the issue of breached credentials is out of control,” says Morgan. “In just the last 18 months, we have alerted our clients to 6.7 million exposed credentials. This includes the username and passwords of their staff, customers, servers, and IoT devices. Many of these instances could have been mitigated through using stronger passwords and not sharing credentials across different accounts.”