New data focusing on user cyber hygiene around password use shows users are repeatedly reusing passwords across multiple applications and environments, despite the rise in breaches.
The only thing worse than a weak password is a weak password that has been breached and that the user is still using! And it’s this negligent reuse of passwords that are the general findings of SpyCloud’s 2022 Annual Identity Exposure Report.
According to the report, 2021 saw a total of 1.7 billion exposed credential pairs (email address and password) across 755 breach sources. That represents a 15% increase from 2020 with only 1.4 billion. And there’s little excuse for individuals not knowing they are part of a breach; breach notifications are sent out in most every case and even browsers like Chrome (when passwords are stored within the browser) let the user know one or more of their passwords are insecure and part of a list of breached passwords.
When reviewing the email address / password pairs exposed in 2021, SpyCloud also found that users simply aren’t learning their lessons about using unique passwords per application:
- 70% of users breached in 2021 were still reusing the same exposed passwords found in previous years’ breaches
- 82% of users with at least 2 exposed credentials had exactly matching passwords in both breaches
With over 100 passwords to keep track of on the average, you’d think users would be using some form of a password manager. But, according to SpyCloud, only 22% use one and users admit to simply relying on memory.
Organizations need to take the risk potential of reused passwords seriously; cybercriminals take breached password lists and automate logons against all the major banks, productivity platforms, etc. in an attempt to gain access. Users can be taught better password hygiene through Security Awareness Training that will explain why they are at risk and how threat actors take advantage of reused passwords that may affect the user at work and in their personal life.