False negatives from online password breach tools could be giving your organisation misplaced confidence, regarding its cyber security status. Right now, your data and documents could be exposed and being exploited despite your best intentions and being given the green light, says Sinisha Patkovic of Authlogics.
There is no sign of threat posed by breached passwords abating, despite advances in technology, greater awareness about cybersecurity and the potential for stiff penalise to be imposed by regulators. If anything, the problem is growing. Last month, ITProPortal reported that 83% of organisations that experienced a data breach in the last 12 months attributed the cause to a compromised password or stolen identity.
In recent weeks Ubisoft announced that it would be conducting a company-wide password reset, as a result of a cyber security incident. Meanwhile, it has been reported in the past few days that in January, hackers were able to access a spreadsheet of passwords relating to domain administrator accounts of the customer service company Sitel. According to an article published by TechCrunch it was exported from an employee’s LastPass password manager. Worse still, it is suggested that it led to the subsequent compromising of the authentication company Okta.
To highlight the sheer scale of the password breach problem, Authlogic published a blog in 2017 which stated there were 306 million passwords known to have been compromised (pwned) in data breaches. It was a shocking statistic at the time, however, today, the figure is more than four billion records and growing. Checking whether an account has been pwned is quick, simple, and free, however exercise caution because not all free online services are made equal, even if have the very best of intentions. Put simply, if you want to have confidence in your results, then you need to test your accounts against the largest possible database of up-to-date breach records, anything less and you run the real risk of a false negative.
As the saying goes, there is a difference between doing the right thing and doing things right. Checking the breach status of passwords is always the right thing to do. Just be sure it is being done in the right way. Once you know your breach status, you can take immediate corrective action, and take steps to prevent passwords from ever being a vulnerability for your organisation.
The tools are available, affordable and accessible, whether you are a sole trader, or the largest enterprise. Should your organisation succumb to a data breach as the result of a preventable password attack, the phrase Ignorantia juris non excusat will almost certainly apply.
The author is Sinisha Patkovic of Authlogics.