A report published by F5 Labs today finds that while the total number of credential spills involving large numbers of username and password pairs doubled from 2016 to 2020, the volume of spilled credentials has been steadily declining over the same period. The average spill size declined from 63 million records in 2016 to 17 million records in 2020.
Sara Boddy, senior director for F5 Labs, said that while the survey results may be indicative of some level of cybersecurity progress, the fact remains that cybercriminals have large numbers of username and password pairings at their disposal for launching credential stuffing attacks.
The report finds organizations that store passwords as plaintext are responsible for, by far, the greatest number of spilled credentials, and that the widely discredited hash algorithm for storing passwords, known as MD5, remains surprisingly prevalent.
Organizations are also struggling with detecting when a credential spill has occurred. Between 2018 and 2020, the median time to discovery of a credential spill was 120 days. The average time to discovery was 327 days. Credential spills are detected on the dark web long before organizations disclose a breach.
Cybercriminals are also becoming more discreet. Sophisticated cybercriminals are using compromised credentials in stealth mode for roughly a month before making it publicly known they have been made available to other cybercriminals, the report notes.
Boddy said the report makes it clear that continued reliance on username and password-based approaches to cybersecurity is not especially sustainable. While there may be no silver bullet when it comes to authentication, there are other approaches, such as multifactor authentication, that are more effective. Most end users rely on variants of a core set of passwords to access a wide range of applications and systems. Cybercriminals are getting more adept at guessing what those variants are once they collect a set of credentials that have common themes. More troubling still, the number of credentials that have been stolen makes it feasible for cybercriminals to apply machine learning algorithms to deduce what combination of username and password to employ.
Passwords, of course, have long been employed in a military context to distinguish friend from foe. The assumption has always been that guards would change the password each day. Modern end users not only don’t change their passwords very often, they also freely share them with others.
It’s not likely cybersecurity professionals will eliminate reliance on usernames and passwords overnight. However, there’s a compelling case to be made for supplementing usernames and passwords with other authentication protocols when end users are accessing critical applications and systems. The challenge, of course, is convincing business leaders to fund that extra level of protection. In the absence of that added security, however, Boddy said it’s now only a matter of time before nefarious entities take over the Web; after all, they’re currently generating massive amounts of revenue at the expense of organizations and individuals.