
Password Reuse Still Rife: 2021 Credential Exposure Report

The 2021 Credential Exposure Report revealed people inevitably end up reusing the same credentials (passwords) for multiple sites.


Researchers at security solutions provider SpyCloud recovered over 4.6 billion records of personally identifiable information (PII) and nearly 1.5 billion stolen account credentials from 854 data breach sources in 2020. In its 2021 Credential Exposure Report, the company revealed that the number of data breach sources increased 33% over 2019, with an average 2020 breach size of 5,455,813 records. SpyCloud’s researchers found that 60% of the credentials were reused across multiple accounts, which is what enables cybercriminals to launch account takeover attacks at scale.

Poor Password Security

The report indicated that the password reuse rate was unchanged from last year, which makes it easy for an attacker to take one stolen password and use it to hijack the same person's other accounts. “Despite years of advice about the importance of strong passwords, people inevitably end up reusing or recycling the same credentials for multiple sites. Outdated password complexity requirements have complicated the issue by providing people with a false sense of security when they recycle a favorite password with a few simple changes, like capitalizing the first letter and adding a 1 or ! at the end,” SpyCloud said.
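As an added illustration, not taken from SpyCloud's report or tooling, the Python below shows how a defender can treat the trivial mutations described above as the same password: a canonical form that folds case and strips trailing digit/symbol runs (generalising the "capitalize the first letter, add a 1 or !" pattern the report cites), a reuse-rate calculation over a small constructed credential dump, and a check that rejects a candidate password which is only a recycled variant of a known-breached one. The sample records, the BREACHED list and the reuse-rate definition used here (share of users holding more than one account whose passwords collide after canonicalisation) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample dump for illustration only: (email, site, plaintext password).
SAMPLE_DUMP = [
    ("alice@example.com", "shop.example", "Summer2019!"),
    ("alice@example.com", "forum.example", "summer2019"),
    ("alice@example.com", "mail.example", "Tr0ub4dor&3"),
    ("bob@example.com", "shop.example", "123456"),
    ("bob@example.com", "bank.example", "Password1"),
    ("carol@example.com", "shop.example", "corona2020"),
]

# Trailing run of digits and common "complexity" symbols, e.g. the "1" or "!"
# appended to satisfy a policy. Assumption: this generalises the report's examples.
TRAILING = re.compile(r"[0-9!@#$%^&*.?_-]+$")


def canonical(password: str) -> str:
    """Fold case and drop a trailing digit/symbol run so that recycled variants
    such as 'Summer2019!' and 'summer2019' compare equal.
    A password that is nothing but digits/symbols (e.g. '123456') is kept as-is
    so that it does not collapse to an empty string."""
    lowered = password.lower()
    stripped = TRAILING.sub("", lowered)
    return stripped if stripped else lowered


def reuse_rate(records, normalize=canonical) -> float:
    """Share of users with more than one account whose passwords collide after
    applying `normalize`. Pass `normalize=lambda p: p` for exact-match reuse."""
    by_user = defaultdict(list)
    for email, _site, pw in records:
        by_user[email].append(normalize(pw))
    multi = {u: pws for u, pws in by_user.items() if len(pws) > 1}
    if not multi:
        return 0.0
    reusing = sum(1 for pws in multi.values() if len(set(pws)) < len(pws))
    return reusing / len(multi)


# Constructed known-breached list (the report's most common values plus one
# seasonal password), stored in canonical form for O(1) lookup.
BREACHED = {
    canonical(p)
    for p in ["123456", "123456789", "12345678", "password", "111111", "summer2019"]
}


def is_recycled(candidate: str, breached: set) -> bool:
    """True if the candidate is a breached password or a trivial mutation of one.
    Suitable as a password-change check: reject on True."""
    return canonical(candidate) in breached


if __name__ == "__main__":
    print("exact-match reuse rate:", reuse_rate(SAMPLE_DUMP, normalize=lambda p: p))
    print("fuzzy reuse rate:     ", reuse_rate(SAMPLE_DUMP))
    for cand in ["Password1!", "Summer2020", "correct horse battery"]:
        print(f"{cand!r}: recycled={is_recycled(cand, BREACHED)}")
```

Run stand-alone, the exact-match rate over the sample is 0.0 while the canonicalised rate is 0.5: the two variants of "summer2019" that an exact comparison misses are exactly the kind of recycling the report describes, which is why a breached-password check should compare canonical forms rather than raw strings.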

Key Findings

  • Topical passwords – Not surprisingly, passwords frequently reflected current events. More than 1.6 million passwords included “2020.” Another 107,595 included “corona,” “virus” or “coronavirus.” Thousands more were found using “Trump,” “Biden,” “BLM,” “vote” and “mask.”
  • Plaintext credentials – The 1,486,416,779 exposed credentials include email addresses or usernames connected to plaintext passwords.
  • Most common passwords – As usual, the most common password found was “123456,” followed by “123456789” and “12345678.” “Password” and “111111” showed up more than 1.2 million times each.
  • Government accounts exposed – SpyCloud found 269,690 sets of credentials for .gov accounts. Password reuse for .gov emails was 87%, 27 points higher than the overall reuse rate.

“These staggering numbers indicate a continued threat for account takeovers, identity theft, and fraud at a time when people have been spending more time online during the Covid-19 pandemic. Criminals didn’t stop for the coronavirus. In fact, attackers have been able to use the disruption of the pandemic to their advantage,” said David Endler, Co-founder and Chief Product Officer at SpyCloud.

Related Story: 6 Practices to Strengthen Your Password Hygiene in 2020