News & Views

SecurEnvoy comments on World Password Day

World Password Day underscores a hard truth: stolen credentials – not weak choices – drive 22% of breaches. With VPN password compromise on the rise, we talk to Michael Downs, Vice President, SecurEnvoy, for his views.

“World Password Day is a good reminder that passwords aren’t failing because people choose bad ones, they’re failing because stolen credentials are still an initial access vector in 22% of all confirmed breaches. The Colonial Pipeline attack in 2021 came down to a single compromised password on a VPN with no second factor. Five years on, password governance and hygiene remain poor, with 88% of organizations having stale but enabled ghost users that still provide access to accounts and information.”

“The problem isn’t that people need to choose stronger passwords but that password hygiene alone won’t protect you once credentials are leaked or bought on the dark web – and they get leaked constantly.”

“Only 47% of organizations have deployed MFA as standard, which means the majority are one credential leak away from a serious incident. Attackers know this, which is why access brokers have made a business out of selling working login details to whoever wants them.”

“If there’s one thing worth doing today, it’s auditing which of your systems still rely on a password alone and asking why MFA isn’t on them yet. That’s a more useful exercise than a reminder to use a capital letter.”
