Password Failure: 30 Percent of CEOs Have Been Pwned

A recent F-Secure study of 200 CEOs’ corporate email addresses found that in 30 percent of cases (and 38 percent in the U.S.), a service they registered for with their company email has been hacked, and the password they used for that service has been leaked.

The most common previously breached services for CEOs to link their corporate email to are LinkedIn and Dropbox.

Eighty-one percent of CEOs have had their email addresses and other information such as birthdates, addresses and phone numbers exposed online in spam lists or leaked databases.

“This study once again underscores the importance of proper password hygiene,” F-Secure CISO Erka Koivunen said in a statement.

“We can assume that… many of the services we’ve created an account in have already been compromised, and the old passwords are out there on the Internet, just waiting for targeted, motivated attackers to try them against other services,” Koivunen added.

Password Practices

A separate Dashlane survey of more than 500 IT administrators and enterprise employees found that 46 percent of employees use personal passwords, which are often weak and meet bare minimum requirements, to protect company data.

Notably, more than 70 percent of employees said they’re not concerned about causing a breach, and 17 percent said they would trust a friend with their work passwords.

Still, 45 percent of IT admins say they aren’t concerned about bad password practices in the workplace, and 70 percent don’t consider an employee password getting into the hands of a hacker to be one of their top five IT-related concerns.

One in five employees don’t know if their company has a password policy, and almost one in three don’t know if they follow it. More than half of the employees who are entrusted with password-protected systems, data and devices receive no security training.

Over 75 percent of IT admins believe their employees have password fatigue — frustration resulting from having to remember too many passwords as part of their daily routine.

Improving Authentication

According to the 2017 State of Authentication Report from Javelin Strategy & Research and the FIDO Alliance, based on surveys of 400 U.S. businesses as well as interviews with industry executives, just five percent of businesses offer high-assurance strong authentication to their customers or leverage it internally.

Weaker authentication options remain prevalent — 31 percent of companies use passwords plus static questions for customer authentication, and 25 percent use SMS one-time passwords. Within the enterprise, 26 percent use passwords plus static questions. “Factors predicated on possession such as a security key or on-device biometrics remain the exception and not the norm,” the report states.

Strikingly, over half of survey respondents protect IP and company financial information using only passwords.

“Although traditional strong authentication is widely used by businesses in the enterprise, this does not mean all systems and data are secured with anything better than a password,” the report states. “Most aren’t.”

Multi-factor authentication and identity and access management are two possible solutions to the problem.

Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Top Products

Related articles