Popular work-related services fail to prevent leaked passwords
Preventing the use of weak and leaked password within an enterprise environment is a manageable task, but what about other services where employees share business-critical data in order to do their work? The researchers at Specops Software investigated the requirements of five common web services to see if leaked passwords could open the door for hackers looking for company information outside of the network. In other words, if a hacker is unable to access a company’s data directly, they might use the backdoor approach of accessing a service used by the company to learn where that company is vulnerable. The findings highlight a major cyber-security weakness where employees could use weak or previously leaked passwords for these services, often with little or no strong authentication in place.
The Specops researchers investigated five popular services from a variety of industries such as ecommerce, project management, email marketing, and customer support. The analysis compared the password requirements against a subset of the Specops Breached Password Protection list, containing 1 billion known compromised passwords.
Shopify fails to prevent compromised passwords
The ecommerce giant, Shopify, is used by more than 3.9 million live websites globally. While Shopify does offer two-factor authentication (2FA), it is not a requirement when creating an account. Shopify does not perform a compromised password check.
Shopify’s password requirements:
- Your password must be a least 5 characters, and can’t begin or end with a space
When checking the list of 1 billion known breached passwords, the Specops researchers found that 99.7% of the passwords meet Shopify’s requirements. Example passwords that meet this requirement and are known to be compromised include:
Shopify doesn’t prevent the use of the word Shopify in passwords on the service, resulting in 18 passwords found containing the name, such as shopifyseoexpert, shopify, shshopify, myshopify, and shopify123.
Zendesk prevents less than 2% of compromised passwords
Zendesk, a SaaS company providing customer communication and support services, offers 2FA when creating a new account with the service, but it is not a requirement. Zendesk does not perform a compromised password check, resulting in password being accepted.
Zendesk’s password requirements:
- Must be a least 5 characters
- Must be fewer than 128 characters
- Must be different from email address
The Specops research revealed that of the 1 billion compromised analyzed, 99.03% satisfy the Zendesk password requirements, which require at least 5 characters and that the format of the password not mimic that of an email address <some characters>@<some characters>.<some characters>.
Zendesk doesn’t prevent the use of the company name in the password, resulting in five compromised passwords found containing the word Zendesk:
Trello blocks less than 13% of known breached passwords
The Kanban-style project management service, Trello, does offer 2FA but this is not a requirement when creating an account. Trello does not perform a compromised password check.
Trello’s password requirements:
- Password must have at least 8 characters
Of the 1 billion known breached passwords checked, 82.9% meet Trello’s requirement of 8 characters in length. Trello does not stop to use of the word Trello in the password creation, which resulted in 1454 passwords in the analyzed dataset. Some examples include:
Stack Overflow prevents 46% of compromised passwords
Stack Overflow, a public forum where developers go to learn and share knowledge, employs more complexity in its password policy, which blocks nearly half of the 1 billion compromised passwords analyzed. Stack Overflow does not appear to offer 2FA or perform a compromised password check.
Stack Overflow’s password requirements:
- Passwords must contain at least eight characters, including at least 1 letter and 1 number
Some examples of passwords that are known compromised passwords, yet meet the Stack Overflow requirements include:
Stack Overflow does not block the use of the service name in passwords, resulting in compromised passwords such as stackoverflow1993, stackoverflow1, and stackoverflow1111 being allowed.
Mailchimp blocks 98% of known compromised passwords
Email marketing service, Mailchimp, is the best performing of the work-related services analyzed. This is thanks to enforcing a complex password policy, although it is likely this level of complexity can cause other poor password behaviors such as password reuse and passwords being written down. Mailchimp does not require 2FA, perform a compromised password check or block the use of the word mailchimp in passwords.
Mailchimp’s password requirements:
- One lowercase character
- One uppercase character
- One number
- One special character
- 8 characters minimum
While Mailchimp would successfully block 98.7% of known breached passwords based on the password requirements alone, the fact that the service doesn’t check for compromised passwords means that Password1!, a password that appears on Specops Breached Password Protection, is allowed.
What IT can do today
While these work-related services are not necessarily in the control of the IT department, IT’s hands are not completely tied. IT departments should work to reduce the overall password burden, employing tools such as an enterprise password manager or a single-sign on solution. Employees should be encouraged to use 2FA whenever possible. For the corporate environment, the IT department needs to block the use of known compromised passwords in Active Directory, require longer passphrases and use password expiration as a tool to mitigate against the password reuse problem.
Passwords are easy to attack because people often use vulnerable passwords that are easily guessed or already compromised. These passwords are vulnerable because people reuse them across various personal and professional platforms, and because they follow typical patterns and themes at the point of creation. This makes it more likely that they end up on breached lists which are then used repeatedly in password attacks.
Making passwords complex creates passwords that are difficult for people to remember, and easy for hackers to exploit. As long as people reuse passwords, making these more secure comes down to disallowing all known compromised passwords and enabling MFA whenever possible. Learn more about the problem with password reuse in the 2022 Weak Password Report.