When it comes to commodities, data is now one of the most valuable commodities there is. Back in 2006, British Mathematician Clive Humby even went as far as to argue that “data is the new oil.” Yet in the hands of cybercriminals, there’s one piece of data that’s digital gold: your password. 

Passwords, alongside other user data like names and email addresses, are an extremely valuable commodity for hackers, who regularly buy and sell this information on the dark web as part of an underground economy. Malicious entities then purchase this data knowing that it gives them the key to stealing an individual’s digital identity. 

In fact, ForgeRock released its fourth annual breach report today, the 2022 ForgeRock Consumer Identity Breach Report, which revealed that over 2 billion data records containing usernames and passwords were compromised in 2021, an increase of 35% from 2020.

Other records compromised included the victim’s name, address, Social Security number (SSN), date of birth, protected health information (PHI), and payment or banking details. 

For enterprises, this research highlights that traditional password-based approaches simply aren’t effective at preventing credential theft and thwarting the data breach economy. 

Recognising the weaknesses of password-based security 

One of the most shocking trends that emerged during the Covid-19 pandemic was the level of credential-theft taking place. For instance, a 2020 audit of the dark web found that there were over 15 billion passwords exposed online.  

As this figure continues to grow day by day, it’s becoming increasingly clear that passwords are as much a security liability as they are an authentication measure. 

“Usernames and passwords are the internet’s weakest link. The world has moved far beyond the point where a simple password can provide sufficient protection, and attackers know it. Spurred by the FIDO2 WebAuthn standard, the move to passwordless authentication is gaining momentum: it improves both security and ease of use for online access, while greatly diminishing the usefulness of stolen credentials by cybercriminals,” said ForgeRock CEO, Fran Rosch. 

The exploitability of passwords through phishing and social engineering scams is a reality that consumer vendors and enterprise security providers are trying to confront with the development of passwordless authentication solutions that enable users to login without passwords.  

This is happening most notably among the FIDO alliance, with vendors like Apple, Microsoft, Google, and even password management providers like LastPass, committing to developing passwordless login options to help protect users from credential-based attacks. 

With researchers expecting the passwordless authentication market to grow from a value of $12.79 billion in 2021 to $53.64 billion by 2030, it is likely that more providers will follow suit in developing their own passwordless sign-in options. 

How enterprises can mitigate credential theft 

While new passwordless authentication options are emerging every day, most enterprises are still reliant on passwords to keep out unauthorized users. This means it’s important to encourage employees to select strong passwords with a mix of uppercase and lowercase letters, numbers and symbols. 

At the same time, Rosch says that organizations can work to reduce the cost and impact of data breaches caused by credential theft, by deploying artificial intelligence (AI).

Rosch notes that with AI, organizations can use pattern recognition, machine learning, and behavioral analytics to identify and contain unauthorized access to data assets while providing known users with seamless access. 

Ponemon Institute research suggests that organizations can use AI to reduce the overall cost of a data breach by almost 80%. 

These controls can be strengthened further by using an identity and access management (IAM) solution to ensure that employees don’t have overprivileged access to lots of resources that attackers could exploit, and to help enterprises deliver a truly zero-trust working environment.