Thycotic with Cybersecurity Ventures have released a joint market report that evaluates the current and future state of password security. The report found that the total number of user and privileged accounts that will be at risk, including a combination of human and machine passwords, will surpass 300 billion passwords by 2020.
According to the report, more than 3 billion user credentials and passwords were stolen in 2016, with 8.2 million passwords being stolen every day and approximately 95 passwords stolen every second. Through data analysis, security experts at Thycotic and Cybersecurity Ventures concluded the potential for up to $6 trillion in cybercrime damages by 2021. While there is clearly a margin of error based on several variables—most notably the number of Internet of Things (IoT) devices— Cybersecurity Ventures and Thycotic believe that the password attack surface will inevitably grow by an order of magnitude over the next four years.
“It is a very scary truth that everyone, especially those running businesses, should aware of. Our passwords are not safe which is concerning as they are literally the key to some of the most important information that businesses hold,” said Joseph Carson, CISSP, CSPO, CSP, Thycotic. “Privileged account passwords especially are prime targets for hackers for good reasons. One privileged account password breach can allow a hacker to access and steal the credentials and passwords belonging to every employee in a company.”
As an example of the type of opportunities for passwords being compromised, the report shows that companies on the Fortune 500 list in 2015, employed a combined 27 million people – a number which has since grown. Thycotic experts estimate that these employees in 2020 will have an average of 90 accounts (combination of business and personal) requiring login IDs and passwords. That would put the total number of passwords belonging to Fortune 500 employees at 5.4 billion in 2020. While employees have their own login credentials — there’s a proportionately small number of privileged users (typically IT and system administrators) who each have access to hundreds, and sometimes thousands, of login IDs and passwords.
“As the total universe of passwords will likely grow to 300 billion by 2020, organizations across the world face an enormously growing cyber security risk from hacked or compromised user and privileged accounts,” said Steve Morgan, editor-in-chief, Cybersecurity Ventures. “We felt it was extremely important to team up with an industry leader, such as Thycotic, to bring awareness to the tremendous vulnerability everyone is at risk for as the number of passwords continues to grow. This report will help to assist cyber defenders and educate the broader global community through a statistical analysis of the massive password expansion and associated challenges that lie ahead of us in the years to come.”
Approximately five percent of Fortune 500 employees are privileged users, putting the number of people with privileged account access at 1.35 million. These numbers provide a huge opportunity that hackers love to exploit and put businesses of all sizes at risk.