How to Detect a Password Breach in Your Company

It’s no secret that in today’s information-rich society, data is often your organization’s biggest asset. It’s vital to keep your IT systems secure to protect that data from thieves and fraudsters. But since most systems still rely on outdated authentication methods such as prompting for usernames and passwords, this is easier said than done.

One of the biggest problems is that in many cases, employees and customers continue using passwords that are not just easy for criminals to crack—they’ve actually already been compromised, in part thanks to people using the same password in many places. 

So how can you tell whether a user’s password is secure? How can you detect when a password breach happens? And how can you prevent these problems from happening in the first place? Read on to find out more.

According to the 2022 Verizon Data Breach Investigations Report, 82% of IT security breaches involve a human element such as phishing or stolen credentials, and there has been a 30% increase in stolen credentials in the past 5 years.² Lists of breached passwords are constantly circulating on the dark web, and security experts have reported files containing literally billions of passwords in plain text.³

Worse still, those lists are only going to get longer, because new password breaches are happening all the time. If you read technology news sites, it’s rare that a week goes by without a new story about credentials being leaked, exposed, or stolen. Many of us have received unsettling emails from online service providers warning that our personal information may have been exposed by an attack on their databases.

While there are numerous ways password breaches can occur, they generally fall into two categories: targeted attacks, where a criminal focuses on obtaining credentials to gain access, and automated attacks, which don’t deliberately target any particular user account or system but attempt to compromise on a broader scale.

Targeted attacks

Guesswork

When businesses don’t enforce sufficiently rigorous password rules, users often choose weak passwords that are easy for attackers to guess. For example, passwords based on a child or partner’s name or date of birth are easy targets. However, this type of breach does require the attacker to have some knowledge of the victim’s life, family, or interests, so it requires relatively high effort from criminals.

Industrial espionage

Despite the obvious security risk, users often write down passwords that they find difficult to remember and keep them close to their workstations. If an attacker can gain physical access to your facility, they can easily harvest these credentials for use in subsequent attacks. They could also potentially install keylogging software on your users’ PCs, allowing them to capture passwords as users type them.

Automated attacks

Brute-force Attacks

Attackers can use brute-forcing tools to test your authentication process by trying millions of combinations of usernames and passwords automatically. Combining these tools with the huge lists of passwords harvested from previous breaches that are available on the dark web can massively improve the odds of success—because despite all advice to the contrary, many people use the same password across some (or all) of their online accounts. This means that if even one of a user’s online services suffers a data breach and their password finds its way onto a password list, criminals can easily breach all of their other accounts, too. For a more in-depth look at brute force attacks, read this blog on everything you need to know about brute force attacks.

Phishing

Phishing is an example of “playing the man and not the ball”. Instead of attempting to steal passwords directly, an attacker using phishing tries to trick users into freely volunteering their username, password, and other personal information to the attacker. For example, an attacker could send an email that purports to be from the user’s bank and includes a link to a fake website that looks just like the bank’s login page. If the user falls for it and enters their username and password, the information is sent to the attacker, not the bank. 

Phishing attempts are often blocked by email services, yet even experienced users can be fooled—the success rate doesn’t need to be high for it to pay dividends. Automated tools enable attackers to send out millions of phishing emails every day, and if even a small percentage get through to vulnerable users, the scam will pay off.

Hacking

The most serious, high-profile, and embarrassing password breaches occur when attackers are able to break into company systems and access users’ password data directly. These days, it’s rare for companies to store passwords in plain text. However, if the passwords are hashed, once attackers get hold of the data, they can use automated tools to crack the hashes and obtain the original passwords.

In some cases, these types of breaches may leak thousands or even millions of passwords in a single attack, making them one of your IT security team’s worst nightmares.

Fortunately, the existence of breached password lists doesn’t only benefit attackers—these lists are also a key resource for building better password security. The best-known tool in this area is haveibeenpwned.com, a website that allows users to enter a password (securely!) and check whether it can be found in a gigantic list of breached passwords. This helps users decide whether their new password is likely to be a safe choice or whether it’s already been compromised.

Many identity management providers build a similar approach into their authentication tools. For example, when a user registers for a new account and enters the password they’d like to use, the tool automatically checks that password to see whether it’s already been revealed in a breach. If it has, the user is then prompted to choose a different, more secure password.

1. Comprehensive Database Access

A critical factor when choosing a breached password detection service is the breadth and depth of its database sources. The security landscape evolves quickly, and for your organization to stay ahead of password-based threats, it’s essential that your detection tool taps into multiple data sources. Services that integrate with well-established databases like Have I Been Pwned provide a solid foundation, but this is just the tip of the iceberg.

Look for services that go beyond basic lists by incorporating data from industry-specific breaches and global password leaks. For example, many services draw from databases that track over 600 million compromised credentials, ensuring that even the most obscure or niche breaches are detected. The more expansive the database, the more effective the service will be in identifying compromised credentials that could otherwise slip under the radar.

In addition to global breaches, a service should include commonly used patterns, leetspeak, and variations of compromised passwords. These added layers of detection improve the odds of catching outdated, weak, or reused passwords that often fall prey to attackers.

2. Automation and Real-Time Updates

Manual management of password detection and updates is both cumbersome and inefficient. A good password detection service should offer automated updates to its breach database to keep up with new incidents and threats. This means no more relying on manual uploads or tedious processes to update your banned password list. Automation ensures that as soon as a breach is detected, the service reflects it, so your defenses remain constantly up-to-date without intervention.

Another key feature to look for is real-time detection. Ideally, your detection service should be able to flag compromised passwords as they are found and alert your team immediately. This reduces the window of vulnerability between breach detection and remediation, preventing unauthorized access or misuse of stolen credentials. Real-time alerts should be configurable based on the severity of the threat, so you can fine-tune your notification system to avoid overload while ensuring that critical breaches don’t go unnoticed.

3. Ease of Use and Reporting

A password detection solution is only effective if it’s easy to use and provides actionable insights. Look for a service with a user-friendly dashboard that allows admins to quickly assess the status of password security across their organization. The service should provide a clear overview of which accounts are at risk, whether a password is found in a breach, and what remediation steps need to be taken.

Reporting tools are another important aspect. Detailed, automatic reports can save admins time and effort when auditing password policies and compliance. For example, if your organization is subject to regulations like HIPAA or PCI DSS, the service should automatically check passwords against industry standards and generate compliance reports. These reports should clearly highlight areas of concern, such as weak passwords or non-compliance with security standards, making it easier for admins to take corrective action quickly.

4. Managed Updates and Customization

For large organizations or those with complex infrastructures, the ability to customize and manage password policy enforcement is crucial. A good detection service should allow administrators to easily update and customize banned password lists without manual intervention. Whether you’re managing a few hundred or several thousand accounts, manual updates can be time-consuming and prone to errors.

Look for services that provide managed updates—this could include everything from external list additions to dictionary updates for all user accounts. Moreover, tools that automatically apply these updates to Active Directory (AD) and sync across your entire network can help eliminate the risk of oversight. Customizability is key. A service should allow you to adjust settings based on specific needs, whether it’s enforcing more stringent password policies or blocking a set of known weak passwords that might not yet be on the standard list.

5. Compliance and Industry Standards

Compliance is non-negotiable for many organizations, especially those in regulated industries. Whether you’re in healthcare, finance, or retail, adhering to standards such as PCI, HIPAA, or NIST is critical not just for protecting data but also to avoid costly fines. Breached passwords are often a point of failure in compliance audits, which makes it even more important to choose a detection service that aligns with these standards.

A robust password detection service should help you monitor and enforce compliance with industry-specific password policies. Look for tools that can cross-reference your internal password policies against those set forth by regulatory bodies. This includes blocking passwords commonly found in data breaches and ensuring they meet the security standards mandated by your industry.

The service should also be capable of producing detailed reports that show how your organization stacks up against the required compliance standards. This will make it easier to pass security audits and prove that your company is proactively protecting user data.

Automatically checking whether a password has already been breached is a good first step towards preventing malicious attacks and fraudulent activity such as account takeovers and identity theft. But preventing password breaches altogether is a more difficult problem.

At Ping, we believe the long-term solution is to phase out the use of passwords altogether. Modern passwordless authentication technologies can:

• Strengthen your security model—because if passwords don’t exist, there’s nothing for attackers to breach.
• Enhance your user experience—because users no longer need to remember complicated passwords or risk getting locked out of your systems.
• Reduce your IT costs—because helpdesk teams don’t need to spend time helping users with password resets.

If you’d like to learn more about how Ping can help you take your first steps towards a passwordless future, start here to get everything you need to know about passwordless authentication and how to make it a reality.

^1. 2022 Data Breach Investigations Report, Verizon

^2. 2022 Data Breach Investigations Report, Verizon

^3. RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries, Cybernews