Selling passwords for $US150, and other dumb ways users threaten corporate security

Ironically, the same employees surveyed who were often lax on corporate security were nevertheless vigilant about their own digital security

Corporate passwords for sale, $150 OBO. That, apparently, is how little some employees may take in exchange for compromising their company's security.

SailPoint's Market Pulse Survey, compiled from responses from 1000 workers from large companies with at least 3000 employees, offers vivid examples of how easily one person can create a lot of risk--and why passwords alone are simply inadequate.

Here are some highlights:

  • 1 in 7 employees would sell a corporate password for as little as $US150.
  • 56 per cent of those surveyed admit to reusing passwords across corporate applications they access.
  • 14 per cent of those surveyed claim to use the same password for every application. 
  • One in five of the survey participants routinely share login credentials with other members of their team. 

The reuse of passwords is particularly alarming. "Employees may have moved away from the post-it note password list, but using the same password across personal and work applications exposes the company," said Kevin Cunningham, president and founder of SailPoint, in a statement.

Sharing passwords with other coworkers is probably seen as a friendly or expedient thing to do. Unfortunately, it makes it much more difficult to contain or enforce password security, or to trace the source of a breach or compromise.

Lax at work, worried at home

While many of the employees surveyed apparently were lax about corporate security, they were cautious about their personal online security. Twenty per cent of those surveyed said they'd been the victim of a data breach. Ironically, the same proportion (20 per cent) said they'd stop doing business with a company that put their data at risk- like maybe their company?- and fully half said they'd tell their friends and family to do the same.

Even on a personal level, individuals routinely make dumb choices when it comes to password security. A recent segment on Jimmy Kimmel Live illustrated exactly why password security is inadequate: People on the street were willing to share information about their passwords related to how they come up with them. One couple revealed they use the name of a pet combined with a memorable date.

The people interviewed didn't blatantly share their passwords, but by sharing relevant details on national television they put themselves at risk. It is not difficult to find out what the name of the person's pet, and then it's just a matter of identifying dates that might be significant, like birthdays or anniversaries.

I hope you wouldn't sell your corporate password to the highest bidder or give hints to help people crack your password. Even if you follow solid password security practices, though, passwords alone are still inherently insecure.

That's why two-factor authentication makes sense. You just have to find the right balance between ensuring your accounts and data are secure, without making access so difficult that it's impractical and unreasonably inconvenient.

Join the CSO newsletter!

Error: Please check your email address.

Tags password securitytwo-factor authenticationsecurityinsider threatsdata breach

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tony Bradley, Melissa Riofrio

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place