Email Security

    How to Protect your Database against Password Leaks

    Cybercriminals want the companies they target to leak passwords. These strategies and tactics help prevent password database leaks.

    by Mercedes Cardona

    Key Points

    • Passwords are still a key factor in 80% of cyberattacks and a growing concern for security professionals.
    • Cybercriminals have many tactics for gaining access to passwords and can often use a leaked password to breach databases filled with other credentials.
    • There are ways to protect your database from password leaks, including requiring stronger passwords, adding multifactor authentication and restricting login attempts.
    • Best practices require constant attention. Security monitoring tools can automate some of these functions.


    Passwords are the keys that secure everything we own online. But analyzing the rash of recent data breaches, it looks like most people treat passwords like house keys: they don’t give them a thought until they lose them — or they’re robbed. Unfortunately, the bad guys know that.

    Stealing passwords is the most popular way cybercriminals break into systems and breach databases. Eight out of 10 breaches in 2020 featured either stolen credentials or a brute-force break-in trying multiple passwords, according to Verizon’s annual data breach survey.[1]

    Threat actors can find leaked passwords easily, and one set of credentials can sometimes open the door to hundreds of others. Here’s how: When a user creates a password, the text is “hashed,” or run through a one-way function that turns it into a fixed-length code, and that code, not the password itself, is stored in the database. In theory, even if cybercriminals breach the password database, the hashes are useless without knowing how they were produced. But with a valid password and its stored hash in hand, they can work out the hashing scheme and then test guesses against every other hash offline — which is like cutting a master key to all those passwords. That’s why, for example, in early 2021, 2.3 million records stored in the user database of the dating site MeetMindful were dumped on the Dark Web for free to any threat actor — including everything from encrypted passwords and Facebook IDs to dating preferences.[2]
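    The defence against the “master key” problem described above is in how passwords are stored. The following Python example is added here for illustration and is not code from the article or from any site it mentions; it contrasts an unsalted fast hash, where every user with the same password gets the same stored value, with a per-user random salt and a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library). The iteration count and record format are this example’s own choices, not values from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters are this example's own choices, not values from the article;
# tune the iteration count to your hardware and threat model.
ITERATIONS = 600_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a fast hash with no salt. Every user who picks the same
    password gets the same stored value, so one recovered password exposes them all,
    and a precomputed table of common passwords matches the whole database at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """The stronger scheme: a per-user random salt plus a slow key-derivation function.
    Returns a self-describing record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'
    so the parameters can be raised later without breaking existing accounts."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters and compare in
    constant time, so timing differences do not leak how many bytes matched."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


def same_password_distinct_records(password: str, iterations: int = ITERATIONS) -> bool:
    """True when two users choosing the same password still get different stored records,
    which is exactly what the salt buys: one cracked hash no longer unlocks the others."""
    return (hash_password(password, iterations=iterations)
            != hash_password(password, iterations=iterations))


if __name__ == "__main__":
    pw = "Summer2020!"  # constructed sample password
    print("unsalted, identical for every user:", unsalted_sha256(pw) == unsalted_sha256(pw))
    print("salted, distinct per user:         ", same_password_distinct_records(pw))
    record = hash_password(pw)
    print("stored record:", record)
    print("verify correct:", verify_password(pw, record))
    print("verify wrong:  ", verify_password(pw + "x", record))
```

The stored record carries its own salt and iteration count, so the database can be migrated to a larger cost factor account by account at each successful login. A purpose-built password hash such as Argon2 or bcrypt is preferable where a library for it is available; PBKDF2 is used here only because it ships with Python.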

    How Bad Password Data Breaches Happen to Good Companies

    A large proportion of database breaches involve a cybercriminal simply strolling in the front door using a legitimate password. This is particularly dangerous because valid credentials let a bad actor appear to be a genuine user going about their business while they extract the passwords of other users.

    Here are some of the common ways cybercriminals breach passwords:

    • Email Phishing with Social Engineering: In these attacks — almost always launched with a phishing email — cybercriminals con users into parting with their credentials willingly, by signing on to a fake website, for example. To do so, they conduct enough research first to gain knowledge about the user and their organization that helps the phishing email appear legitimate (that’s the social engineering part).
    • Brute force: Just like it sounds, a cybercriminal will use automated tools to try as many character combinations as it takes to “pick the lock.” They typically start with weak default passwords such as “0000” or “pasw0rd” and take it from there — if necessary.
    • Dictionary attacks: With a little thinking and a little brute force, a cybercriminal will figure out an organization’s user names (businesses often follow a standard format), and then use a bot to run common word-and-number combinations until one of them works.
    • Key loggers: This happens when a user’s device is infected with malware that tracks their actions online. The malware harvests not only passwords but also the websites they belong to, in order to breach those sites later.
    • “Man in the middle” (MITM) attacks: In MITM attacks, threat actors intercept, potentially alter, and then relay communications between two parties who believe they’re communicating directly. These enable a threat actor to collect all kinds of potentially useful information, including passwords.
    • Traffic Interceptors: Using technology such as packet sniffers — programs that analyze packets of information flowing online — cybercriminals can pick up unencrypted passwords or even those with weak encryption. Public Wi-Fi networks offer bad actors a good opportunity for these kinds of attacks.

    Verizon’s survey found password “dumpers” — malware that searches systems to make off with login credentials — have become the most popular malware variety among cybercriminals. Stealing what the Verizon study called “those sweet, sweet creds” is big business. Leaked password databases are available in the Dark Web for any cybercriminal to use in their exploits.

    The Cost of Password Database Leaks

    The damage from these password leaks can be daunting. The average cost of a single data breach to a business is $3.86 million, according to the Ponemon Institute’s annual Cost of a Data Breach report.[3]

    And that is merely the cost of remediation and business interruption losses. A breach can also cause loss of reputation with clients and vendors. A study of public companies found their stock prices dropped in the months following a data breach.[4]

    Early detection and quick response are crucial to minimize the damage. According to the Ponemon Institute survey, it takes businesses an average of 280 days to identify and contain a data breach — plenty of time for threat actors to do a lot of damage with leaked passwords. Meanwhile, new regulations such as the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) require quick notification to users whenever there is a breach, and set penalties for not complying. Under GDPR, companies have 72 hours from noticing a data breach to notifying the users affected.

    Protecting Your Database Against Password Leaks

    There are many leading practices that can help prevent password leaks. The Open Web Application Security Project (OWASP) suggests designing unpredictable behavior into your website to discourage cybercriminals and block their bots.[5] For example, using different messages every time there is a failed login would trip up bots that are looking for the same “wrong username or password” message as a trigger for another guess. The OWASP Testing Project, an open-source effort, has a series of Testing Guides that can help cybersecurity professionals assess vulnerabilities, such as weak password policies or password change functions.[6]

    Security monitoring tools such as password managers can help enable user logins to multiple apps and cloud services while keeping passwords safe. They can also operationalize basic password hygiene practices among your system’s users.

    Security Information and Event Management (SIEM) systems can flag an unusual number of login attempts that could be evidence of a brute-force attack in progress. Many SIEM programs will also lock out the user after a certain number of login attempts. Locking users out after a number of failed attempts can stop some “credential stuffing,” but beware of unintended consequences, because some denial-of-service (DoS) attacks use that tactic to lock out all your users. Captchas can also help block dictionary and brute-force attacks and other efforts using bots.
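    The two controls just described, flagging a burst of failed logins and throttling repeat attempts, can be shown in a few dozen lines. The Python below is an added example, not code from the article or from any SIEM product; it runs over a constructed authentication log (the line format, user names and addresses are invented for this example), flags source addresses that exceed a failure threshold inside a sliding window, and implements a per-(account, source) exponential backoff in place of a hard account lockout, which is one way to avoid the DoS side effect the paragraph warns about.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample authentication log; the format and values are this
# example's own and are not taken from any real system.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z login user=alice src=203.0.113.5 result=FAIL
2021-03-01T10:00:03Z login user=alice src=203.0.113.5 result=FAIL
2021-03-01T10:00:05Z login user=alice src=203.0.113.5 result=FAIL
2021-03-01T10:00:07Z login user=alice src=203.0.113.5 result=FAIL
2021-03-01T10:00:09Z login user=alice src=203.0.113.5 result=FAIL
2021-03-01T10:00:11Z login user=alice src=203.0.113.5 result=FAIL
2021-03-01T10:00:20Z login user=bob src=198.51.100.7 result=OK
2021-03-01T10:01:30Z login user=carol src=198.51.100.9 result=FAIL
2021-03-01T10:01:40Z login user=carol src=198.51.100.9 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Turn log lines into (timestamp, user, src, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Return the set of source addresses with at least `threshold` failed logins
    inside any sliding window of length `window` (the SIEM-style alert condition)."""
    recent = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()
    for ts, _user, src, result in sorted(events):
        if result != "FAIL":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


class LoginThrottle:
    """Exponential backoff keyed by (account, source address) rather than a hard
    per-account lockout: a flood of bad guesses from one address slows that address
    down without locking the legitimate user out from everywhere else."""

    def __init__(self, base_delay=1.0, max_delay=300.0):
        self.base = base_delay
        self.max = max_delay
        self.failures = defaultdict(int)

    def delay_for(self, user, src):
        """Seconds the caller must wait before the next attempt is accepted."""
        n = self.failures[(user, src)]
        return 0.0 if n == 0 else min(self.base * 2 ** (n - 1), self.max)

    def record_failure(self, user, src):
        self.failures[(user, src)] += 1
        return self.delay_for(user, src)

    def record_success(self, user, src):
        self.failures.pop((user, src), None)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("sources flagged for brute force:", detect_bruteforce(evts))
    throttle = LoginThrottle()
    for _ in range(5):
        print("next delay for alice@203.0.113.5:", throttle.record_failure("alice", "203.0.113.5"))
    print("delay for alice from another address:", throttle.delay_for("alice", "198.51.100.7"))
```

In production the failure counters would live in a shared store with expiry rather than in process memory, and a separate, much higher per-account threshold would still trigger an alert and a notification to the account owner. The detection function is deliberately source-keyed; a password-spraying campaign that tries one guess against many accounts shows up as many distinct users from one address, which the same per-source counter catches.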

    Multifactor authentication can strengthen security around your passwords, as can biometric identification, such as the fingerprint scan or facial recognition on your mobile phone.

    Go Back to the Basics

    A Google survey found 52% of users still recycle passwords and another 13% use the same one for all their accounts.[7] A few basic steps can help prevent your users from contributing to password leaks:

    • Require strong passwords: The Electronic Frontier Foundation recommends using dice and a list of words to generate truly random “passphrases.”[8]
    • Change passwords: IT professionals differ on whether users should change passwords every 30, 60 or 90 days, but that question is moot since most users don’t change them at all. In fact, a Carnegie Mellon University study found only 33% of users studied bothered to change their passwords after a data breach — and even then, most changed to passwords that were no stronger or weaker than before.[9]
    • Monitor passwords: Some browsers, such as Chrome, now warn individual users if their passwords have been compromised. You can also check the “Have I Been Pwned?” website to see if any email addresses or passwords have been compromised.[10]
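    Two of the steps above, generating a dice-style passphrase and checking a password against a breach corpus, can be done without ever sending the password anywhere. The Python below is an added example, not code from the article, the EFF or Troy Hunt. The word list is a tiny constructed one (a real diceware list has thousands of entries), the breached-password set and its counts are constructed for the example, and the “Have I Been Pwned?” range lookup is simulated offline: the real service takes the first five hex characters of the password’s SHA-1 hash and returns every matching suffix with a count, so the full hash never leaves the client; here a local function stands in for that HTTP call.

```python
import hashlib
import math
import secrets

# Constructed 32-word list for the example (5 bits of entropy per word).
# A real diceware list, such as the EFF's, has 7,776 words (12.9 bits per word).
WORDLIST = [
    "acorn", "basin", "cable", "delta", "ember", "fable", "gavel", "harbor",
    "ivory", "jumbo", "kayak", "lemon", "mango", "noble", "olive", "pixel",
    "quartz", "river", "saddle", "tiger", "umber", "velvet", "wagon", "xenon",
    "yacht", "zebra", "amber", "bison", "cider", "dune", "eagle", "fjord",
]


def generate_passphrase(words, count=6, sep=" "):
    """Pick `count` words uniformly at random with a CSPRNG (the software
    equivalent of rolling dice against a numbered word list)."""
    return sep.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(wordlist_size, count):
    """Entropy of a uniformly chosen passphrase: count * log2(list size)."""
    return count * math.log2(wordlist_size)


def sha1_prefix_suffix(password):
    """Split SHA-1(password) into the 5-char prefix sent to the range API and
    the 35-char suffix that is compared locally."""
    h = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return h[:5], h[5:]


def build_fake_range_response(breached, prefix):
    """Stand-in for the HTTP range lookup: return 'SUFFIX:COUNT' lines for every
    breached password whose hash starts with `prefix`. `breached` maps
    password -> constructed breach count."""
    lines = []
    for pw, count in breached.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def pwned_count(password, range_lookup):
    """How many times the password appears in the breach corpus (0 if never).
    Only the hash prefix goes to `range_lookup`; the suffix match happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    # Constructed breach corpus; the counts are invented for this example.
    breached = {"password": 3861493, "123456": 37359195, "qwerty": 3912816}
    lookup = lambda prefix: build_fake_range_response(breached, prefix)
    phrase = generate_passphrase(WORDLIST)
    print("passphrase:", phrase)
    print("entropy bits:", passphrase_entropy_bits(len(WORDLIST), 6))
    print("'password' seen in breaches:", pwned_count("password", lookup), "times")
    print("passphrase seen in breaches:", pwned_count(phrase, lookup), "times")
```

A registration or password-change handler can call `pwned_count` against the real range endpoint and reject any value above zero, which enforces the “monitor passwords” step at the moment the password is chosen rather than after a breach. The entropy figure makes the “require strong passwords” step measurable: six words from a 7,776-word list give about 77 bits, far beyond what an online guessing attack can cover.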

    The Bottom Line

    Other than going back to file cabinets, there is no way to completely breach-proof your database. But working with your users, you can put strong password practices in place that protect your database from password leaks and close the door on bad actors.

    [1] 2020 Data Breach Investigations Report, Verizon

    [2] “Hacker Leaks Data of 2.28 Million Dating Site Users,” ZDNet

    [3] Cost of a Data Breach Report 2020, Ponemon Institute

    [4] “What is the Cost of a Data Breach?,” CSO Online

    [5] “Blocking Brute-Force Attacks,” Open Web Application Security Project

    [6] “Testing for Weak Password Policy” and “Testing for Weak Password Change or Reset Functionalities,” OWASP

    [7] “Online Security Survey,” Google/Harris Poll

    [8] “Creating Strong Passwords,” Electronic Frontier Foundation

    [9] (How) Do People Change their Passwords after a Breach? Bhagavatula, Bauer & Kapadia, Carnegie Mellon University

    [10] “Have I Been Pwned?,” Troy Hunt
