Connect with us

Hi, what are you looking for?


Identity & Access

Social Media Passwords Provide Easy Route into Corporate Networks

A combination of ‘security fatigue’ among users and inadequate password controls among the social media giants is providing a large attack vector for cybercriminals. This is the conclusion of a newly published survey that queried more than 250 security professionals at the RSA Conference in San Francisco in February 2017.

A combination of ‘security fatigue’ among users and inadequate password controls among the social media giants is providing a large attack vector for cybercriminals. This is the conclusion of a newly published survey that queried more than 250 security professionals at the RSA Conference in San Francisco in February 2017.

The survey (PDF), conducted by Thycotic, found that password hygiene is severely lacking even among security professionals. It found, for example, that 50% of security professionals have not changed their social network passwords for a year or more, and 20% have never changed them. When this is coupled with social networks not enforcing their own security options, the result is a weak underbelly for criminals to get into corporate networks.

“As we know,” said Joseph Carson, Chief Security Scientist at Thycotic, “social networks give away a lot of private information. For people to not consider changing their passwords on a regular basis on their Facebook, Twitter and LinkedIn accounts, they are easily allowing hackers to access information that will grant them access to other facets of their lives, like their work computers and email. Not only is this a huge vulnerability, but this is also a flaw within large social networks that don’t remind or make it clear and transparent to the user about the age or strength of the password or best practices.”

It is a combination of factors that creates the problem. Users still use weak passwords and reuse them across multiple accounts. Thirty percent of the security professional respondents have used or are still using birthdays, addresses, pet names or children’ names for their work passwords — and all of these are easily crackable. 

The problem is made worse by the increasing use of social media logons, where separate internet services allow users to log on with their Facebook, LinkedIn or Twitter password. “Social Logins creates a major security risk because it becomes the master key for all other accounts,” Carson told SecurityWeek. “The problem stems further because it is not a proper vault and is used for more than just social logins — such as for communication, email, browsing and online shopping — so it is easily targeted and exploited.”

One concerning implication from this survey is that user awareness training cannot solve the problem. The poor password practices of the respondents, said Carson, “is an indication that even security professionals continue to use weak passwords for social accounts and that cyber awareness training and cyber hygiene still has a lot of room for improvement. Much of this is a result of cyber fatigue and lack of built-in automation for social accounts.”

According to Verizon’s 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. “The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works,” the DBIR says.

Advertisement. Scroll to continue reading.

Forrester Research puts the breach figure even higher, estimating in its ‘Forrester Wave: Privileged Identity Management, Q3 2016’ report that up to 80% of breaches involve the abuse of privileged accounts. Thycotic’s own research indicates that use of passwords as the primary authentication control is still growing, estimating that the 90 billion passwords currently in use will grow to 300 billion by 2020.

Carson does not believe that the solution can simply be awareness training and improved password practices. “There is no such thing as an uncrackable password,” Carson told SecurityWeek; “but you can make it very difficult with the computing power plus time to crack the password — which can deter the attacker from even trying to crack the password. In most cases, it is easier for the attacker to ask the user to tell them the password via phishing scams.”

But the big takeaway from Thycotic’s survey is that users — even those users who should know better — simply are not making it hard for the criminals. Coupled with the disinclination of social media giants to enforce strong access requirements, social media is providing an easy route into employees’ accounts; and from there into corporate privileged accounts. Users, suggests Thycotic, cannot be relied upon to protect their passwords, making technology-based privileged account management an absolute necessity.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...


Government agencies in the United States have made progress in the implementation of the DMARC standard in response to a Department of Homeland Security...

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Application Security

Microsoft on Tuesday pushed a major Windows update to address a security feature bypass already exploited in global ransomware attacks.The operating system update, released...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...