Old and unused passwords are posing a major threat to businesses

Many organizations still have active accounts that haven't been used in ages

News By Sead Fadilpašić published 22 October 2024

Experts have warned many businesses are safeguarding their cloud applications with passwords that are a year old, if not older, and some even have unused, ancient accounts that are still active, posing a worrying security risk.

In its State of Cloud Security 2024 report, Datadog notes that although it is often stressed businesses should refresh passwords (roughly once in three months is something of an industry-standard these days), it found 62% of Google Cloud service accounts, 60% of AWS IAM accounts, and 46% of Microsoft Entra ID applications, have access keys older than a year.

On average, almost half (46%) of businesses have unmanaged accounts with long-lived credentials.

Major risk

“The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed,” said Andrew Krug, Head of Security Advocacy at Datadog. “In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials. To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use.”

Krug argues long-lived cloud credentials, which never expire, are often leaked with source code, container images, build logs, and application artifacts. As such, they grant treat actors easy access to company assets. The problem could be solved relatively easily by pivoting towards biometric authentication, zero-trust architecture, and upgrading the logging and monitoring tools and mechanisms.

Passwords are still the number one authentication method for the majority of businesses around the world, despite it being proven as inadequate time and time again. These days most service providers, including the giants of the industry, are actively promoting passkeys, biometric authentication, and the inclusion of multi-factor authentication (MFA) as means of reinforcing what would otherwise be weak protection.

More from TechRadar Pro

• The rise of identity-related cyberattacks: costs, challenges and the role of AI
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors