Tue Oct 22 2024

Old and Unused Passwords Pose a Major Threat to Businesses.

Numerous organizations maintain active accounts that have not been used for a long time.

Experts have noted that many companies protect their cloud applications with passwords that are over a year old, and some even keep old and inactive accounts, which poses an alarming security risk. Datadog's 2024 State of Cloud Security report reveals that, despite recommendations that companies rotate their passwords roughly every three months, 62% of Google Cloud service accounts, 60% of AWS IAM accounts, and 46% of Microsoft Entra ID applications were found to have access keys that were over a year old.

On average, nearly half of the companies (46%) have unmanaged accounts that possess long-term credentials.

Significant Risk

According to Andrew Krug, Head of Security Defense at Datadog, "the findings from the 2024 State of Cloud Security suggest that it is unrealistic to expect long-term credentials to be managed securely." Additionally, the report indicates that most cloud security incidents result from compromised credentials. To protect themselves, companies must secure identities using modern authentication mechanisms, leverage short-term credentials, and actively monitor changes in the APIs that attackers commonly exploit.

Krug argues that cloud credentials that never expire often leak alongside source code, container images, build logs, and application artifacts, granting malicious actors easy access to company assets. This issue could be addressed relatively easily through biometric authentication, zero-trust architectures, and stronger logging and monitoring tools.
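As an added example (not from the article or from Datadog), the following Python audit applies the two thresholds the report uses, a roughly 90-day rotation interval and the one-year age it flags, to a constructed sample laid out like an AWS IAM credential report; the column names follow that report's format, and the 90-day dormancy cut-off for unused keys is an assumption.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the column layout of an AWS IAM credential report
# (column names as in that report; all values are made up for this example).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2021-03-01T10:00:00+00:00,false,false,true,2022-06-15T09:30:00+00:00,2024-10-20T08:00:00+00:00
analyst,arn:aws:iam::123456789012:user/analyst,2024-01-10T12:00:00+00:00,true,true,true,2024-08-01T12:00:00+00:00,2024-10-21T07:00:00+00:00
legacy-svc,arn:aws:iam::123456789012:user/legacy-svc,2019-05-05T00:00:00+00:00,false,false,true,2019-05-05T00:00:00+00:00,N/A
"""

ROTATION_MAX_DAYS = 90   # the "roughly every three months" rotation interval from the report
STALE_KEY_DAYS = 365     # the "over a year old" threshold the report flags
UNUSED_DAYS = 90         # assumption: a key not used for this long is treated as dormant


def _parse_ts(value: str):
    """Credential-report timestamps are ISO 8601; 'N/A' / 'no_information' mean unknown."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_access_keys(report_csv: str, now: datetime) -> dict:
    """Return {user: [finding, ...]} for every active access key that breaks a rule."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["access_key_1_active"] != "true":
            continue  # inactive keys are not a live credential; skip them here
        issues = []
        rotated = _parse_ts(row["access_key_1_last_rotated"])
        age_days = (now - rotated).days if rotated else None
        if age_days is not None and age_days > STALE_KEY_DAYS:
            issues.append(f"key age {age_days}d exceeds {STALE_KEY_DAYS}d (over a year old)")
        elif age_days is not None and age_days > ROTATION_MAX_DAYS:
            issues.append(f"key age {age_days}d exceeds {ROTATION_MAX_DAYS}d rotation interval")
        last_used = _parse_ts(row["access_key_1_last_used_date"])
        if last_used is None:
            issues.append("key never used: candidate for deletion")
        elif (now - last_used).days > UNUSED_DAYS:
            issues.append(f"key unused for {(now - last_used).days}d: candidate for deactivation")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_access_keys(SAMPLE_REPORT, _parse_ts("2024-10-22T12:00:00+00:00")).items():
        print(user, *issues, sep="\n  ")
```

The same routine runs unchanged on a real report exported with `aws iam get-credential-report` once the CSV is base64-decoded; the `access_key_2_*` columns can be checked the same way.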

Although passwords have proved inadequate on many occasions, they remain the most widely used authentication method among companies worldwide. Most service providers, including the industry giants, now actively promote access keys, biometric authentication, and multifactor authentication (MFA) as ways to strengthen what would otherwise be weak protection.