Old and unused passwords are posing a major threat to businesses

(Image credit: reklamlar)

Experts have warned many businesses are safeguarding their cloud applications with passwords that are a year old, if not older, and some even have unused, ancient accounts that are still active, posing a worrying security risk.

In its State of Cloud Security 2024 report, Datadog notes that although it is often stressed businesses should refresh passwords (roughly once in three months is something of an industry-standard these days), it found 62% of Google Cloud service accounts, 60% of AWS IAM accounts, and 46% of Microsoft Entra ID applications, have access keys older than a year.

On average, almost half (46%) of businesses have unmanaged accounts with long-lived credentials.

Major risk

“The findings from the State of Cloud Security 2024 suggest it is unrealistic to expect that long-lived credentials can be securely managed,” said Andrew Krug, Head of Security Advocacy at Datadog. “In addition to long-lived credentials being a major risk, the report found that most cloud security incidents are caused by compromised credentials. To protect themselves, companies need to secure identities with modern authentication mechanisms, leverage short-lived credentials and actively monitor changes to APIs that attackers commonly use.”

Krug argues long-lived cloud credentials, which never expire, are often leaked with source code, container images, build logs, and application artifacts. As such, they grant treat actors easy access to company assets. The problem could be solved relatively easily by pivoting towards biometric authentication, zero-trust architecture, and upgrading the logging and monitoring tools and mechanisms.

Passwords are still the number one authentication method for the majority of businesses around the world, despite it being proven as inadequate time and time again. These days most service providers, including the giants of the industry, are actively promoting passkeys, biometric authentication, and the inclusion of multi-factor authentication (MFA) as means of reinforcing what would otherwise be weak protection.

More from TechRadar Pro

The rise of identity-related cyberattacks: costs, challenges and the role of AI
Here's a list of the best firewalls today
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.