infoTECH Feature

April 08, 2015

Want to Buy a Corporate Password? Ask a Current Employee

Passwords these days are a tricky thing. Sometimes passwords just aren't strong enough, and it can be difficult to keep track of all the various passwords used and when these should be changed. But there aren't many out there who'd be willing to sell an email password to a potential bad actor, at least until the issue of work passwords comes up. Then it becomes a different animal, and one that may pose a big problem for companies.

SailPoint recently commissioned a survey which discovered some grave news: one in seven employees in the study would be prepared to sell a corporate password for as little as $150. This wasn't universal, though; back in 2012, some reports suggested that half of U.K. employees surveyed were ready to sell passwords for as little as $7.46 (five pounds sterling), and 30 percent would have offered up a password for just $1.49. Some studies found that, even if there was no cash on hand, some employees would actually give up a password for a candy bar.

Of course, there's some doubt over whether the problem is quite so widespread due to the nature of the testing. The surveys tend to use people who self-select for participation, so it's not exactly representative, according to Christopher Frenz, New York City College of Technology faculty member. Frenz even wondered if the person in question was selling actual passwords in the first place, or just a made-up string of numbers, letters, and characters to get the free candy.

Still, while there's some doubt on the percentages, any number there would likely be too high, and that's got some companies wondering just what to do about the issue of insider attacks. That's where CyberSponse's CEO Joseph Loomis offers a rhetorical question that illustrates the issue well: “How many employees do you know who truly care about the organization where they work?” But that's not the only potential response here; Nok Nok Labs' founder Ramesh Kesanupalli suggests that the issue is even having passwords in the first place as opposed to biometric identification or similar tools.

The idea that disgruntled employees somewhere might use selling a password as a way to get back at a business that mistreated them is reasonable enough. Employees might even believe it'd be impossible to prove that they were even involved; passwords, after all, are hacked every day. Some recommend pointing out that it's not just the business' data at stake here, but things like customer data and even personal payroll data as well. Others suggest that enterprises need to offer more incentives so as to take away the motive for selling a password in the first place.

Regardless, this likely isn't an approach that many companies have considered; the idea that there are several—or even several thousand—keys to the system floating around out there is one that would leave many cold. But revoking those keys can destroy the system's ability to operate, and thus, make money. There are several potential solutions here, though, and putting the right one to work can mean the difference between a safe, operating business and a hacker target.




Edited by Dominick Sorrentino