Anton Mobley, data scientist at GE Healthcare

Major breaches causing huge financial and brand damage have occurred in recent years. The attackers are varied, including hacktivists, nation‐states, and cyber criminals. The targets and data types breached include Target and Home Depot (personal credit information), Anthem/Wellpoint (personal health information), the US Office of Personnel Management, Booz Allen Hamilton and HBGary (military and intelligence information), and Ashley Madison and Adult Friend Finder (private information). Malware and phishing attacks are typically the focus of cybersecurity professionals, but these breaches pose a secondary risk to enterprises due to credential loss. The credential databases from these breaches often find themselves posted on hacker forums, TOR, and torrents.

Using the 2013 Adobe breach as a case study, enterprise exposure can be modeled as a function of enterprise size and password policy. In October 2013⁴ Adobe announced that hackers had stolen source code for major Adobe products and customer credentials for over 153 million users. The credential database became very easily accessible. Some amount of users in the dataset are likely made up or missing passwords, but the dataset was still one of the largest known credential dumps to date.

The database contained email addresses, encrypted passwords, and a cleartext password hint if the user chose to use one. Note that the passwords were not hashed or salted; they ...