Authentication

Unused Credentials Found

Risk Level

Informational (4)

Platform(s)

About Unused Credentials

Companies are implementing the zero-trust security model to secure distributed IT architectures. Zero trust assumes that no user or device (inside or outside the organization) is to be trusted. A primary tenet of zero trust is to revoke access privileges when they are no longer required.

“Unused” credentials can be defined as access keys and passwords that haven’t been used in a certain time period. The exact time period may differ based on company policy, but it shouldn’t be greater than 90 days.

Cloud Risk Description

Unused user passwords typically belong to people who are no longer employed by the organization or who no longer require access to a resource. Allowing these passwords to remain in effect enables users to illegitimately access company resources.

In addition to allowing unauthorized access, unused credentials are often at the heart of credential stuffing attacks. In such attacks, cybercriminals use leaked or stolen credentials of one website to log in to other websites. Since it’s common for people to use the same password or variations thereof for multiple accounts and websites, these attacks often succeed. If another company suffers a data breach and the stolen credentials include those of a former or current employee whose access hasn’t been properly deprovisioned, your system can be at risk of being compromised.

How Does Orca Help?

Orca employs multiple methods to identify poor password hygiene, including commonly used passwords, complex passwords that are reused across multiple applications and services, and highly secure passwords that have been leaked. Orca ensures password policy settings in your cloud meet industry guidelines around the use of MFA, minimum password length, use of special characters, password age, password reuse, and more.

Orca looks for unused credentials and will alert on this type of issue as shown in the screenshot above.

Real-World Incidents

Orca

Orca Security, the cloud security innovation leader, provides cloud-wide, workload-deep security and compliance for AWS, Azure, and GCP - without the gaps in coverage, alert fatigue, and operational costs of agents.