2025-08-05, Tuscany
If a user account falls down in a forest, and it isn’t managed by the organization’s identity security policy, is its password still secure?
While there is ample discussion and research on organizational security policies and password governance of corporate accounts, the emergence of the ‘SaaS economy’ has led to a rise in non-corporate and non-SSO identities that are not covered by corporate IdPs.
These identities are often hidden from organizational security systems, and fall outside of the purview of organizational password policies and identity security posture. As a consequence, they are left exposed to attack and easy exploitation, even though they are often used for work activity and handle sensitive corporate information.
This talk will dive into the world of ‘hidden’ identities of non-corporate and non-SSO identities and analyze the implications with regard to password security and exploitation. We’ll define these identities, quantify them, and dive into specific risks such as password strength, password re-use, and password sharing, and offer methods and best practices on how to secure them.
This talk is based on research conducted by LayerX Security on its customer base, analyzing the identity and password security practices of end users for both corporate and non-corporate accounts.
Some of the parameters for which we have metrics include:
• Password strength (for both corporate and non-corporate accounts)
• Usage patterns (of corporate vs. non-corporate account activity on SaaS apps)
• Details of password re-use and cross-account password sharing
• Account sharing between users
• Usage patterns of SSO on corporate accounts (and SaaS applications)
• Analysis of user password exposure based on public data breach databases
• And more
Some key highlights from the research:
• Corporate Passwords are Just as Weak as Personal Passwords: Over 54% of corporate passwords are classified as medium strength or below, meaning modern password-cracking tools and hardware could easily break them. This is remarkably close to the percentage of risky non-corporate passwords, where 58% of personal passwords were medium-strength or below.
• Enterprises Are Blind to Most Identity Usage: Over 40% of SaaS applications in organizational networks are accessed via personal credentials. Moreover, over two-thirds of corporate login events are done without SSO. Together, they account for over 80% of SaaS activity on corporate networks and endpoints. This means security and IT teams are blind to usage of these accounts, and have little-to-no visibility and control over their activities, security controls (such as password security policies) or where they are used.
• Just 2% of Users Are Organizations’ Biggest Security Risk: These are users who have a history of exposure that includes exposed passwords, do not use SSO-backed passwords, and have weak passwords that can be easily cracked. If cybersecurity is all about risk management, these users are the biggest risk you should worry about.
• Browser Extensions are a Significant Threat to Users’ Identity: 66.6% of extensions have ‘high’- or ‘critical’-level permissions, and 40% of users have such extensions installed. 13% of extensions have access to users’ cookies, meaning they could potentially use those cookies and access tokens to steal corporate identities.
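The risk cohort described in the third highlight (breach-exposed passwords, no SSO, weak passwords) and the re-use and sharing metrics listed earlier can be computed from an inventory of identities without ever storing plaintext. The following is an added illustration, not code from the talk or from LayerX: the strength heuristic, the HMAC-based password fingerprinting, the `build_sample` data and the `audit` output fields are all assumptions made for this example, and the constructed breach set stands in for a lookup against public breach databases.

```python
import hmac
import hashlib
import re
from collections import defaultdict

# Hypothetical short deny-list of common passwords (an assumption for this
# example; a real audit would use a full breach-derived list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def strength_class(password):
    """Coarse strength bucket. This heuristic is an assumption for the
    example, not the classifier behind the talk's figures."""
    if password.lower() in COMMON_PASSWORDS or len(password) < 8:
        return "weak"
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if len(password) >= 14 and classes >= 3:
        return "strong"
    return "medium"


def fingerprint(password, org_key):
    """Keyed hash so re-use can be detected without retaining plaintext and
    without the fingerprints being useful to anyone who lacks org_key."""
    return hmac.new(org_key, password.encode(), hashlib.sha256).hexdigest()


def build_sample(org_key=b"constructed-audit-key"):
    """Constructed sample data: three users with corporate and personal
    accounts. Plaintext appears here only to build the sample; the audit
    itself only ever sees fingerprints and strength buckets."""
    raw = [
        # user,   app,          corporate, sso,   password
        ("alice", "salesforce", True,      True,  "C0rrect-Horse-Battery!"),
        ("alice", "trello",     False,     False, "alice2024"),
        ("alice", "notion",     False,     False, "alice2024"),   # same-user re-use
        ("bob",   "jira",       True,      False, "Summer2024"),
        ("bob",   "github",     False,     False, "password"),    # in breach data
        ("carol", "slack",      True,      True,  "Summer2024"),  # shared with bob
        ("carol", "zoom",       True,      False, "qwerty"),
    ]
    accounts = [
        {"user": u, "app": app, "corporate": corp, "sso": sso,
         "fp": fingerprint(pw, org_key), "strength": strength_class(pw)}
        for u, app, corp, sso, pw in raw
    ]
    # Constructed stand-in for fingerprints matched against public breach dumps.
    breached = {fingerprint("password", org_key)}
    return accounts, breached


def audit(accounts, breached):
    """Compute the posture metrics the talk reports, over fingerprints only."""
    by_fp = defaultdict(list)
    per_user = defaultdict(list)
    for a in accounts:
        by_fp[a["fp"]].append(a)
        per_user[a["user"]].append(a)
    # Same fingerprint on more than one account = re-use; across users = sharing.
    reused = {fp for fp, accs in by_fp.items() if len(accs) > 1}
    cross_user = {fp for fp in reused
                  if len({a["user"] for a in by_fp[fp]}) > 1}
    corporate = [a for a in accounts if a["corporate"]]
    personal = [a for a in accounts if not a["corporate"]]
    # The talk's highest-risk cohort: breach-exposed AND non-SSO AND weak.
    high_risk = sorted(
        u for u, accs in per_user.items()
        if any(a["fp"] in breached for a in accs)
        and any(not a["sso"] for a in accs)
        and any(a["strength"] == "weak" for a in accs)
    )
    return {
        "accounts": len(accounts),
        "personal_share": round(len(personal) / len(accounts), 3),
        "corporate_non_sso_share": round(
            sum(not a["sso"] for a in corporate) / len(corporate), 3),
        "reused_passwords": len(reused),
        "cross_user_shared": len(cross_user),
        "weak_accounts": sum(a["strength"] == "weak" for a in accounts),
        "high_risk_users": high_risk,
    }


if __name__ == "__main__":
    accs, breach = build_sample()
    for key, value in audit(accs, breach).items():
        print(f"{key}: {value}")
```

On the constructed sample this flags `bob` alone as high-risk, reports one password shared across two users and one re-used within a single user's accounts, and shows half of corporate logins bypassing SSO. The keyed fingerprint is the design point worth keeping: it lets a security team measure re-use and breach exposure across corporate and personal accounts while the plaintext never leaves the collection point, and the HMAC key can be rotated or destroyed to retire the dataset.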
In this talk, we’ll cover the research in detail to provide a strong empirical foundation and then use it to identify key password risks in the new ‘SaaS’ economy and offer actionable best practices and guidelines to address these gaps.
Or Eshed is co-founder and CEO of LayerX Security. Or has over 15 years of cybersecurity experience as an ML developer, security and intelligence researcher, and cybersecurity analyst. Prior to founding LayerX, Or worked as a cyber threat intelligence analyst at Check Point, Otorio, and ABN AMRO Bank. His work has led to the arrest of at least 15 threat actors and the exposure of the largest browser hijacking operation in history, with over 50M browsers compromised. He has also written and spoken extensively on cybersecurity topics. In addition, Or holds an MSc in Applied Economics from the Hebrew University of Jerusalem.