Password reuse defeats the purpose of passwords
When a person reuses the same password across multiple accounts, one account’s exposure puts all the others at risk. To prevent this, cybersecurity awareness programs must emphasize the importance of passwords: how to create them, use them, and how to use a password manager.
There are four forms of password reuse and they all are bad
The first and easiest to prevent is the use of the same password on the same account. For example, if my username is michael.schenck, my password is Football123, and the system prompts me to change my password but lets me use Football123 again – then I’m reusing an old password. This is a problem because old password databases may have been stolen and cracked, in which case the Football123 password could be compromised. In this scenario, the credentials (which a hacker now has access to) will still work today. Remember, the internet never forgets.
The most common form of password reuse is the use of the same password and email/account name for multiple sites and services (e.g., using Football123 as the password for your email, Netflix, bank, and personal Microsoft account). If one account is hacked, you must assume all are hacked. This can be especially messy since the average business employee must keep track of 191 passwords and changing all 191 would take several days.
A related form of password reuse blends the last two together – reusing the same password across accounts with different usernames. Most workplace IT configurations won’t let users reuse passwords. However, when an employee changes companies, their former employer’s password history controls no longer apply. This allows older passwords to be used at a new job. This, too, is a bad practice. As the databases of passwords on the dark web and open-source intelligence sources continue to grow, it becomes easier for a hacker to link a password to a person – regardless of the account username or the company they work for.
The last form of password reuse is the use of a common password. Every year numerous publications list the top 10, 20, 100 passwords used in the previous year. For example, in 2020 more than 2.5 million people used the password “123456.” Lists of popular passwords are used by hackers to script – or brute-force – logins to gain access. If you use any of these common passwords, it won’t be long until you get hacked.
How do we stop this?
Thankfully, there are solutions to this problem that also account for our human limitations. Multifactor authentication (MFA), cybersecurity education, password manager programs, proper configuration and enhanced password screening tools all help mitigate the bad habits that plague our digital lives. On their own or in combination, these solutions reduce the attack surface by which our protected information can be accessed by unauthorized users.
Password policy enforcement
Your business’ IT staff can easily enforce protections against password reuse. Through a built-in security solution or add-ons, IT departments can prohibit previously used password history within the same environment. The appropriate add-ons can block the use of common passwords and those leaked on the dark web or an open-source intelligence platform.
Many accounts and sites are allowing integration with third-party authentication platforms. You may already use a third-party authentication platform and not realize it. For example, do you log into LinkedIn through your Gmail account? Similar technology exists for business accounts, allowing you to use the same account for logging into your computer and into Salesforce. Embracing this technology helps you lower the risk of password reuse by limiting the number of accounts needed to get through the day.
One of the easiest ways to handle your 191 or so unique passwords is to eliminate the need to remember them all. A password manager is software or a web service that requires MFA to access and stores your passwords in an encrypted format. It also notes the sites to which the account information corresponds. Many top password managers can also generate unique passwords and automatically change passwords for you.
Training people to create effective and strong passwords that are easy to remember and hard to guess is an essential element of any security awareness program. A trained user is less likely to use old or compromised passwords in the first place.
MFA typically starts with a username and password and imposes the additional requirement of entering a one-time token code (delivered via app or SMS message), or a biometric scan (e.g., of a fingerprint).
MFA enables access that is dependent on a combination of factors that may include something you know (your log-in credentials), something you have (phone, app, smartcard or one-time passcode fob), and something you are (fingerprint, retina, face or iris patterns). Some of these solutions are more secure than others, but all reduce the likelihood of unauthorized access.
Password reuse is a significant cybersecurity problem, but it doesn’t have to be. While we’re limited in our ability to remember passwords and their quantity continues to explode, we can take simple steps to safeguard our privileged information.
Through proper implementation of authentication management solutions, employee training, and effective tools such as MFA and password managers, you can ensure your passwords are not the biggest threat to your security posture. Talk to your IT department and ask what else they can do for password security and management.