The password reuse problem is a ticking time bomb
Despite Bill Gates predicting the demise of passwords back in 2004, they are still very much in use. Passwords, like email, seem future proof; but they are also the source of many cybersecurity problems. Key drivers of these issues are human behavior and the desire for convenience, which results in password reuse across multiple accounts.
The 2018 Global Password Security Report shows a staggering 50 percent of users use the same passwords for their personal and work accounts. A 2019 online security survey by Google identified that 65 percent of people use the same password for multiple or all accounts. These statistics validate the magnitude of the password reuse problem and organizations need to take action to mitigate the accompanying risk.
In the first six months of 2019, data breaches exposed 4.1 billion records and, according to the 2018 Verizon Data Breach Incident Report, compromised passwords are responsible for 81% of hacking-related breaches. The latest data from Akamai states that businesses are losing $4m on average each year due to credential stuffing attacks, which are executed by using leaked and exposed passwords and credentials. Organizations can’t afford to ignore this growing problem and need to take steps to mitigate the risks from poor password hygiene.
Humans are at the center of the password reuse problem
Password reuse is an understandable human behavior, but organizations need to make good password hygiene a priority to ensure that passwords are not a weak link in their security posture. Every user, system, application, service, router, switch, and IP camera should have a unique, strong password.
There are three key steps that organizations should take to strengthen their defenses:
1. Prevent the use of weak, similar or old passwords
Make sure users select strong passwords that are not vulnerable to any dictionary attack. It’s critical that new passwords are significantly different from the last one and that you prohibit too many consecutive identical characters. You should also prevent the reuse of old passwords. Fuzzy-matching is a crucial tool for detecting the use of “bad” password patterns, as it checks for multiple variants of the password (upper-lower-case variants, reversed passwords, etc.)
2. End mandatory password resets: They don’t improve security
Organizations have historically addressed the threat from compromised passwords by enforcing password resets. However, this policy has proven to be ineffective as it does nothing to ensure that the new password is strong and has not already been exposed. It can also drive up operational costs and have a negative impact on employee and user productivity. Microsoft and NIST guidelines advise against this approach.
3. Check credentials continuously
NIST advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis. As the number of compromised credentials expands continuously, checking passwords against a dynamic database rather than a static list is critical. If a compromise is detected, it’s vital to perform a password reset or prompt users to create a new password the next time they login.
Passwords are here to stay and organizations need to rethink their password-hardening strategy as we move into the next decade. They need to stop looking at it as a compliance task and start looking at it as a layer of protection. By adhering to the recommendations outlined above, organizations can reduce the risks from poor password hygiene, including password reuse.