Password Reuse: Understand the Risks of this Practice
Password reuse is one of the main reasons passwords have come to be questioned as an effective way to protect accounts and systems against intrusion.
The practice is extremely risky because it lets a malicious actor reach numerous accounts with a single string of characters, steal confidential and valuable data, and even extort an ordinary user.
The problem can be especially devastating for organizations, which handle a wide variety of information every day and can face legal proceedings if they do not comply with legislation such as the LGPD, which determines how the personal data of their customers, employees, and suppliers must be handled.
Check out some alarming statistics on password reuse:
- According to a survey carried out by Google, at least 65% of people use the same password for different services;
- According to Microsoft, 44 million accounts were found using credentials that had already appeared in leaked datasets, leaving them open to takeover;
- 76% of millennials put their accounts at risk through password reuse, according to Security.org;
- The Verizon Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen or weak passwords, exactly the kind of credential that password reuse turns into a key to many doors.
In this article, we show you what you need to know about password reuse. Our content covers the following topics:
- Why is the Habit of Reusing Passwords so Common?
- Password Reuse: What is the Problem with this Practice?
- What Are the Most Common Types of Password-Related Attacks?
- Three Tips for Having Strong Passwords and Managing Them Securely
- Multifactor Authentication and Two-Step Verification: How Important Are They?
Read it until the end!
Why is the Habit of Reusing Passwords so Common?
Every day, people log in to different websites, services, and social networks that require a password. The main problem is that it is hard to memorize dozens of passwords, especially complex ones, which are exactly the kind that best protect people and organizations.
So it is common for people to use the same password on all of their accounts, or to make small changes to it (a different digit or symbol at the end) and treat the result as a new password.
But don’t worry: in the next topics, we will bring solutions to this problem, such as password managers and multifactor authentication.
Password Reuse: What is the Problem with this Practice?
Password reuse is a risky practice for many reasons. Here are some problems caused by this habit:
Multiple Accounts Can Be Compromised
Reusing passwords means that a malicious actor who breaks into one account can use the same credentials on every other account belonging to that user. And the more widely a password is reused, the greater the chance that it has already been exposed by a breach somewhere.
In 2021, a dataset with records on 533 million Facebook users, roughly 20% of its accounts, was leaked. That particular dataset held phone numbers and profile details rather than passwords, but the lesson is the same for the many breaches that do expose passwords: if your bank password is the one you also use on a social network, it becomes vulnerable the moment that network is breached.
It Puts Corporate Accounts at Risk
When an employee has no real sense of how much an intrusion can harm the company they work for, or of how password reuse is associated with it, the organization is at serious risk.
This is because, in addition to stealing the professional's personal data, malicious actors can log in to the company's accounts with the same credentials, causing great inconvenience and losses and compromising business continuity.
For this reason, we always recommend that organizations promote cyber awareness among their employees and train them to deal with threats. One of the mandatory subjects in this training is precisely the risk involved in password reuse.
Brute Force Attacks Become Easier
Accounts become more vulnerable to brute force attacks and password cracking, because every credential a malicious actor already holds makes the next guess cheaper: instead of trying every possible string, they try passwords that are known to work somewhere.
With more and more people protecting their accounts with weak and repeated passwords, it has become easier to gain access this way.
And with each intrusion, attackers expand their databases: every password recovered from a breach, including the complex ones, goes into the wordlists and mangling rules used in future attacks. A password that was cracked once is therefore a poor choice anywhere, and so is any small variation of it.
The Consequences of Phishing Attacks Are More Severe
Phishing is a means used by attackers to obtain people's data. Generally, it works like this: the attackers send an alert pretending to be a trusted institution and ask for important information, such as credit card details, full name, date of birth, and passwords.
This message can arrive in several ways, including an email in which the user is instructed to visit a fake website and enter the requested information.
The victim may be told to update their data because the account was supposedly accessed through a suspicious login, and follows the instructions because they trust the institution the message claims to come from.
So password reuse aggravates the consequences of a phishing attack: a single password handed over on a fake page exposes every account where it is used, not only the one being imitated.
What Are the Most Common Types of Password-Related Attacks?
Cybercriminals can carry out different types of attacks, taking advantage of the vulnerability generated by password reuse. Here are the most common ones:
Credential Stuffing: Attackers take lists of username and password pairs leaked from previous breaches and replay them, usually with automated tools, against other services until some combination works.
These lists can be purchased on the dark web, and they rarely come from the institution being targeted; the attack works precisely because users reuse the same pair on several services.
Dictionary Attacks: A dictionary attack targets a login with a list of likely passwords, such as words, names, and popular choices like 123456, rather than with pairs known to be valid elsewhere, trying entries until one works.
Password Spraying: Here a single common password is tried against many different accounts, and only then is the next password tried. Because each account sees only one or two failed attempts, per-account lockout rules and simple alerts often do not fire, which is what makes the technique hard to spot.
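As an added example (not code from the original post or from senhasegura), here is the detection logic a defender would run over login records to tell these patterns apart. From the log alone you cannot see which passwords were tried, so the distinction rests on the shape of the failures: many failures against one account (brute force), one source failing against many accounts with one or two tries each (spraying), and many sources each failing against a different account with a single try (stuffing). The log format, the thresholds and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data). Assumed format per line:
# "<ISO-8601 timestamp> <source_ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 alice LOGIN_FAIL
2024-05-01T10:00:03 203.0.113.7 bob LOGIN_FAIL
2024-05-01T10:00:06 203.0.113.7 carol LOGIN_FAIL
2024-05-01T10:00:09 203.0.113.7 dave LOGIN_FAIL
2024-05-01T10:00:12 203.0.113.7 erin LOGIN_FAIL
2024-05-01T10:00:15 203.0.113.7 frank LOGIN_OK
2024-05-01T10:05:00 198.51.100.2 alice LOGIN_FAIL
2024-05-01T10:05:01 198.51.100.3 alice LOGIN_FAIL
2024-05-01T10:05:02 198.51.100.4 alice LOGIN_FAIL
2024-05-01T10:05:03 198.51.100.5 alice LOGIN_FAIL
2024-05-01T10:05:04 198.51.100.6 alice LOGIN_FAIL
2024-05-01T10:05:05 198.51.100.7 alice LOGIN_FAIL
2024-05-01T10:10:00 192.0.2.20 heidi LOGIN_FAIL
2024-05-01T10:10:01 192.0.2.21 ivan LOGIN_FAIL
2024-05-01T10:10:02 192.0.2.22 judy LOGIN_FAIL
2024-05-01T10:10:03 192.0.2.23 mallory LOGIN_OK
2024-05-01T10:10:04 192.0.2.24 oscar LOGIN_FAIL
2024-05-01T10:10:05 192.0.2.25 peggy LOGIN_FAIL
2024-05-01T10:20:00 192.0.2.10 grace LOGIN_FAIL
2024-05-01T10:20:40 192.0.2.10 grace LOGIN_OK
"""

# Thresholds are assumptions; tune them to the real login volume.
WINDOW_MINUTES = 5      # detection window
BRUTE_MIN_FAILS = 5     # failures against one username, from any sources
SPRAY_MIN_USERS = 5     # distinct usernames one source fails against
MAX_TRIES_PER_PAIR = 2  # "low and slow": stays under a typical lockout of 3-5
STUFF_MIN_SOURCES = 5   # distinct sources in a distributed run
STUFF_MIN_USERS = 5


def parse_log(text):
    """Turn the raw lines into (timestamp, ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"))
    return events


def bucket(ts):
    """Floor a timestamp to the start of its fixed detection window."""
    minute = ts.minute - ts.minute % WINDOW_MINUTES
    return ts.replace(minute=minute, second=0, microsecond=0)


def detect(events):
    """Return (window, kind, subject) alerts, ordered by window."""
    windows = defaultdict(list)
    for ts, ip, user, ok in events:
        if not ok:
            windows[bucket(ts)].append((ip, user))
    alerts = []
    for win, fails in sorted(windows.items()):
        per_pair = defaultdict(int)   # (ip, user) -> failures
        per_user = defaultdict(int)   # user -> failures from anywhere
        for ip, user in fails:
            per_pair[(ip, user)] += 1
            per_user[user] += 1
        # Brute force (possibly distributed) against a single account.
        for user, n in per_user.items():
            if n >= BRUTE_MIN_FAILS:
                alerts.append((win.isoformat(), "brute_force", user))
        # Spraying: one source, many accounts, few tries per account.
        users_by_ip = defaultdict(dict)
        for (ip, user), n in per_pair.items():
            users_by_ip[ip][user] = n
        for ip, users in users_by_ip.items():
            if len(users) >= SPRAY_MIN_USERS and max(users.values()) <= MAX_TRIES_PER_PAIR:
                alerts.append((win.isoformat(), "password_spraying", ip))
        # Stuffing: many sources, many accounts, one leaked pair per try.
        ips = {ip for ip, _ in per_pair}
        users = {user for _, user in per_pair}
        if (len(ips) >= STUFF_MIN_SOURCES and len(users) >= STUFF_MIN_USERS
                and max(per_pair.values()) <= MAX_TRIES_PER_PAIR):
            alerts.append((win.isoformat(), "credential_stuffing", f"{len(ips)} sources"))
    return alerts


def suspicious_successes(events, alerts):
    """Accounts that logged in successfully during a spraying or stuffing
    window: a leaked pair worked, so these are the accounts to reset first."""
    flagged = {win for win, kind, _ in alerts
               if kind in ("password_spraying", "credential_stuffing")}
    return {user for ts, _, user, ok in events if ok and bucket(ts).isoformat() in flagged}


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for alert in found:
        print(*alert)
    print("reset:", sorted(suspicious_successes(parse_log(SAMPLE_LOG), found)))
```

The alice burst at 10:05 trips the per-account rule even though every source tried only once, while the spraying burst at 10:00 never gives any single account more than one failure, which is why per-account lockout alone misses it. A success inside a flagged window (frank, mallory) is the signal that a reused password has just been confirmed valid.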
Three Tips for Having Strong Passwords and Managing Them Securely
Now that you know the risks generated by password reuse, let’s share three tips for having strong passwords and managing them securely:
Use a Password Manager
Remembering multiple passwords is a burden for people. For this reason, we recommend using a password manager.
Such a tool generates strong, unique passwords and stores them in an encrypted vault. You create one account and one strong master password, which protects all the others, so that master password must itself be long and must never be reused anywhere else. The manager can be installed on all your devices, giving you access to your passwords wherever you are.
Best of all, with a password manager remembering your password for you, it is no longer necessary to use strings of easy-to-guess numbers or letters, making it harder for cybercriminals to succeed.
If that still does not convince you, consider this: according to a 2015 Dashlane survey, people maintain around 90 online accounts. It is unlikely that anyone uses 90 different email addresses for them.
In practice, each user has between five and ten email addresses, each tied to at least nine accounts. Now imagine the consequences of reusing one password across those accounts: an attacker who learns the email address and password of one of them has a ready-made pair to try on all the others.
Use Suggested Passwords
Many services such as LinkedIn and Google require you to use strong passwords to access your accounts. They determine the number of characters to use and require special characters. Some suggest passwords to the user, as is the case with WordPress. Use these services to your advantage and follow the instructions on those platforms.
Create Unique Passwords
If you do not use a password manager, this tip is essential. Create a unique password for each service instead of reusing one. And make sure the password you choose is in fact unique, not a variant of another: Summer2023 and Summer2024!, or password and P@ssw0rd, are the same password to an attacker, because cracking tools derive exactly these variations from a known base word.
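The following is an added example, not code from the original post or from senhasegura, showing both sides of the "variant" problem: the rule-based mangling attackers apply to every password recovered from a breach (the wordlist growth described in the brute force section above), and the normalization a defender can apply to reject a "new" password that is only a cosmetic change of an old one. The substitution table, the suffix list and the sample passwords are small, constructed assumptions; real rule sets are far larger.

```python
import itertools
import re

# Assumed, deliberately small leet table; hashcat-style rule sets are larger.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
UNLEET = str.maketrans({"@": "a", "3": "e", "1": "i", "0": "o", "$": "s"})
YEARS = ("2023", "2024")  # assumption: the years an attacker would append today
SUFFIXES = ([""] + [str(n) for n in range(100)] + list(YEARS)
            + ["!", "!!", "#", "@"] + [y + "!" for y in YEARS])


def mangle(base):
    """Attacker direction: every candidate the rule set derives from one
    leaked password (case variants, leet substitution, appended digits,
    years and symbols)."""
    stems = {base, base.lower(), base.capitalize(), base.upper()}
    stems |= {s.translate(LEET) for s in list(stems)}
    return {stem + suffix for stem, suffix in itertools.product(stems, SUFFIXES)}


def expand_wordlist(leaked_passwords):
    """What happens to a breach dump: every recovered password becomes a stem
    and the wordlist grows by hundreds of candidates per entry."""
    words = set()
    for pw in leaked_passwords:
        words |= mangle(pw)
    return words


def normalize(pw):
    """Defender direction: reduce a password to the stem an attacker would
    start from, so that all its variants collapse onto the same value."""
    s = pw.lower()
    s = re.sub(r"[\d!@#$%^&*.?]+$", "", s)   # strip appended digits/symbols
    s = re.sub(r"^[\d!@#$%^&*.?]+", "", s)   # and prepended ones
    return s.translate(UNLEET)


def is_variant(new_pw, previous_passwords):
    """True when new_pw is only a cosmetic change of a password already used,
    i.e. one a mangling rule would reach in a single step."""
    return normalize(new_pw) in {normalize(p) for p in previous_passwords}


if __name__ == "__main__":
    # Constructed samples, not real credentials.
    leaked = ["summer", "winter"]
    print(len(expand_wordlist(leaked)), "candidates from", len(leaked), "leaked passwords")
    print("Summer2024! reachable from 'summer':", "Summer2024!" in mangle("summer"))
    print("is P@ssw0rd1 a variant of password?", is_variant("P@ssw0rd1", ["password"]))
```

The normalizer strips the decoration before undoing the leet substitutions; doing it in the other order would turn the 0 in 2023 into an o and leave the year in place. Checking a proposed password with is_variant against the user's previous passwords is a cheap server-side control that a "password changed" policy should include.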
Some extra guidelines when creating a strong and secure password are:
- Prefer long sentences over one or two short words;
- Add numbers and special characters;
- Do not make use of widely known terms;
- Phrases that you say frequently should not be used either;
- Do not use your data that may have been mentioned in CVs, social media profiles, or surveys;
- Never share your passwords;
- Do not write down your passwords on papers that may be visible to others.
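As an added example (not the post's or senhasegura's code), here is what a password manager's generator does and a checker for the guidelines listed above, with an entropy calculation that shows why a long random string or a multi-word passphrase beats a short "clever" one. The common-term list, the 16-word list, the minimum length and the personal-data terms are constructed assumptions; a real passphrase generator draws from a list of thousands of words.

```python
import math
import secrets
import string

# Constructed inputs (assumptions, not data from the post).
COMMON_TERMS = {"123456", "password", "qwerty", "senha", "admin", "iloveyou", "welcome"}
WORDLIST = ["anchor", "basalt", "cobalt", "drizzle", "ember", "falcon", "glacier",
            "harbor", "indigo", "juniper", "kestrel", "lantern", "marble", "nebula",
            "orchid", "pebble"]   # 16 words for illustration only
ALPHABET = string.ascii_letters + string.digits + string.punctuation   # 94 symbols
MIN_LENGTH = 12   # assumed policy


def entropy_bits(choices, length):
    """Bits of entropy for `length` symbols drawn uniformly at random from
    `choices` possibilities; only valid for generated, not chosen, passwords."""
    return length * math.log2(choices)


def check_guidelines(pw, personal_terms=()):
    """Return the guidelines from the post that `pw` violates (empty = ok).
    personal_terms: names, birth years, employer etc. that appear in the
    user's CV or social profiles (assumed to be supplied by the caller)."""
    problems = []
    lowered = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
        problems.append("missing numbers or special characters")
    if any(term in lowered for term in COMMON_TERMS):
        problems.append("contains a widely known term")
    if any(term.lower() in lowered for term in personal_terms):
        problems.append("contains personal data")
    return problems


def random_password(length=20):
    """Password from a cryptographically secure RNG (never `random`),
    regenerated until it satisfies the guidelines above."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_guidelines(pw):
            return pw


def passphrase(words=6, wordlist=WORDLIST):
    """Diceware-style passphrase: its strength comes from the number of words
    and the size of the list, not from digits or symbols."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(random_password(), f"~{entropy_bits(len(ALPHABET), 20):.0f} bits")
    print(passphrase(), f"~{entropy_bits(len(WORDLIST), 6):.0f} bits (list too small!)")
    print("6 words from a 7776-word list:", f"~{entropy_bits(7776, 6):.0f} bits")
    print(check_guidelines("Joao-Silva-1990", personal_terms=["Joao", "1990"]))
```

Twenty random symbols from a 94-character alphabet give about 131 bits; six words from the tiny 16-word list here give only 24, which is why the list size matters as much as the word count (a standard 7776-word list gives about 77 bits for six words). The guideline checker deliberately reports every violation rather than stopping at the first, so the user learns what to change.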
Multifactor Authentication and Two-Step Verification: How Important Are They?
In addition to password reuse, weak, easy-to-guess passwords also undermine security. To counter the vulnerability created by the combination of the two, we recommend adding a second check to the login: two-step verification, two-factor authentication (2FA), or multifactor authentication (MFA).
All of them require the user to pass more than one step to complete authentication and be granted access to a system, so a stolen or reused password alone is not enough to log in.
The terms are often used interchangeably, but they differ. Two-step verification only says that there are two checks in sequence, and both may be of the same kind, such as a password followed by a security question, two things the user knows. Multifactor authentication requires at least two different categories of factor, and 2FA is simply MFA with exactly two of them. The categories are:
- Knowledge factor: Something the user knows, such as passwords and codes;
- Possession factor: Something they have access to, such as a token; and/or
- Inherence factor: Something the user is, such as voice recognition, facial recognition, or fingerprints (biometrics).
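As an added example (not code from the original post or from senhasegura), here is a knowledge-plus-possession login in working form: a salted PBKDF2 password check combined with a time-based one-time code (RFC 6238 TOTP, built on RFC 4226 HOTP) of the kind an authenticator app on the user's phone produces. The in-memory user store, the iteration count and the sample account are assumptions; the TOTP secret used in the demonstration is the published RFC 6238 test key, chosen so the codes can be checked against the RFC's own table.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, code, unix_time, step=30, window=1):
    """Accept the current step and `window` steps either side (clock drift),
    comparing in constant time. A real deployment also remembers the last
    accepted code so it cannot be replayed within the window."""
    counter = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, counter + k), code)
        for k in range(-window, window + 1) if counter + k >= 0
    )


# Minimal in-memory user store for the demonstration (assumed).
USERS = {}
PBKDF2_ROUNDS = 200_000


def register(username, password, totp_secret):
    """Store a salted password hash and the shared TOTP secret (which a
    real service would keep encrypted at rest)."""
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "secret": totp_secret,
    }


def login(username, password, code, unix_time):
    """Knowledge factor (password) AND possession factor (TOTP device) must
    both pass, so a password reused from a breached site fails on its own."""
    user = USERS.get(username)
    if user is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(candidate, user["hash"])
    # Evaluate the second factor even if the password failed, so the two
    # failure modes are not distinguishable by response time.
    code_ok = verify_totp(user["secret"], code, unix_time)
    return password_ok and code_ok


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"   # RFC 6238 test key, not a real secret
    register("alice", "Summer2023", rfc_secret)
    now = 59                                # RFC 6238 test time: code 287082
    print("password + valid code:", login("alice", "Summer2023", totp(rfc_secret, now), now))
    print("stolen password alone:", login("alice", "Summer2023", "000000", now))
```

With the RFC 6238 test key the code at time 59 is 287082 (94287082 with eight digits), which the test table in the RFC confirms. The point for password reuse is the second print: the correct, possibly leaked, password yields nothing without the device-bound code.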
By reading this article, you have understood the problems that password reuse can cause and how to avoid this kind of inconvenience. Share our text with someone else who might be interested in this topic.