
Password reuse might seem like a small problem — a bad end-user habit that can be fixed with the right training. But this small act of convenience can have far-reaching consequences for an organization’s cybersecurity. When an end-user reuses a password across multiple accounts, it creates a golden opportunity for hackers to exploit.
Organizations might have strong password policies in place, but this can create a false sense of security if password reuse is rife. We’ll explore how this risk plays out, why it’s challenging to solve, and what IT teams can do to combat the problem.
How password reuse leads to breaches
Let’s say every end-user within your organization is prompted to create a strong 15-plus character passphrase made up of random words. You even check against a list of the most commonly used passwords. On the face of it, your Active Directory is full of strong passwords. The problems start when an end-user reuses this password on a less secure personal device, website, or application.
A hacker could breach the database of a website with poor security and access the passwords of every user. From there, they can try to find out where individuals are employed and access their work accounts. Attackers could also gain credentials through targeting individuals with social engineering attacks such as phishing.
Armed with the compromised password, hackers use automated tools to systematically try the stolen username and password combination on various websites and applications, including those associated with the target’s place of work. This puts an organization’s email accounts, internal systems, file repositories, or even administrative privileges at risk.
Once inside the organization’s network, the attacker can move laterally, exploring different systems and escalating their privileges. An attacker can access sensitive data, compromise additional accounts, install malware, or launch further attacks within the network. They could exfiltrate sensitive data, manipulate or delete information, disrupt operations, or hold the organization’s data hostage for ransom.
All from a reused password that was considered secure when created.
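The credential-stuffing pattern described above has a recognisable shape in authentication logs: one source address failing logins against many different accounts in a short window, sometimes followed by a success. The detector below is an added example, not code from the article; the log format and `SAMPLE_LOG` lines are constructed, and `find_stuffing_sources` is a hypothetical helper.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical auth-log format (not from the article).
# 203.0.113.5 sprays one stolen password across several accounts; 198.51.100.7 is a
# legitimate user mistyping their own password twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=carol result=FAIL
2024-05-01T10:00:04Z src=203.0.113.5 user=dave result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=erin result=SUCCESS
2024-05-01T10:00:06Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:09Z src=198.51.100.7 user=alice result=FAIL
2024-05-01T10:00:12Z src=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)

def parse(log_text):
    """Yield (timestamp, source_ip, username, result) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=3):
    """Flag source IPs that fail logins for >= min_users distinct accounts inside one
    sliding window. Returns {src: {"distinct_users": n, "later_success": [users]}}.
    A single user retrying their own password never trips the distinct-user threshold."""
    per_src = defaultdict(list)
    for ts, src, user, result in sorted(parse(log_text)):
        per_src[src].append((ts, user, result))
    flagged = {}
    for src, events in per_src.items():
        for i, (start, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            failed_users = {u for _, u, r in in_window if r == "FAIL"}
            if len(failed_users) >= min_users:
                successes = sorted(u for _, u, r in in_window if r == "SUCCESS")
                flagged[src] = {"distinct_users": len(failed_users),
                                "later_success": successes}
                break  # one alert per source is enough
    return flagged
```

A success that follows a burst of distinct-user failures from the same source (here `erin`) is the account to treat as compromised first.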
Why do people reuse passwords?
Password reuse is primarily driven by a desire for convenience rather than a deliberate desire to be reckless. End-users tend to choose passwords that are easy to remember and often recycle them across multiple accounts to avoid the hassle of managing numerous complex passwords.
It’s not surprising when we consider the increased burden on end-users to remember and manage multiple passwords.
People are overwhelmed by the sheer number of accounts and passwords they need to manage, and this fatigue leads to shortcuts such as password reuse.
Even if end-users are made aware of the risks through training, there’s often an attitude of ‘it won’t be me’ that encourages them to prioritize the convenience of reusing passwords. A recent Bitwarden survey revealed that a staggering 84% of people admit to using the same password across multiple accounts.
Changing this behavior requires more than end-user education and security awareness training – they need support from technology.
Solving the password reuse problem
Addressing the problem of password reuse requires a multi-faceted approach that combines end-user education, technical solutions, and organizational policies. It requires a shift in user behavior, improved awareness, and the adoption of secure authentication methods to reduce reliance on passwords.
There is a delicate balance between security and convenience. Organizations need to implement strong security measures to mitigate password reuse, but they must also consider the user experience and avoid creating excessive barriers that hinder productivity or frustrate users.
User education and awareness
Conduct regular cybersecurity training sessions to educate employees about the risks of password reuse and the importance of strong password hygiene. They need to understand that even a password that is strong and unique within your organization can put it at risk once it is reused elsewhere.
Multi-factor authentication (MFA)
Set up MFA as an additional layer of security. By requiring users to provide multiple forms of authentication, such as a password and a unique code sent to their mobile device, it’s much harder for hackers to compromise an account. However, bear in mind that MFA is not infallible and can’t make up for weak passwords.
Password managers
Password managers securely store and generate complex passwords for different accounts, requiring an end-user to only remember one master password. This eliminates the need to remember multiple passwords and reduces the temptation to reuse passwords. Of course, if an end-user reuses their master password, that puts all their accounts at risk.
Continuous compromised password scanning
The best defense against password reuse is to implement a solution that continuously scans your Active Directory passwords against a comprehensive database of compromised passwords. Some solutions only check periodically at reset or expiration events, which can leave significant time windows where end users are working with compromised passwords.
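How such a scan can compare passwords against a breach corpus without handing the full hash to the lookup service, as an added example that is not from the article or any product: it follows the k-anonymity range-query scheme used by the Pwned Passwords service, where only the first five hex characters of the SHA-1 hash are sent and the match is completed locally. `LEAKED` is a constructed stand-in corpus, and `build_range_index`, `range_lookup`, `compromised_count` and `audit` are hypothetical helpers; real deployments work from the NT hashes stored in Active Directory rather than plaintext.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a compromised-password corpus (not a real breach list).
# The last entry is a long random-word passphrase that met the length policy but was
# reused on a poorly secured site and later leaked, exactly the case the article describes.
LEAKED = {
    "Password123": 50000,
    "qwerty123456": 30000,
    "purple-tiger-lamp-river": 1,
}

def build_range_index(leaked):
    """Index the corpus by the first 5 hex chars of SHA-1, as a range-lookup service does."""
    index = defaultdict(list)
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        index[h[:5]].append((h[5:], count))
    return index

def range_lookup(index, prefix):
    """Stand-in for the range query: the caller reveals only the 5-char prefix and gets
    back every (suffix, count) pair sharing it, typically hundreds of unrelated hashes."""
    return index.get(prefix, [])

def compromised_count(password, index):
    """Return how often the password appears in the corpus (0 = not found).
    The full hash never leaves the client; the suffix comparison happens here."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for cand_suffix, count in range_lookup(index, prefix):
        if cand_suffix == suffix:
            return count
    return 0

def meets_length_policy(password, minimum=15):
    return len(password) >= minimum

def audit(passwords, index):
    """Report passwords that satisfy a length-only policy yet are already compromised,
    i.e. the ones a strength check alone would wave through."""
    return {pw: compromised_count(pw, index)
            for pw in passwords
            if meets_length_policy(pw) and compromised_count(pw, index) > 0}
```

Running `audit` on a schedule rather than only at reset or expiration is what closes the window the paragraph above describes.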
source: BC
