The news has been rife with incidents of password reuse being exploited by the bad guys. Just as recently as a few weeks ago, hackers obtained usernames and passwords leaked from other websites to access the accounts of GoToMyPC, Carbonite, and GitHub users (the list goes on). Even Facebook’s Chief Executive Officer was not immune and was the victim of a password reuse attack when his social media accounts were hacked. It’s little wonder that passwords are often considered the “weakest link” in the cyber security ecosystem.
Many times, threat actors gain access to these stolen credentials from , such as the large cache – 117 million – of LinkedIn usernames and passwords that were dumped online earlier in June. Since then, the LinkedIn breach has been blamed for several secondary breaches.
The growth of the Internet, social media, and eCommerce means that an individual could easily have five to seven online accounts, not including those used for business. Having to remember credentials to this many accounts makes it easy to see why it’s estimated that 50 percent of users use the same usernames and password across multiple sites. However, with stolen credentials being the number one attack vector for web applications in the past two years, individuals and businesses need to understand how password reuse has become an increasingly dangerous habit that they must break, inside and outside the office.
Stolen credentials easily available via data dumps allow hackers to do little work to get the information they need. Once a hacker successfully obtains a password, they can use it against any online account the user may have. In some instances, hackers can simply write a program that searches online to find the information they need to log into a user’s account. Often times, users are unknowingly facilitating this process by consistently using the same login name and password, as well as the same security questions and answers.
This is not to say hackers aren’t using other tools such as keyloggers or remote access Trojans (RAT) to gain illicit entry into accounts. Rather, they are jumping at the chance to leverage the path of least resistance, knowing that most users do not put much thought into their security preparations. According to one security vendor, “123456” and “12345” are among the most common passwords still be using around the world. These findings have been corroborated by other security companies’ findings as well. In fact, password reuse and simple passwords have become so widely used that Microsoft banned the use of common passwords that have appeared on breach lists. This change will apply to all Microsoft and Azure services (e.g., Xbox, Outlook) over the next few months.
Password reuse is not new and is an issue that security practitioners have been warning about for several years. But the reality is that people are going to generally favor convenience over security. Knowing this, there are several approaches that can help reduce the threats from data breaches that expose user credentials.
- Password Variety: As more and more massive breaches come to light, the importance of having a variety of complex and unique passwords for various online accounts is extremely important. However, password strength is just one step toward making hacker’s jobs harder. If you reuse that password for multiple accounts, it just takes one time for that password to be compromised to nullify the unique naming convention. That is why using multiple passwords is essential. The difficulty in remembering all of those passwords can be helped by use of a password manager, which come in either online or offline versions. Online versions are designed to automatically synchronize your passwords across different devices, where offline versions don’t offer that capability.
- Frequent Password Changing: People generally do not change their passwords unless a specific application requires them to do so or there has been a security breach. Individuals may be more amenable to changing their passwords if they become more disciplined and set a specific time period for doing so, such as on a quarterly basis. This will help make password management a regular practice in a user’s routine.
- Passphrases: Instead of using words, passphrases that incorporate capital/lower case alpha-numeric and special characters will help mitigate the threat of dictionary cracking programs. The longer the phrase, the more difficult a brute force password cracker will have at finding the password (ex: “I love the Yankees” can translate into “1 L0v3 Th3 [email protected]$.”).
- Password Padding: The practice of making your password longer, and therefore harder to breach, by adding extra characters to the beginning or end (or both!) of your password. Learn more about password padding.
- Multi-Factor Authentication (MFA): Regardless of the strength of your password, make your accounts more secure by adding extra layers of defense – MFA. MFA is a method of confirming a user’s identity by utilizing a combination of two or more different components, such as what a user knows (e.g., a password), something a user has (e.g., a token that is texted, e-mailed, or called to you), and something they are (e.g., fingerprint or other biometrics). If an authentication attempt is made with only one of these components, the identity is not properly established and access to the asset will not be authorized.
As massive data breaches lead to more credential compromises, Internet users need to become more security conscious, particularly with the abundance of security programs and guidelines that can now be leveraged. While we cannot stop hostile actors from trying to compromise our accounts and information, we can certainly make it more difficult for them to do so. Security is everyone’s responsibility. We must encourage users to break bad habits and stop reusing passwords as a first line of defense. We must not allow cyberspace to remain “the digital wild west,” or enable criminals to operate as if it is.
LookingGlass threat intelligence services and machine-readable threat intelligence (MRTI) can help discover and address security gaps around compromised credentials that you may or may not know is freely available for sale on the Internet.