What’s Wrong With Password Reuse?


Marketing Manager

Passwords are everywhere in 2020. Passwords are required for almost every online service, most mobile apps, and certainly every application and system trying to protect sensitive data. Phones, computers, smartwatches, and even some household appliances now have passwords. It can be overwhelming.

Stolen or leaked passwords are also, unfortunately, a commodity among hackers and other malicious actors. Lists of stolen username and password pairs from one breach are used as a tool to break into other, unrelated systems, through a technique known as ‘credential stuffing.’

Credential stuffing is the automated replay of username and password pairs that worked (or once worked) on one system against the login pages of other systems, in the hope that the same combination works there too. It is more effective than ever because of the myriad passwords people have to use every day, coupled with the fact that people are generally bad at remembering lots of different passwords. The result is one password, or slight variations of it, reused across multiple systems.

Reusing the same password across multiple systems means that a password leak or breach at just one of them puts all the other accounts at risk. The window of opportunity for an attacker is often widened further, because breaches and data leaks frequently go undetected, or unannounced, for a long time after they happen.

Two-factor authentication, or multi-factor authentication, can prevent account takeover even when the stuffed credentials are correct, because the attacker still lacks the second factor. Systems with CAPTCHA safeguards can also help slow or stop the automated login attempts that credential stuffing relies on. But the best defense against credential stuffing is never to reuse a password: a unique credential for each and every system. According to Google in 2019, 65% of people reuse some or all of their passwords, and only 24% use a password manager.
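The automated attack described in the two paragraphs above leaves a recognisable footprint in authentication logs: one source trying many different usernames in a short time, most of them failing. The following detector is an added example written for this article, not code from the original post or from Registry Partners. The log format, the field names, the sample log lines and the thresholds are all constructed for illustration; real logs will need their own parser and tuning.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example with constructed data. A normal user who mistypes a
password retries the SAME account from one address; a stuffing run
tries MANY DIFFERENT accounts from one address, and most attempts fail.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log. Hypothetical format: "<ISO time> <ip> <user> <OK|FAIL>".
# 203.0.113.7 walks a leaked list (two of the pairs happen to still work);
# 198.51.100.2 is a legitimate user retrying one account.
SAMPLE_LOG = """\
2020-06-01T10:00:01 203.0.113.7 alice@example.com FAIL
2020-06-01T10:00:02 203.0.113.7 bob@example.com FAIL
2020-06-01T10:00:02 203.0.113.7 carol@example.com OK
2020-06-01T10:00:03 203.0.113.7 dave@example.com FAIL
2020-06-01T10:00:03 203.0.113.7 erin@example.com FAIL
2020-06-01T10:00:04 203.0.113.7 frank@example.com FAIL
2020-06-01T10:00:04 203.0.113.7 grace@example.com OK
2020-06-01T10:00:05 203.0.113.7 heidi@example.com FAIL
2020-06-01T10:00:05 203.0.113.7 ivan@example.com FAIL
2020-06-01T10:00:06 203.0.113.7 judy@example.com FAIL
2020-06-01T10:05:00 198.51.100.2 alice@example.com FAIL
2020-06-01T10:05:10 198.51.100.2 alice@example.com FAIL
2020-06-01T10:05:30 198.51.100.2 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


@dataclass
class Event:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse the hypothetical log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append(Event(datetime.fromisoformat(ts), ip, user.lower(), result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=8, max_success_rate=0.5):
    """Return {ip: details} for sources that, within any sliding `window`,
    attempt at least `min_users` DISTINCT accounts with a success rate no
    higher than `max_success_rate`. Thresholds are illustrative: real
    stuffing runs usually succeed on well under 1% of attempts."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        in_window = defaultdict(int)  # user -> attempts currently inside the window
        successes = 0
        start = 0
        for end, e in enumerate(evs):
            in_window[e.user] += 1
            successes += e.ok
            # Slide the left edge forward until the window fits.
            while evs[end].ts - evs[start].ts > window:
                old = evs[start]
                in_window[old.user] -= 1
                if in_window[old.user] == 0:
                    del in_window[old.user]
                successes -= old.ok
                start += 1
            attempts = end - start + 1
            rate = successes / attempts
            if len(in_window) >= min_users and rate <= max_success_rate:
                prev = flagged.get(ip)
                if prev is None or len(in_window) > prev["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(in_window),
                        "attempts": attempts,
                        "success_rate": round(rate, 2),
                        # Accounts the attacker actually got into: reused passwords.
                        "compromised": sorted({x.user for x in evs[start:end + 1] if x.ok}),
                    }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Two caveats for anyone adapting this. First, the `compromised` list is the operationally important output: those are the accounts whose owners reused a password that was already in the attacker's list, and they need a forced reset regardless of how the attacker is blocked. Second, per-IP counting is only a baseline; real stuffing runs are spread across proxy pools so that each address makes a handful of attempts, so the same distinct-user heuristic should also be aggregated per network block, per user agent, or per account over a longer window.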

Password managers such as KeePass, LastPass, 1Password, Dashlane, and others securely store all of a user's passwords behind a single master password, the only one the user has to remember. Almost all of them offer encrypted password storage, truly random generation of long, complex passwords, and more.

Registry Partners sets up a password manager for each and every employee, because it is so critical to keeping accounts secure. The small learning curve of a password manager is time well spent in making sure every account gets its own password, and that each one is random and complex.

Graphic by nadia_bormotova on iStock