A survey by Google found that 65% of people reuse the same password for most of their accounts, and that 30% of those passwords could be cracked within 10 guesses. Most people understand the risks of reusing a password, but they do it anyway to make life easier. Some even write passwords down. Worse still, some do both!
Many data breaches begin with stolen credentials: adversaries take compromised username and password pairs and use automated bots to attempt logins across a wide range of applications and organisations. This attack is known as credential stuffing. Owing to COVID-19, organisations have had to expose more internal corporate resources to remote access than ever before. Corporate email addresses are exposed further when employees use them to register with third-party services such as MyFitnessPal or Instagram. When those sites are breached, the credentials are often stolen and sold on the dark web, and attackers then try them against other websites and corporate infrastructure to gain a foothold and harvest more personal and corporate information. Because credential stuffing replays a known password rather than guessing it, a reused password exposes the organisation to much the same risk whether it is weak or strong.
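The distinguishing shape of credential stuffing in an authentication log is one source trying many different usernames with a low success rate, which is the opposite of a brute-force attack that hammers a single account. The following is an added example of detection logic over a few constructed log lines; it is not Reply's code and not taken from any product. The log format (`timestamp src=… user=… result=OK|FAIL`), the thresholds, the TEST-NET addresses and the example.com accounts are all assumptions made for the illustration.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Credential stuffing replays leaked username/password pairs against many
accounts, so the signal is a single source attempting many DIFFERENT
usernames with mostly failures. Brute force, by contrast, tries many
passwords against one account and is deliberately NOT flagged here.
The log format, thresholds and sample lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed log format (assumption): ISO timestamp, source IP, username, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    users: set = field(default_factory=set)       # distinct usernames tried
    attempts: int = 0
    failures: int = 0
    successes: set = field(default_factory=set)   # usernames that logged in


def parse_line(line):
    """Return a dict of fields for an auth event, or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group attempts, failures and successful accounts by source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip lines that are not auth events
        s = stats[ev["src"]]
        s.users.add(ev["user"])
        s.attempts += 1
        if ev["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(ev["user"])
    return stats


def detect_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Return {source_ip: sorted accounts that succeeded from it} for sources
    whose pattern (many distinct users, mostly failures) looks like stuffing.
    The accounts listed are the ones to force a reset on."""
    flagged = {}
    for src, s in aggregate(lines).items():
        if len(s.users) < min_users:
            continue  # one or few accounts: brute force or a normal user, not stuffing
        if s.failures / s.attempts < min_fail_ratio:
            continue  # mostly successful: looks like legitimate shared egress
        flagged[src] = sorted(s.successes)
    return flagged


# Constructed sample: 203.0.113.7 cycles through a leaked list and hits one
# reused password; 198.51.100.2 is a user with a typo; 192.0.2.9 brute-forces
# a single account and must not be reported as stuffing.
SAMPLE_LOG = """\
2020-05-04T09:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2020-05-04T09:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2020-05-04T09:00:03Z src=203.0.113.7 user=carol@example.com result=OK
2020-05-04T09:00:04Z src=203.0.113.7 user=dave@example.com result=FAIL
2020-05-04T09:00:05Z src=203.0.113.7 user=erin@example.com result=FAIL
2020-05-04T09:00:06Z src=203.0.113.7 user=frank@example.com result=FAIL
2020-05-04T09:00:07Z src=203.0.113.7 user=grace@example.com result=FAIL
2020-05-04T09:00:08Z src=203.0.113.7 user=heidi@example.com result=FAIL
2020-05-04T09:01:00Z src=198.51.100.2 user=alice@example.com result=FAIL
2020-05-04T09:01:05Z src=198.51.100.2 user=alice@example.com result=OK
2020-05-04T09:02:00Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-05-04T09:02:01Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-05-04T09:02:02Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-05-04T09:02:03Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-05-04T09:02:04Z src=192.0.2.9 user=bob@example.com result=FAIL
2020-05-04T09:02:05Z src=192.0.2.9 user=bob@example.com result=FAIL
"""

if __name__ == "__main__":
    for src, compromised in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: credential stuffing; accounts to reset: {compromised}")
```

In production the same logic would run over a sliding time window rather than a whole file, and the source key would often be a combination of IP range, user agent and ASN, since stuffing tools rotate through proxies; the thresholds above are starting points to tune against your own baseline, not fixed values.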
As always with security, defence in layers is key, and most businesses will already have some of these controls in place, though possibly not all. Ensuring an entirely different, complex password is used for each service goes a long way towards protecting personal information and means that a breach at one site cannot simply be replayed against another. Password rotation and preventing users from reusing previous passwords have also traditionally been considered good practice, although current guidance (NIST SP 800-63B) advises against forcing periodic changes unless a compromise is suspected, since forced rotation tends to push users towards predictable variations of the old password. Whilst the above remain useful as part of an overall security pattern, they should no longer be the only measures in place. Reply recommends layering further security measures which provide the necessary protection for organisations without sacrificing ease of use for their employees. These include:
As most companies adjusted overnight to working remotely, more security risks have surfaced. Given the ever-increasing capabilities available to the hacking community, layered and modern security measures are required. Identity theft and fraud are a rising threat to an organisation's access control, so securing user credentials is a vital step in protecting sensitive data. It is unrealistic to expect anyone to remember multiple long and complex passwords, so services such as MFA, SSO and password managers go a long way to reduce both the risk and the frustration, and human awareness remains key to winning the battle.