Zane Bond, Senior Director, Product Management at Keeper Security explores…
We all agree that Global Recycling Day is a much-needed moment to celebrate the importance of being a little more environmentally conscious and thinking about what we throw away and what we can reuse. Recycling is an important part of the global economy and does a great job of protecting our natural resources. The “seventh resource” – recyclables – saves over 700 million tons of CO2 emissions every year and this number is projected to increase to 1 billion tons by 2030.
From a technological point of view, reuse is also incredibly important. We recycle hardware and can even recycle hard drive space or data storage, so we share and reuse what we can. It’s a great way to be efficient while also being incredibly cost-effective. But not all recycling is good. A big problem we continue to see in the cybersecurity world is password recycling and reuse.
Password reuse is one of the biggest password mistakes and a major reason companies continue to educate their employees about good password hygiene.
But why do people do this?
One of the main reasons is that the cognitive burden of remembering 300 different passwords is impractical, and not everyone has a vault to generate strong passwords for them. In addition, many people underestimate the dangers of a password breach. As we’ve seen over the past twelve to eighteen months, every industry is a potential target.
We’ve seen breaches everywhere from high street retailers to gas pipelines – cyber threats are ubiquitous, but we still see people not taking them seriously. Another reason is that people often think it’s better to have a password that’s easy to remember than one that’s hard to crack.
Cyber criminals know that password reuse is rampant. So when they get a working account password, they try it on dozens, maybe hundreds, of different websites. Therefore, if one password is compromised, cyber criminals can use it to gain access to every account that shares it.
This is known as credential stuffing. A cybercriminal uses a range of credentials to attempt to gain access to multiple accounts at the same time, and with nearly two-thirds of internet users reusing their passwords, you can see why this is such a devastating attack. Cyber criminals enter the stolen credentials into thousands of websites in minutes to hours, compromising everything from social media accounts to proprietary enterprise software and beyond.
So what can organizations do?
The first thing is to use an enterprise password management (EPM) system that performs device checks before allowing employees to log in. If the device or IP address has not previously been registered with the user’s account, the attempt can be stopped. Additionally, it is important that a modern authentication system prevents enumeration attacks, in which threat actors use automation to “iterate” numeric or alphanumeric sequences to determine whether an account exists.
In addition to device verification, 2-factor authentication (2FA) is a good security measure. Enforcing 2FA before Master Password attempts adds a layer of protection against brute force and credential stuffing attacks on a user’s vault, even if the device verification step passes.
The best EPM platforms can check and report weak and reused passwords. Some even warn when a password is found on the Dark Web so the user can quickly replace it with a new one.
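To make the two defences above concrete, here is an added example (written for this article, not Keeper’s code) that applies the device/IP registration check from the EPM passage and the credential-stuffing signal from the attack description to a constructed set of login events. The event list, the registered-device registry and the thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# (timestamp, username, source IP, device id, password accepted?)
EVENTS = [
    ("2024-03-18T10:00:01", "alice", "203.0.113.5", "dev-a1", True),
    ("2024-03-18T10:00:30", "bob",   "198.51.100.9", "dev-b2", True),
] + [
    # one source trying six different accounts within half a minute
    ("2024-03-18T10:01:%02d" % (5 * i), user, "192.0.2.9", "dev-x", i == 3)
    for i, user in enumerate(["carol", "dave", "erin", "frank", "grace", "heidi"])
]

# Constructed registry of (IP, device) pairs previously approved per user.
REGISTERED = {
    "alice": {("203.0.113.5", "dev-a1")},
    "bob":   {("198.51.100.7", "dev-b1")},
}

def device_check(user, ip, device_id, registry=REGISTERED):
    """True only if this IP/device pair was previously registered for the user."""
    return (ip, device_id) in registry.get(user, set())

def needs_device_verification(events=EVENTS, registry=REGISTERED):
    """Logins whose password was accepted but whose device is unknown: these are
    held for device approval (and 2FA) instead of being waved through."""
    return [(u, ip, d) for _, u, ip, d, ok in events
            if ok and not device_check(u, ip, d, registry)]

def detect_credential_stuffing(events=EVENTS, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try many *distinct* usernames inside one window.
    Stuffing replays stolen username/password pairs across many accounts from a
    few sources, so per-IP user fan-out is the signal, not failures on one account."""
    by_ip = defaultdict(list)
    for ts, user, ip, _, _ in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1          # slide the window forward
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged
```

On the sample data, bob’s valid password from an unregistered device and the one accepted password in the stuffing run are both held for device verification, and the attacking IP is flagged for touching six accounts in one window.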
Finally, continue to educate users about good password hygiene. Make sure everyone in the organization understands the dangers and risks of a password breach and what it could mean not only for them personally but for the organization as a whole.
Source: The dangers of recycling passwords, https://techround.co.uk/news/the-dangers-of-recycling-passwords/