image credit: Unsplash

Is Password Reuse Putting Your Business At Risk?

June 15, 2020


Every day, 99% of professionals choose convenience at the expense of their enterprise security by reusing passwords—either across work accounts or, even more alarmingly, between work and personal accounts.

Taking comfort in password-protected entry points may cause any business to unexpectedly lapse into a security crisis. Industry experts point out that “passwords are now the weakest defense anyone can rely on.” The companies that are currently reliant on password-based authentication controls generally agree with this statement—based on Enterprise Management Associates’ survey:

“90% of respondents have experienced significant password policy violations in [recent years]. The most frequently reported [issue] was that identical passwords are being used to support multiple accounts (39.06%).”

Why aren’t industry players skeptical of reusing passwords when this practice has already compromised 44 million accounts?

Research reveals that employees reuse passwords in order to perform their jobs more efficiently. Their reasoning? Human cognition is part of the problem. When organizational policies require long and complex identification codes, generating easy-to-remember passwords—and frequently reusing them—is the preferred option for improving workplace productivity.

Such efficiency, however, comes at a hefty price.

The Cost of Reused Passwords

81% of breaches are caused by weak, stolen, or reused passwords—and when attackers exfiltrate hundreds of millions of customer records, a company can spend (at least!) $1.4 billion on cleanup costs.

A case in point is the Equifax breach. After hackers reportedly stole the personal information of 147.7 million Americans—nearly half the US population—from Equifax’s servers, the CEO of this credit reporting agency stepped down. It happened three weeks after Equifax publicly disclosed the massive breach. Two years later, the agency was still paying the price of the data breach and spent:

  • $1.38 billion to resolve consumer claims
  • $125 million for cash compensation
  • $1 billion to improve its data security

After a class-action lawsuit revealed that Equifax’s internal standards facilitated the data breach, the agency’s security practices were subject to controversy; and for a good reason. As it turns out, the accounts were protected by the same username and password—the generic ‘admin.’

“We highlighted a security practice which, perhaps, was indicative of the overall data care that led to the breach in the US.”

Alex Holden, Hold Security’s Chief Information Security Officer

A look back at the TurboTax breach strengthens the evidence that password reuse is a serious security vulnerability. In this case, the account hijacks stemmed from credential stuffing—a practice that is only effective if the same password is being used to secure multiple accounts:

“Any clients who reused their usernames and passwords from a previously breached site accidentally handed access to their TurboTax accounts—and therefore, their tax returns and complete identities—to the hackers.”

Every reused password is a lucrative target for hackers. TurboTax may have temporarily disabled the breached accounts, but the damage is difficult to undo as the cost of a breach goes beyond monetary loss. It also affects corporate reputation and leads to customer loss.

Take Charge of Your Company’s Password Hygiene

Organizations are justifiably champing at the bit to avoid reusing passwords; and yet, using unique credentials for each website is just the first step towards bolstering your company’s security practices.

To practice strong security at all times and mitigate risk, it’s important to:

  1. Use Two-Factor Authentication

Turning two-factor authentication (2FA) on for a higher level of enterprise security is strongly recommended by cybersecurity professionals.

In essence, 2FA is a dual-factor authentication process that adds an extra step to your log-in process—and thanks to, it’s remarkably easy to find out which app currently supports 2FA.

Once you set up 2FA on your accounts, you will be required to:

  • Enter your username and a password
  • Provide another piece of information (e.g. a personal identification number, a small hardware token, or an iris scan)

As experts note, this “[makes] it harder for attackers to gain access to a person’s devices or online accounts because knowing the victim’s password alone is not enough to pass the authentication check.”

  1. Give Passphrases a Try

A passphrase—or, to be more precise, a sentence-like string of upper case letters, lower case letters, digits, and punctuation characters—is arguably much stronger than a regular password. Perhaps most importantly, passphrases are:

  • Easier to remember
  • Next to impossible to crack

Make no mistake, though: “an attacker with sufficient privileges can easily fool a system,” experts warn. To swing the outcome, “a good passphrase should have at least 15, preferably 20 characters, and be difficult to guess.”

Avoid Password Reuse to Safeguard Your Business

Passwords aren’t future-proof. Too often, they’re easily crackable—and when they’re being reused across multiple accounts, passwords tremendously increase the risk of intrusion.

However, not all is lost.

Organizations going to great lengths to keep password reuse under control will routinely secure their assets against cyber threats.