Let’s Stop Focusing On The Wrong Password Problem
For years, experts have warned about the potentially catastrophic consequences of people establishing and utilizing “weak” passwords when securing access to sensitive systems. “Password,” “ABC123,” “1234567890,” and the like, as well as single words taken from the dictionary, are easily and quickly guessable by both criminals and automated hacking tools. Yet, such passwords proliferated, and created severe weaknesses in systems worldwide.
But, at least in theory, we know how to manage such problems: system managers can establish policies governing the nature of passwords – forcing people to use longer and/or more complex passwords. While doing so certainly increases the risk that people will improperly store such passwords on paper or on electronic devices, there are ways to minimize such risks, and, especially in the case of sensitive systems and data, the pros of strengthening passwords outweigh such cons. Combining strong passwords with multi-factor authentication when security is of paramount importance can also greatly improve defenses.
That said, one major weakness of passwords has remained effectively unaddressed – and its adverse effects are extremely clear from recent events: People reuse passwords, and do not change them on non-compromised systems after the identical passwords are breached elsewhere.
Such poor cyber-hygiene has already produced serious consequences. Accounts have been breached, and both money and sensitive data have been stolen, by criminals who simply feed lists of known compromised username-password combinations from one system to the authentication pages of other systems. (For a free tool to check if any username-password combinations on the system that you manage appear in databases of known breaches, please click here.)
In fact, just last month, within hours of the launch of the Disney+ video streaming service, criminals began selling stolen access credentials on the dark web; as, to date, no evidence has surfaced that Disney+ itself was hacked, it is believed that the pilfered credentials were obtained by criminals simply because they were reused username-password combinations leaked during other breaches.
Password reuse is a problem even on systems that sport multi-factor authentication capabilities. Not all users enable and take advantage of improved security features – and users who inappropriately reuse passwords tend to disproportionately fall into the group of people who do not. Also, compromised passwords can become vehicles for social engineering – criminals impersonating a technical support representative improve their odds of deceiving a would-be-victim if they provide the user with his or her password as “proof” that the call is from a legitimate representative of the firm in question.
There are, of course, situations in which password reuse is acceptable, such as between sites where security is of no concern to you, and you would not mind creating a new account if your account were taken over. Examples include sites that require users to establish “accounts” solely in order to track people for marketing purposes, but which protect no data that the user enters or controls. That said, any password reused across multiple such sites should be treated at all times as if it were compromised, and should NEVER be reused on any site protecting data of value. And, if you are a system administrator who cares about account integrity and accurate tracking, it might still be worth checking user passwords even on such a system against lists of known stolen passwords, and preventing the latter from being used.
In short, if you are not presently checking your system’s username-password combinations against lists of known stolen pairs, you likely suffer from the presence of accounts that are easily compromisable, or already compromised. And, unlike the problem of weak passwords, which has been addressed en masse, the issue of password reuse remains nearly untouched outside of particularly astute environments.
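The check that the article urges, both for the user-facing sign-up page and for the administrator's audit of existing accounts, can be done without ever handing a full password or full hash to the lookup side. The following is an added example (not code from the article or from Specops) of the k-anonymity range-query model popularised by breach-corpus services: only the first five hex characters of the SHA-1 digest leave the client, and the lookup side answers with every matching suffix. The breach corpus here is a constructed stand-in, and the per-account SHA-1 digests in the audit are likewise constructed.

```python
"""Breached-password check and account audit against a breach corpus,
using the k-anonymity range-query model. Corpus is CONSTRUCTED for the demo."""
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: the kinds of passwords the
# article names. A real corpus holds hundreds of millions of entries.
CONSTRUCTED_BREACHED = ["password", "abc123", "1234567890", "qwerty", "letmein"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the format breach corpora are distributed in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Partition the corpus by 5-hex-char prefix; each bucket maps the
    remaining 35-char suffix to how many times it was seen in breaches."""
    index = defaultdict(dict)
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_query(index, prefix):
    """What the lookup side returns for a prefix: every suffix in that
    bucket with its count. It never learns which suffix the caller wanted."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(index, password):
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(index, prefix).get(suffix, 0)


def enforce_policy(index, password):
    """Sign-up / change-password hook: reject any password seen in a breach,
    regardless of how long or complex it looks."""
    return breach_count(index, password) == 0


def audit_hashes(index, account_digests):
    """Administrator audit over already-stored (unsalted SHA-1) digests:
    return the usernames whose password hash appears in the breach corpus."""
    flagged = []
    for username, digest in account_digests.items():
        digest = digest.upper()
        if digest[5:] in range_query(index, digest[:5]):
            flagged.append(username)
    return sorted(flagged)
```

Production password stores should use a salted, slow hash, so in practice the audit runs against the directory's own hash type (the article's Disney+ case is exactly the reused-credential scenario this audit surfaces); the sign-up hook, by contrast, works with any store because it checks the plaintext at the moment the user submits it.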
This article is sponsored by Specops, which offers a FREE password auditor that will warn you if people are re-using on your system any passwords that have been compromised in known breaches. To download the free tool, please visit: https://specopssoft.com/product/specops-password-auditor/