Oct 11, 2023 — Source: The Hacker News
Passwords are at the core of securing access to an organization's data. However, they also come with security vulnerabilities that stem from their inconvenience. With a growing list of credentials to keep track of, the average end-user can default to shortcuts. Instead of creating a strong and unique password for each account, they resort to easy-to-remember passwords, or use the same password for every account and application.
Password reuse is both common and risky. 65% of users admit to reusing their credentials across multiple sites. Another analysis of identity exposures among employees of Fortune 1000 companies found a 64% password reuse rate for exposed credentials. Pair these findings with the fact that a vast majority (80%) of all data breaches are sourced from lost or stolen passwords, and we have a serious problem. In short, a breached password from one system can be used to compromise another. So, what does this all mean for your organization?
The real risk of password reuse
Password reuse is far more consequential for business accounts than personal accounts. If an employee's reused credentials get compromised, even for a simple productivity tool, a cybercriminal could easily test them against other applications and systems that could grant access to sensitive data such as customer information or company trade secrets. They could also halt operations by deploying ransomware throughout the network — putting even more IT resources at risk.
Unfortunately, many organizations lack a comprehensive system to prevent password reuse, such as blocking the use of weak, breached, or high-probability passwords. Often, action is not taken until it is too late.
Mitigating the security implications of password reuse
End-users are not likely to implement password best practices on their own. For the sake of convenience, they will:
Use common character composition patterns
Reuse the same password across multiple accounts (even across personal and work)
Continue to use compromised passwords unless they are forced to change them
Each of the above puts your organization in a vulnerable position. You must implement security tools and policies that solve the password reuse problem. Unfortunately, the most common solution still leaves us vulnerable.
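As an added illustration (not code from the article or from any vendor it mentions), here is a server-side screening check in Python that enforces the policy called for above: it rejects passwords that follow common composition patterns, passwords present in a breach corpus, and passwords the same user has set before. The breach list, the pattern regexes, the hashing parameters and the sample passwords are all constructed for this example.

```python
import hashlib
import hmac
import os
import re

# Constructed stand-in for a breached-password feed: SHA-1 hashes (uppercase hex)
# of a few passwords known to appear in public dumps. A real deployment would
# query a full corpus, never this hard-coded set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password1!", "Summer2023", "Welcome1")
}

# Common character composition patterns users fall back on (constructed list).
COMMON_PATTERNS = [
    re.compile(r"^[A-Z][a-z]{2,}\d{1,4}[!@#$%^&*]?$"),      # Word + digits + symbol, e.g. "Autumn2023!"
    re.compile(r"^(?:[a-z]+|[A-Z][a-z]+)(?:19|20)\d{2}$"),  # name/word + four-digit year
    re.compile(r"qwerty|asdf|1234|abcd", re.IGNORECASE),    # keyboard walks and sequences
]


def _kdf(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so stored history entries cannot be cheaply cracked."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def add_to_history(history: list, password: str) -> None:
    """Record a newly accepted password as (salt, digest); plaintext is never stored."""
    salt = os.urandom(16)
    history.append((salt, _kdf(password, salt)))


def previously_used(history: list, password: str) -> bool:
    """True if the candidate matches any entry in the user's salted password history."""
    return any(hmac.compare_digest(_kdf(password, salt), digest) for salt, digest in history)


def screen_password(password: str, history: list) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < 12:
        problems.append("too short")
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in breach corpus")
    if any(p.search(password) for p in COMMON_PATTERNS):
        problems.append("matches a common composition pattern")
    if previously_used(history, password):
        problems.append("reused from password history")
    return problems
```

The same screen can run at password-set time and again on a schedule against the breach corpus, so a password that becomes exposed later is forced to change rather than left in service.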
Multi-factor authentication is not enough
Multi-factor authentication (MFA) adds a security layer by requiring users to submit an additional verification method, such as a PIN or a push notification. Because that extra factor is required, it can help keep an account secure even after its password has been compromised.
The problem: MFA is a great way to add a layer of protection for end-users, but there are still many ways attackers can bypass it, especially if they already have the user's password.