Every day, malicious cyber-actors compromise websites and post lists of usernames, email addresses and passwords online. While this can be embarrassing, such as when thousands of email addresses and passwords were exposed during the recent Ashley Madison breach, it also leaves users open to follow-on potential attacks due to password reuse.
Password reuse occurs when someone reuses the same password on multiple websites or accounts. This is a vulnerability when the password is exposed in coordination with other information that identifies who is using the password, such as first and last names, login names, or email addresses.
How Password Reuse Is a Threat
Password reuse is a threat because malicious actors can take advantage of a reused password, if there is other associated information that identifies you. This typically occurs through one of two potential scenarios.
In the first scenario, the malicious actors can search for other accounts you use and try to login with the same password. In some cases, the actors might try to find personal accounts, such as Facebook, or banking websites. If they can identify those accounts, and you reuse your password, they can login as you. In other instances, the malicious actors may try to determine where you are employed and attempt to use for remote access, such as through a remote email or timecard access.
A second scenario involving a malicious website is less common; however, still poses a threat. In this scenario, the malicious cyber-actor sets up a website that spoofs a legitimate website, which requests that you enter an email address, password, and potentially other information to gain access. Once you have done that, they know who you are and can search for your other accounts where you used the same password.
Avoid Password Reuse
Avoiding password reuse can be challenging because of the number of websites and accounts that require passwords, some of which require updating your password every 30 to 90 days.
There are two ways to avoid password reuse and to ensure any password meets the recommended password complexity requirements.
The first technique is to use a password manager to remember each unique password.
Password managers are applications that can be stored on a computer, smartphone, or in the cloud, and can securely track passwords and where they are used. Most password managers can also generate complex random passwords for each account, if you choose to do so. As long as the password to access the password manager is sufficiently complex, this technique can be effective. However, if the company running the password manager is compromised (which can happen), it is possible that all your passwords will also be compromised. If you choose a password manager that is local to your computer or smartphone, that information may be compromised if malware gets on your computer or you lose your smartphone. When choosing a password manger, ensure it is from a known trustworthy company.
Create a ‘Strong’ Password
The second technique is to choose a repeatable pattern for your password, such as choosing a sentence that incorporates something unique about the website or account, and then using the first letter of each word as your password.
For example, the sentence: “This is my September password for the Center for Internet Security website.” would become “TimSp4tCfISw.” Since a strong password is complex and includes at least 10 characters that include upper and lower case letters, numbers and a symbol, this password keeps the capitalization within the sentence, translates the word “for” to the number “4” and adds the period to include a symbol in the password. The vulnerability in this technique is that if multiple passwords from the same user are exposed, it may reveal the pattern.
Regardless of how a unique password is chosen, it is critical that every password is unique. Some companies, such as Facebook, have begun programs to identify password reuse.
Details on choosing a strong, complex password are available in the MS-ISAC Security Primer available at: http://msisac.cisecurity.org/documents/SecuringLoginCredentials.cfm.
- Passwords should have at least ten characters and include uppercase and lowercase letters, numbers, and symbols. Many companies recommend 14 characters.
- Use different passwords for each account you access.
- Do not use words and proper names in passwords, regardless of language, or personal information, such as your name, a family member or pet’s name, an account or social security number, etc.
- Change passwords regularly – at least every 60 days; if you believe your account has been compromised, change passwords immediately. Do not reuse old passwords.
- Do not allow a browser’s password manager to store your passwords; some browsers store and display passwords in clear text and do not implement password protection by default.
- Do not allow websites to automatically log in to an account; many services store this information locally and it can be exploited by attackers to gain access to accounts without a password.
- Do not share your password with anyone and do not respond to emails or phone calls asking for your login credentials. Legitimate businesses will never ask for your login credentials via these methods.
- Always use different passwords for work and personal use. Do not use your work email when signing up for and accessing personal websites.
- Use multi-factor authentication consisting of something you know (password) and something you have (mobile phone, physical key, etc.), if it is offered.