Password reuse is a difficult vulnerability for IT teams to get full visibility over. The danger is often hidden until it turns up in the form of hackers using compromised credentials as an initial access vector.
A TechRepublic survey revealed 53% of people admit to reusing passwords, which is great news for hackers – they can steal one password and try their luck with several applications.
Verizon estimates that 86% of attacks start with compromised credentials for initial access. There are a few ways an end-user might give up their credentials to an attacker: falling for a phishing email, logging in via an unsecured network, using a device infected with malware, or simply picking a high-probability password that appears in a password list.
An organization might have some internal protection against these scenarios, but they have no visibility over what someone does outside of the network.
Consider a scenario where a hacker breaches a social media site or online store and steals its database of user credentials. Even if the passwords are hashed, the hacker can use tools to crack them and figure out who they belong to – and where those people work. Other cybercriminals will pay substantial money for that information, as they know there’s a decent chance people reuse their passwords.
This is the chink in the armor of a strong password policy. Even longer, strong passwords can become compromised outside of your organization.
How many people reuse passwords?
It’s hard to tell for certain, but there’s plenty of data. However you look at it, the answer appears to be: a lot.
A Microsoft study found that 44 million Microsoft users were reusing passwords over a 3-month period, while a more recent LastPass survey estimates 62% of knowledge workers reuse the same password or a close variation.
So why do people do it when organizations invest so much in cybersecurity training? The truth is very few people set out to create risk for their employers – it’s simply human nature.
End-users have more passwords to remember than ever before. The average organization uses 130 SaaS apps and that uptake shows no signs of slowing. Bitwarden estimates 68% of internet users must remember over 10 passwords, with 84% of that number admitting to password reuse.
This offers a lot of opportunities for hackers, although the average person tends to assume they’ll never be the one to be hacked.
Responsibility can’t be solely placed on end-users – organizations need to step up and protect themselves.
If you’re interested in a quick Active Directory health check, you can see how many of your end-users are already using one of over 950 million compromised passwords with the free auditing tool, Specops Password Auditor.
Four ways to mitigate the risk of compromised credentials
There is no way to know which users are reusing passwords, but there are ways to reduce the potential impact if a reused password is compromised. We recommend a combination of the following four methods:
1. Multi-factor authentication (MFA)
MFA can definitely help, as it adds another hurdle for attackers to clear after gaining access through a compromised password. However, a determined hacker can find a workaround for any form of authentication. MFA can be vulnerable to prompt bombing attacks, so it’s not a failsafe against reused passwords.
2. Training
Cybersecurity training isn’t new. Organizations have been carrying out security and awareness training for a long time and it clearly hasn’t made a dent in the number of end-users reusing their passwords. There’s still value in raising awareness, but organizations can’t rely on training to permanently change users’ behaviors.
3. Get rid of passwords
Why not ditch the password completely? This might sound like a dream scenario for IT teams, but it’s rarely feasible. For most organizations, removing passwords entirely is a complex task and the best thing to hope for is a reduction in the number of passwords being used and closer attention being paid to privileged accounts.
4. Check for compromised passwords
IT teams can’t control what people do outside work, so it is vital to have a tool for checking whether passwords have become compromised. Azure AD (Entra ID) is a popular option, although it only checks passwords during resets or changes.
This can leave plenty of time for an attacker to act – IBM data puts the average time to discover a breach at 204 days, with a further 73 days to contain it. Organizations with passwords set to never expire in particular need a way to check in real time.
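To make the difference between a reset-time check and an ongoing audit concrete, here is an added example (not Specops code, and not part of the original post). It assumes a breached-password list in the common "SHA1HEX:count" line format and uses SHA-1 purely for illustration; Active Directory itself stores NT hashes, and the sample list and directory snapshot below are constructed for this example.

```python
import hashlib
from typing import Dict, Optional

# Constructed sample of a breached-password list in "SHA1HEX:count" line format.
# The digests are the real SHA-1 hashes of three classic weak passwords;
# the counts are made up for this example.
BREACHED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
7C4A8D09CA3762AF61E59520943DC26494F8941B:24230577
B1B3773A05C0ED0176787A4F1574FF0075F7521E:2333232
"""

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form most public breached-password lists use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def load_breached(text: str) -> Dict[str, int]:
    """Parse 'HASH:count' lines into a lookup table keyed by uppercase hash."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        digest, count = line.split(":", 1)
        table[digest.strip().upper()] = int(count)
    return table

BREACHED = load_breached(BREACHED_LIST)

def check_at_change(password: str) -> Optional[int]:
    """Point-in-time check at set/reset: breach count, or None if not listed.
    This is all a reset-only check ever sees; a password that leaks later is missed."""
    return BREACHED.get(sha1_hex(password))

def audit_existing(stored_hashes: Dict[str, str]) -> Dict[str, int]:
    """Ongoing audit: compare the hashes already stored for each account against
    the current list, catching passwords that were fine when set but leaked since."""
    return {user: BREACHED[h.upper()]
            for user, h in stored_hashes.items() if h.upper() in BREACHED}

# Constructed directory snapshot: account -> stored password hash.
ACCOUNTS = {
    "alice": sha1_hex("Tr0ub4dor&3-corp!"),               # not in the list
    "bob": sha1_hex("password"),                          # reused, known compromised
    "carol": "7C4A8D09CA3762AF61E59520943DC26494F8941B",  # "123456"
}

if __name__ == "__main__":
    print(check_at_change("qwerty"))   # 2333232
    print(audit_existing(ACCOUNTS))    # {'bob': 3861493, 'carol': 24230577}
```

Real lists run to billions of entries, so production checks use a local copy or a hash-prefix (k-anonymity) range query rather than loading the whole list into memory as this example does.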
Automated, ongoing compromised password scans
While password auditing tools can offer a snapshot of your Active Directory, Specops Password Policy with Breached Password Protection offers ongoing protection for your organization against the constant threat of compromised passwords.
It protects your end users against the use of more than 4 billion (and growing) unique known compromised passwords, including data from both known leaks and passwords being used in live password attacks.
Interested to know how Specops Password Policy can fit with your organization and help protect you from password reuse? Get in touch to learn more.
Sponsored and written by Specops Software.