
70% Password Reuse: Password Security Needs a Forced Reset

SpyCloud observed a 70% password reuse rate among users exposed in data breaches in 2021 – but what stands out is the password reuse rate for employees of Fortune 1000 companies: 64%.

Most of us are aware that reusing passwords is a bad habit. According to LastPass’ Psychology of Passwords report, 92% of people said they know they shouldn’t do it. And yet, many of us do it anyway. Why? Because it’s easy – and because loose security protocols keep letting us get away with it.

The problem just keeps ballooning. The average person already has between 70 and 100 accounts to manage, and this number grows by 25% each year. That unwieldiness has left credential security in a pitiful state. People often use passwords that are too easy to guess, making them susceptible to brute force or credential stuffing attacks, or they use the same passwords across multiple accounts, or worse – both.

SpyCloud observed a 70% password reuse rate among users exposed in data breaches in 2021. In addition, our research found that 64% of Fortune 1000 employees are reusing passwords across multiple sites. That doesn’t even account for people reusing the same basic word or phrase and simply adding a new character each time they’re asked to do a reset.

Reused Passwords Fuel Cyberattacks

The use of stolen or compromised credentials, otherwise known as Account Takeover (ATO), has emerged as the #1 attack vector leading to breaches over the last several years. In fact, we now have clear evidence of the pivotal role compromised passwords play in ransomware attacks, most notably the Colonial Pipeline attack.

Password reuse presents significant security risks for organizations, especially when employees bring their bad password hygiene to work. Too often, employees reuse corporate credentials as personal logins and vice versa. When third-party sites are subject to data breaches, reused employee logins give criminals easy paths to corporate data. For example, if an employee uses their work email and password to log onto a social media site, a criminal who breaches that site can easily connect the dots to access that employee’s work account and more.

Naturally, there has been a push to resolve password challenges by removing them altogether and going “passwordless,” but passwords are not the problem. When deployed properly as part of an overall strategy, they’re actually quite effective; even more so when bolstered by additional layers of monitoring and authentication, which users seem more willing to embrace. From a user perspective, passwords might be a nuisance, but we’ve grown very comfortable with them as a fact of modern life.

A New Framework for Credential Security

Ideally, you want to be able to test variations of each exposed employee password to see if they’re recycling compromised passwords with common changes. Taking it a step further, users should be given guardrails for password creation such as a custom dictionary of banned passwords. As we now know, a culprit in the SolarWinds attack was the easy-to-guess password “solarwinds123”. Maintaining a repository of banned passwords unique to your organization will prevent employees from making these errors, such as passwords with variations of your company name.
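As an added illustration (not SpyCloud's own code or tooling), the following Python sketches such a check: it normalizes a proposed password the way users typically tweak one at reset time (case, an appended year or digits, leet substitutions), then compares that base against previously exposed passwords and an organization-specific banned list. The exposed passwords and banned words are constructed sample values.

```python
import re

# Constructed sample data for this example (hypothetical, not real breach records):
# words an organization bans outright, and employee passwords already seen in breach data.
ORG_BANNED_WORDS = {"acme", "acmecorp"}
EXPOSED_PASSWORDS = {"Winter2021!", "solarwinds123", "123456"}

# Substitutions users commonly make when forced to "change" a password (0->o, 1->i, ...).
LEET_MAP = str.maketrans("013457@$", "oieastas")


def normalize(password: str) -> str:
    """Reduce a password to the 'base' a user is likely recycling: lowercase,
    drop appended digits/symbols (the classic Winter2021 -> Winter2022 reset),
    drop leading punctuation, then undo common leet substitutions."""
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)  # strip trailing "2021!", "123", "_"
    base = re.sub(r"^[\W_]+", "", base)    # strip leading "!", "#"
    return base.translate(LEET_MAP)


def check_password(candidate: str, exposed: set[str], banned: set[str]) -> list[str]:
    """Return the reasons a proposed password should be rejected; an empty list
    means it passes this layer (length, MFA and other checks happen elsewhere)."""
    reasons = []
    base = normalize(candidate)
    # 1. Exact match against a credential already exposed in a breach.
    if candidate in exposed:
        reasons.append("matches a password exposed in breach data")
    # 2. Common-variation match: same base as an exposed password. Very short
    #    bases (e.g. "123456" normalizes to "") would match everything, so
    #    those only count via the exact match above.
    elif len(base) >= 4 and base in {normalize(p) for p in exposed}:
        reasons.append("is a simple variation of a password exposed in breach data")
    # 3. Organization-specific banned dictionary (company name and the like).
    if any(word in base for word in banned):
        reasons.append("contains a banned organization-specific term")
    return reasons


if __name__ == "__main__":
    for pw in ["W1nter2022!", "Acme#2024", "Tr0ub4dor&3", "correct horse battery"]:
        print(pw, "->", check_password(pw, EXPOSED_PASSWORDS, ORG_BANNED_WORDS) or "ok")
```

In practice the exposed set would be fed per user from a breach-monitoring source and the banned list would include product names and office locations as well as the company name.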

With credentials being at the forefront of employee identity protection, more organizations are finding value in implementing enhanced password and authentication practices. In the 2022 SpyCloud Ransomware Defense Report, we observed a 65% increase in monitoring for compromised employee credentials and a 71% jump in the number of organizations using multi-factor authentication (MFA).

Fortifying users’ logins with MFA has never been more critical. While some users scoff at additional login steps, MFA could allow organizations to have less strict password policies, such as fewer characters or requiring password changes less frequently. However, recent examples of criminals bypassing MFA to wreak havoc on organizations with ransomware and malware show that MFA isn’t foolproof. While it can be effective, MFA should be used as one component of a strong password security framework.

The challenge for even the most advanced organizations is coming to terms with the fact that user awareness, training and education – including scare tactics – do not always translate into action. In this era of relentless attacks, it’s time to take matters into your own hands. Proactive and continuous monitoring for (and swift remediation of) compromised credentials is critical to getting in front of the password reuse problem before it derails your business.

Download the 2022 Annual Identity Exposure Report for additional insights from the analysis of our recaptured data, including more year-over-year password trends.
