Most of us are aware that reusing passwords is a bad habit. According to LastPass’ Psychology of Passwords report, 92% of people said they know they shouldn’t do it. And yet, many of us do it anyway. Why? Because it’s easy – and because loose security protocols keep letting us get away with it.
The problem just keeps ballooning. The average person already has between 70 and 100 accounts to manage, and that number grows by about 25% each year. That unwieldiness has left credential security in a pitiful state. People often use passwords that are too easy to guess, making them susceptible to brute-force or credential stuffing attacks, or they use the same passwords across multiple accounts, or worse – both.
SpyCloud observed a 70% password reuse rate among users exposed in data breaches in 2021. In addition, our research found that 64% of Fortune 1000 employees are reusing passwords across multiple sites. That doesn’t even account for people reusing the same basic word or phrase and simply adding a new character each time they’re asked to do a reset.
Reused Passwords Fuel Cyberattacks
Account Takeover (ATO), the use of stolen or compromised credentials to log in as a legitimate user, has emerged as the #1 attack vector leading to breaches over the last several years. In fact, we now have clear evidence of the pivotal role compromised passwords play in ransomware attacks, most notably the Colonial Pipeline attack.
Password reuse presents significant security risks for organizations, especially when employees bring their bad password hygiene to work. Too often, employees reuse corporate credentials as personal logins and vice versa. When third-party sites are subject to data breaches, reused employee logins give criminals easy paths to corporate data. For example, if an employee uses their work email and password to log onto a social media site, a criminal who breaches that site can easily connect the dots to access that employee’s work account and more.
Naturally, there has been a push to resolve password challenges by removing them altogether and going “passwordless,” but passwords are not the problem. When deployed properly as part of an overall strategy, they’re actually quite effective; even more so when bolstered by additional layers of monitoring and authentication, which users seem more willing to embrace. From a user perspective, passwords might be a nuisance, but we’ve grown very comfortable with them as a fact of modern life.
How do I check if our employees’ reused passwords are already exposed?
Reuse is what turns a single breach into access across many accounts, and our research shows a 70% password reuse rate among users exposed in breaches, with 64% of Fortune 1000 employees reusing passwords across work and personal accounts. Run Check Your Exposure to see which credentials tied to your domain have already been exposed and recaptured from the criminal underground, so you can find the reused passwords that put corporate accounts at risk.
A New Framework for Credential Security
Ideally, you want to be able to test variations of each exposed employee password to catch employees who recycle a compromised password with a common change, such as an appended digit or a swapped character. Taking it a step further, users should be given guardrails for password creation, such as a custom dictionary of banned passwords. As we now know, a culprit in the SolarWinds attack was the easy-to-guess password “solarwinds123”. Maintaining a repository of banned passwords unique to your organization, including variations of your company name, will prevent employees from making these errors.
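The following is an added example, not SpyCloud’s code, of the two checks described above: a password-change hook that rejects a candidate if it is a cosmetic variation of a password already known to be exposed, or if it contains a word from an organization-specific banned dictionary. It reduces every password to a “root” by stripping the trailing digits and symbols users bolt on at reset time and undoing common leet substitutions, then compares roots. The exposed passwords, the company words and the `normalize` heuristics are assumptions constructed for the example; a real deployment would feed it the recaptured credentials for the user in question.

```python
"""
Added example (not SpyCloud's code): reject new passwords that are simple
variations of exposed ones, or that contain organization-specific banned
words. All sample data below is constructed, not real breach records.
"""
import re
from typing import Iterable

# Common leet substitutions that cracking rules undo before comparing.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})

# Up to three trailing tokens of digits or a single symbol, e.g. "2023!" or "123".
_TAIL = re.compile(r"(?:\d{1,4}|[!@#$%^&*.?_-]){0,3}$")


def normalize(password: str) -> str:
    """Reduce a password to the root that survives typical user mutations:
    trailing digits/symbols stripped, lowercased, leet undone.
    "Summer2023!" -> "summer", "P@ssw0rd2024!" -> "password"."""
    base = _TAIL.sub("", password.strip())
    if len(base) < 4:
        # All-digit or very short passwords have no meaningful root;
        # compare them as typed (lowercased) instead of as an empty string.
        return password.strip().lower()
    return base.lower().translate(_LEET)


def is_variation_of_exposed(candidate: str, exposed: Iterable[str]) -> bool:
    """True if the candidate shares a root with any exposed password,
    i.e. it is the same password or a cosmetic recycle of it."""
    root = normalize(candidate)
    return any(normalize(p) == root for p in exposed)


def build_banned_dictionary(company_words: Iterable[str]) -> set[str]:
    """Expand organization-specific words into normalized roots, including
    the compacted form people actually type ("Solar Winds" -> "solarwinds").
    Roots shorter than 4 characters are dropped to avoid over-matching."""
    roots = set()
    for word in company_words:
        roots.add(normalize(word))
        roots.add(normalize(re.sub(r"[\s\-_.]", "", word)))
    return {r for r in roots if len(r) >= 4}


def is_banned(candidate: str, banned_roots: set[str]) -> bool:
    """True if the candidate's root contains a banned root anywhere,
    so "MySolarWinds1!" and "S0larW1nds!" are both rejected."""
    root = normalize(candidate)
    return any(b in root for b in banned_roots)


def check_new_password(candidate: str, exposed: Iterable[str],
                       banned_roots: set[str]) -> list[str]:
    """Return the reasons a candidate must be rejected (empty list = accept)."""
    reasons = []
    if is_variation_of_exposed(candidate, exposed):
        reasons.append("variation of a password already exposed in a breach")
    if is_banned(candidate, banned_roots):
        reasons.append("contains an organization-specific banned word")
    return reasons


# Constructed sample data (assumption): passwords recaptured for one user,
# and words that should never appear in a corporate password.
EXPOSED_FOR_USER = ["Summer2021!", "P@ssw0rd"]
BANNED = build_banned_dictionary(["SolarWinds", "Solar Winds", "Orion"])

if __name__ == "__main__":
    for pw in ["Summer2023!", "P@ssw0rd2024!", "MySolarWinds1!", "Winter2023!"]:
        print(pw, "->", check_new_password(pw, EXPOSED_FOR_USER, BANNED) or ["ok"])
```

The root comparison is deliberately coarse: it catches the “same word, new suffix” pattern that the text describes, which is exactly the pattern cracking rules enumerate first. It does not replace a length requirement or a check against the full breach corpus; it is the variation check layered on top of them.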
With credentials being at the forefront of employee identity protection, more organizations are finding value in implementing enhanced password and authentication practices. In the 2022 SpyCloud Ransomware Defense Report, we observed a 65% increase in monitoring for compromised employee credentials and a 71% jump in the number of organizations using multi-factor authentication (MFA).
Fortifying users’ logins with MFA has never been more critical. While some users scoff at additional login steps, MFA could allow organizations to adopt less strict password policies, such as fewer required characters or less frequent password changes. However, recent examples of criminals bypassing MFA to wreak havoc on organizations with ransomware and malware show that MFA isn’t foolproof. While it can be effective, MFA should be used as one component of a strong password security framework.
The challenge for even the most advanced organizations is coming to terms with the fact that user awareness, training and education – including scare tactics – do not always translate into action. In this era of relentless attacks, it’s time to take matters into your own hands. Proactive and continuous monitoring for (and swift remediation of) compromised credentials is critical to getting in front of the password reuse problem before it derails your business.
A password policy cannot tell you which of your credentials are already exposed. See how SpyCloud continuously recaptures exposed credentials from the criminal underground and matches them to your workforce, so you can reset the reused passwords putting your organization at risk.
FAQs
Because no policy changes human behavior. Employees reuse work passwords on personal accounts that get breached, and they recycle slight variations that attackers’ tools easily guess. It only takes one reused credential to put the whole organization at risk, and a policy cannot tell you which credentials are already exposed. Seeing the exposed credentials tied to your domain is what closes the gap a policy leaves open.
Because it turns one exposed password into a master key. When someone reuses the same password across multiple sites, a single breach hands attackers a credential they can test against every other account, including corporate ones. Our research shows a 70% reuse rate among users exposed in breaches, and 64% of Fortune 1000 employees reuse passwords across work and personal accounts, so a personal breach routinely becomes a workforce problem.
A policy can require complexity or length, but it cannot change human behavior. People reuse passwords across accounts and recycle slight variations that cracking tools handle easily, and most know it is a bad habit yet do it anyway. It only takes one employee’s reused credential to expose the organization, which is why education and policy need to be paired with visibility into which credentials are actually exposed.
Old exposed passwords stay dangerous as long as they, or close variations, are still in use, and reuse keeps them valid across accounts long after the original breach. Run Check Your Exposure to see which credentials tied to your domain have been recaptured from the criminal underground, so you can identify the exposed and reused passwords still in play and reset them.