Most of us are aware that reusing passwords is a bad habit. According to LastPass’ Psychology of Passwords report, 91% of people said they know they shouldn’t do it. And yet, many of us do it anyway. Why? Because it’s easy – and because loose security protocols keep letting us get away with it.
The problem just keeps ballooning. The average person already has between 70 and 100 accounts to manage, and this number grows by 25% each year. That unwieldiness has left credential security in a pitiful state. People often use passwords that are too easy to guess, making them susceptible to brute force or credential stuffing attacks, or they use the same passwords across multiple accounts, or worse – both.
SpyCloud observed a 60% password reuse rate among users exposed in data breaches in 2020. In addition, our research found that over 76% of Fortune 1000 and FTSE 100 employees are reusing passwords across work and personal accounts. That doesn’t even account for people reusing the same basic word or phrase and simply adding a new character each time they’re asked to do a reset.
Reused Passwords Fuel Cyberattacks
The use of stolen or compromised credentials to hijack accounts, otherwise known as Account Takeover (ATO), has emerged as the #1 attack vector leading to breaches over the last several years. In fact, we now have clear evidence of the pivotal role compromised passwords played in the recent spate of ransomware attacks, most notably the Colonial Pipeline attack.
Password reuse presents significant security risks for organizations, especially when employees bring their bad password hygiene to work. Too often, employees reuse corporate credentials as personal logins and vice versa. When third-party sites are subject to data breaches, reused employee logins give criminals easy paths to corporate data. For example, if an employee uses their work email and password to log onto a social media site, a criminal who breaches that site can easily connect the dots to access that employee’s work account and more.
Naturally, some in the security industry have denounced passwords as weak and ineffective, but passwords themselves are not the problem. When deployed properly as part of an overall strategy, they’re actually quite effective; even more so when bolstered by additional layers of monitoring and authentication, which users seem more willing to embrace. From a user perspective, passwords might be a nuisance, but we’ve grown very comfortable with them as a fact of modern life.
A New Framework for Credential Security
Ideally, you want to be able to test variations of each exposed employee password to see if they’re recycling compromised passwords with common changes. Taking it a step further, users should be given guardrails for password creation, such as a custom dictionary of banned passwords. As we now know, a culprit in the 2020 SolarWinds attack was the easy-to-guess password “solarwinds123”. Maintaining a repository of banned passwords unique to your organization will prevent employees from making these errors, such as choosing passwords that are variations of your company name.
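The check described above, as an added example that is not SpyCloud's code: a password-acceptance function that canonicalizes a candidate (lower-cases it, strips the trailing digits and symbols people append on each reset, undoes simple leet substitutions) and rejects it if the core matches a previously exposed password for that user or contains an organization-specific banned term. The exposed passwords and the banned term "acme" are constructed placeholders.

```python
import re
from typing import Optional, Set

# Common character swaps people use when "changing" a password (constructed list).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def canonicalize(password: str) -> str:
    """Reduce a password to the core word a user is likely recycling.

    "Summer2021!" -> "summer", "S0larW1nds2021" -> "solarwinds".
    Heuristic only: it deliberately over-matches rather than under-matches.
    """
    core = password.lower()
    core = re.sub(r"[^a-z0-9]+$", "", core)   # drop trailing symbols ("!", "#")
    core = re.sub(r"[0-9]+$", "", core)       # drop trailing digits ("2021", "123")
    core = core.translate(LEET)               # p@ssw0rd -> password
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    # An all-digit password canonicalizes to nothing; keep it as-is so exact
    # comparison still works instead of matching every other digit-only string.
    return core or password.lower()


def reject_reason(candidate: str, exposed_for_user: Set[str], org_banned: Set[str]) -> Optional[str]:
    """Return why a new password must be rejected, or None if it passes.

    exposed_for_user: passwords previously seen for this user in breach data.
    org_banned: organization-specific banned terms (company name, products).
    """
    if candidate in exposed_for_user:
        return "exact match to an exposed password"
    core = canonicalize(candidate)
    if core in {canonicalize(p) for p in exposed_for_user}:
        return "trivial variation of an exposed password"
    for term in sorted(org_banned):
        if canonicalize(term) in core:
            return f"contains banned organization term '{term}'"
    return None


# Constructed sample data: breach-exposed passwords for one user, plus the org dictionary.
EXPOSED_JDOE = {"Welcome1", "P@ssw0rd"}
ORG_BANNED = {"acme"}

if __name__ == "__main__":
    for pw in ["Welcome2", "P@ssw0rd", "Acme!Rocks99", "correct horse battery staple"]:
        print(f"{pw!r}: {reject_reason(pw, EXPOSED_JDOE, ORG_BANNED) or 'accepted'}")
```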
Additionally, fortifying users’ logins with multi-factor authentication (MFA) has never been more critical. Colonial Pipeline’s CEO admitted that the VPN system used to infiltrate the company’s network did not have MFA in place. While some users chafe at additional login steps, MFA could allow organizations to adopt less strict password policies, such as requiring fewer characters or less frequent password changes.
The challenge for even the most advanced organizations is coming to terms with the fact that user awareness, training and education – including scare tactics – do not always translate into action. In this era of relentless attacks, it’s time to take matters into your own hands. Proactive and continuous monitoring for (and swift remediation of) compromised credentials is critical to getting in front of the password reuse problem before it derails your business.