Just in February 2019, TurboTax maker Intuit locked several users out of their accounts after discovering that an undisclosed number of accounts were hacked. The method used was a credential stuffing attack, which exploited users who had reused a password on multiple accounts.
Instances like these are very common. Data breaches happen every day – it might be happening this very instant.
Why is password reuse a risky business for enterprise owners?
Without exaggeration: the password habits of your customers and employees can decide whether a breach somewhere else on the internet turns into a breach of your business.
Passwords are the first (and in many cases, the only) defense that businesses rely on to keep attackers out.
Herein lies the problem: as employees or business owners, we bring our bad password habits to work. When a password from some unrelated consumer site leaks in a breach, attackers try it, and simple variations of it, against corporate logins such as VPNs, webmail and cloud consoles. If it was reused, they are in.
That is what happened to Dropbox after the 2012 LinkedIn breach. A Dropbox employee had reused their LinkedIn password on a corporate account; the attackers used it to get into Dropbox's internal systems and walked away with the records (email addresses and hashed passwords) of more than 68 million Dropbox users, a theft that only became public in 2016. One reused password was all it took.
The consequences of such a breach? Incident-response and remediation costs, regulatory exposure, customer churn and lasting damage to the brand's reputation, to name a few.
When it comes to using recycled passwords and how it threatens your enterprise, here are the most important takeaways:
When a customer reuses a password that has already leaked elsewhere: attackers replay it against your login page (this is credential stuffing, the technique behind the Intuit incident) and walk straight into the account on your service.
When employees reuse the same password for business and personal accounts: a breach at an unrelated consumer site hands attackers a working credential for your business network, as in the Dropbox case.
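The server-side counterpart to the first takeaway is to screen every new password against known breach corpora before accepting it, which is what NIST SP 800-63B (section 5.1.1.2) asks verifiers to do. The following is an added example, not code from the original article: it implements the k-anonymity range lookup used by the Have I Been Pwned "Pwned Passwords" API, where only the first five hex characters of the password's SHA-1 leave your network and the rest of the comparison happens locally. The `SAMPLE_RANGES` response body and its counts are constructed for the demo (only the suffix of SHA-1("password") is real); `fetch_range_live` is the assumed online fetcher and is not called by default so the block runs offline.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the body the range endpoint returns for prefix
# 5BAA6. Each line is "<remaining 35 hex chars of the SHA-1>:<count>".
# The second suffix is SHA-1("password") minus its first five hex digits;
# the other suffixes and every count are made up for this demo.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
    ),
}


def sha1_split(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the upper-case hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padded entries carry count 0."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher backed by the constructed sample above."""
    return SAMPLE_RANGES.get(prefix, "")


def fetch_range_live(prefix: str) -> str:
    """Assumed online fetcher. Add-Padding makes every response a similar size
    so an observer cannot infer the prefix's popularity from the length."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-screen-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    Only the 5-character prefix is sent; the suffix match is done here."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def accept_new_password(password: str, fetch_range=fetch_range_offline) -> tuple:
    """Policy hook for a set-password handler: reject short or breached values."""
    if len(password) < 8:
        return False, "too short"
    seen = breach_count(password, fetch_range)
    if seen:
        return False, f"seen {seen} times in known breaches; pick another"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3-unique-2019"):
        print(candidate, "->", accept_new_password(candidate))
```

Swap `fetch_range_live` in for the default fetcher to query the real service; the rest of the logic is unchanged. The check belongs at registration and password-change time and, ideally, on login as a periodic re-screen, so that a password that was fine when chosen is retired once it shows up in a later dump.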
Password security is crucial to businesses and it is high time we act on it. We need to change our mindset and find better ways to manage passwords. Here are a few ways to fix the most common password recycling mistakes.
7 remedies for the password reuse epidemic
1. Change default passwords
Default passwords are easy to remember, but they are printed in vendor manuals and baked into attackers' wordlists, so change every default before a device or service goes live. For the new credential, prefer a passphrase over a short password: several unrelated words are far harder to guess than "P@ssw0rd1" and still easy to remember. To be extra careful, avoid well-known phrases such as popular memes, song lyrics or movie quotes, because those are in the wordlists too. Use something that only you would know, or better, something a password manager generated.
2. Do not store passwords in plain text
If you have been keeping your business passwords in a spreadsheet or a shared document, stop. Ransomware crews routinely exfiltrate data before they encrypt it, and a plaintext credential list is exactly what lets them move from one infected machine to every system it names. Paying a ransom will be the least of your problems; the downtime and the customer churn will also take a bite. Keep shared credentials in a password manager or vault with access controls and an audit trail, and if your own application stores customer passwords, store only salted hashes produced by a slow algorithm such as bcrypt, scrypt or Argon2, never the passwords themselves.
3. Do not use easy-to-recognize keystroke patterns
“Zaq12wsxcde3” may look like a strong password, until you trace it on your keyboard: it is a walk up and down the left-hand columns. Cracking tools ship with keyboard-walk generators, so a recognizable pattern buys you almost nothing. Use a random string of letters, numbers and symbols instead, ideally one generated by a password manager rather than typed out by hand.
4. The obvious! Do not reuse passwords
Do not use the same password for two accounts, ever: a unique password confines a breach to the one site where it leaked. Remembering dozens of unique passwords is not realistic, so use a password manager to generate and store them; that is the tool that makes this rule practical.
5. Adopt a “my passwords are at risk” mentality
A cracked business password is a goldmine for attackers looking to exploit data at scale, so work on the assumption that any one of your passwords may already be sitting in a breach dump. Treat every account as unique and protect each with its own long, random password, so that losing one does not lose the rest.
6. Two-factor authentication is a boon
Long, unique passwords are good practice, but on their own they are not enough: a password can be phished, keylogged or leaked from a site you do not control. Two-factor authentication adds a second proof at login that a stolen password does not supply, such as a one-time code from an authenticator app, a push prompt, or a hardware security key (a fingerprint or face scan is usually what unlocks that second device, rather than being the factor itself). With 2FA in place, a credential-stuffing attack that gets the password right still fails. One caveat: one-time codes can be relayed by a real-time phishing site, so for administrator and other high-value accounts prefer FIDO2/WebAuthn security keys, which are bound to the genuine site and cannot be phished that way.
7. Get creative
Names of celebrities, sports teams, pets or family members are a big “no”. Attackers harvest exactly that information from social media profiles and feed it into targeted wordlists. A safe choice is a string of random words or characters with no connection to you, and the easiest way to get one is to let a password manager generate it.
What else can you do?
Avoiding password reuse is not a robust security plan. Why not? You simply cannot discipline all of your employees, nor can you assure they’re following good password hygiene outside of work. However, there are three things that you can do:
Introduce a password management policy in your enterprise. If there is already one, revisit it with supporting policies.
Reduce the number of passwords employees must manage by using single sign-on, so that one strong, MFA-protected identity fronts many applications. Keep in mind that SSO also concentrates risk in that one identity, so protect the identity provider and its administrator accounts accordingly.
Conduct holistic password management training programs for employees. Encourage discussions on best practices and what to avoid.
It’s time for enterprises to understand the severity of password reuse and prevent it from becoming a costly affair. The measures mentioned above can go a long way in ensuring a strong first line of defense against hackers.