Chapter 2 | Password Re-Use and Credential Exposure
Even with new technologies abounding, we still rely on passwords as our primary means of controlling access to systems, applications and data. In practice, passwords are the first, and in most cases the only, line of defense against unauthorized access, misuse and theft.
As simple as it sounds, a strong, complex password that is changed regularly is one of the most important cybersecurity practices—and oftentimes this one simple step is not even taken by employees. Face it, we get lazy when it comes to managing passwords.
“Passwords should be free of personal connections, so a child’s birthdate, hometown, or a pet’s name just isn’t going to be safe enough,” says Jonathan Penn, Director of Strategy at Avast.
In this sense, the word "password" is a misnomer: it should never be a single dictionary word made up of letters alone.
“Passwords should have numbers, special characters and upper and lowercase letters,” adds Penn. “Even better, employ password managers that will generate unique, strong passwords for you.”
Password managers also address another challenge facing users who must remember hundreds or even thousands of passwords: password reuse. With the many devices we use day in and day out at home and at work, employees struggle to keep the two environments separate. They check personal and professional email on their personal smartphones, and they log into Facebook, Instagram and other social sites while at work. Keeping the passwords straight across all these accounts can be daunting, and in some cases seemingly impossible.
Hello password reuse.
“We hear about password reuse all the time,” says Christopher Budd, Senior Threat Communications Manager at Palo Alto Networks. “But one way people reuse passwords is to use the same password for their personal and business accounts. Because of this behavior, businesses can face credential theft risks when their employees’ usernames and passwords are stolen from non-business sites.”
“When a seemingly irrelevant password is exposed in a data breach, attackers are aware that many people reuse those same passwords at work and can then infiltrate your work accounts and access employee portals,” says Joe Siegrist, VP of LastPass.
Stolen remote-access credentials for externally facing systems (VPN gateways, webmail, remote desktop) are a favored way in, and the resulting risk is significant.
“Similar to what we saw with Shamoon 2, attackers have used stolen remote access credentials as the front door for major attacks,” says Budd. “Recent research performed by our team discusses the central role of credential theft and how that can enable attacks.”
These attacks do not happen by chance. The technique is simple and the targeting can look random on the surface, but the campaigns behind it are deliberate and calculated.
“As we’ve seen over and over again in the news, many big brands, such as LinkedIn and Yahoo, have recently suffered data leaks and security incidents,” adds Siegrist. “Unfortunately, with large data leaks like these, millions of usernames and passwords are now out there for anyone to abuse.”
But if you think a single person steals these credentials and uses them alone, making a few bucks in the process, think again.
“We’ve seen cases where exposed passwords and login credentials are stolen in a data breach and then sold on the black market,” says Siegrist. “And the easiest way for attackers to make use of those credentials is to systematically try to log in to other websites with the same username and password combinations.”
Two reported cases illustrate the pattern: “68 Million Exposed in Old Dropbox Hack” and “Hackers Count on Password Reuse in Amazon Third-Party Seller Campaign.”
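The “systematically try to log in” pattern Siegrist describes has a recognizable signature in authentication logs: one source touching many distinct usernames with a high failure ratio, which is the opposite of a legitimate user mistyping their own password. The following Python is an added example, not code from the article or from any of the vendors quoted. The log format and the sample lines are constructed for illustration (adapt the regex to your SSO, VPN or webmail logs), and the thresholds are assumptions to tune against your own baseline.

```python
"""Flag credential-stuffing runs in authentication logs.

Added example; the log format below is hypothetical and the sample lines are
constructed. Signature of a stuffing run: one source IP cycling through many
DISTINCT usernames, mostly failing, because it is replaying leaked
user:password pairs one after another.
"""
import re
from collections import defaultdict

# Constructed sample log (hypothetical format): timestamp, result, user, source IP.
# 203.0.113.7 is a stuffing run; 198.51.100.20 is one user fumbling their own login.
SAMPLE_LOG = """\
2017-07-10T09:00:01Z FAIL user=alice src=203.0.113.7
2017-07-10T09:00:02Z FAIL user=bob src=203.0.113.7
2017-07-10T09:00:02Z FAIL user=carol src=203.0.113.7
2017-07-10T09:00:03Z SUCCESS user=dave src=203.0.113.7
2017-07-10T09:00:04Z FAIL user=erin src=203.0.113.7
2017-07-10T09:00:05Z FAIL user=frank src=203.0.113.7
2017-07-10T09:00:06Z FAIL user=grace src=203.0.113.7
2017-07-10T09:00:07Z FAIL user=heidi src=203.0.113.7
2017-07-10T09:00:08Z SUCCESS user=ivan src=203.0.113.7
2017-07-10T09:05:00Z FAIL user=alice src=198.51.100.20
2017-07-10T09:05:03Z FAIL user=alice src=198.51.100.20
2017-07-10T09:05:09Z SUCCESS user=alice src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>SUCCESS|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield (timestamp, result, user, src) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ts"), m.group("result"), m.group("user"), m.group("src")


def stuffing_candidates(text, min_users=5, min_fail_ratio=0.5):
    """Return {src_ip: stats} for sources whose traffic looks like credential stuffing.

    Thresholds are assumptions for the example. Successes inside a flagged run
    are the accounts whose owners reused a breached password; those need a
    reset and a session revocation first.
    """
    per_src = defaultdict(lambda: {"users": set(), "attempts": 0, "fails": 0, "hits": set()})
    for _ts, result, user, src in parse_log(text):
        s = per_src[src]
        s["users"].add(user)
        s["attempts"] += 1
        if result == "FAIL":
            s["fails"] += 1
        else:
            s["hits"].add(user)

    flagged = {}
    for src, s in per_src.items():
        ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised_users": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for src, stats in stuffing_candidates(SAMPLE_LOG).items():
        print(src, stats)
```

Real campaigns spread attempts across many source addresses, so aggregate per ASN or per target account as well as per IP, and route flagged sources to rate limiting or an MFA step-up rather than relying on a hard block alone.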
And once stolen credentials have been tried against as many websites as possible, the compromise does not stop with one user and one system at the company.
“Most organizations have enabled single sign-on for convenience,” adds Budd. With this technology employed, “a single compromise can impact all business processes and information associated with the user’s credentials.”
A Live Panel Discussion During Black Hat USA 2017
Want to learn more about the human element of cybersecurity? Join us live for what should prove to be a very engaging conversation.
What can organizations do to protect their systems and data when users reuse passwords across multiple personal and business accounts? Here are some tips from the experts:
“A key step to preventing the realization of these personal risks on your network is to be aware of them and take steps to mitigate,” recommends Budd.
“Using unique passwords for all your online accounts ensures that if they’re leaked in a breach, they can’t be used by hackers to get into any of your other accounts,” adds Siegrist. “If you’re not doing this, you’re doing it wrong.”
Budd notes that “there are new technological solutions that can monitor for, and prohibit the reuse of, company passwords on non-company sites.”
Siegrist continues by saying that “risks can be mitigated by using a password manager to create unique passwords for each account.”
“Corporate policies that require two-factor/multi-factor authentication and/or one-time passwords, for example, can mitigate this risk,” says Budd. “In these cases, even if an employee reuses a company password somewhere else, the password doesn’t give full access.”
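The “monitor for reuse” and “unique passwords” advice above reduces to one question a system can answer at password-set time: is this value already in a breach corpus? The following Python is an added example, not the article’s code or any vendor’s product. It implements the k-anonymity range lookup used by the Pwned Passwords service, in which only the first five hex characters of the SHA-1 digest leave the client and the 35-character suffix is matched locally. The range response embedded here is constructed for the example (the first suffix is the real remainder of SHA-1("password"), the other suffixes and all counts are made up), and `constructed_range_lookup` is a hypothetical hook that a real deployment would point at https://api.pwnedpasswords.com/range/<prefix> or at a local copy of the list.

```python
"""Screen a candidate password against a breach corpus without revealing it.

Added example. Pwned Passwords keys its corpus by upper-case hex SHA-1 and
answers /range/<first 5 hex chars> with "SUFFIX:COUNT" lines; the client
matches the suffix locally, so neither the password nor its full hash is
sent anywhere. The response data below is constructed for this example.
"""
import hashlib

# Constructed range response for prefix "5BAA6", the prefix of sha1("password").
# First line: real suffix of sha1("password") with a made-up count.
# Other lines: filler suffixes (made up) and a malformed line a parser must skip.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "0" * 34 + "1:3",
        "F" * 35 + ":1",
        "garbage line that a parser must ignore",
    ]),
}


def constructed_range_lookup(prefix):
    """Hypothetical lookup hook: stand-in for an HTTP GET of /range/<prefix>."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, matching how the corpus is keyed."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest):
    """First 5 hex chars go to the service; the remaining 35 stay on the client."""
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {SUFFIX: count}, skipping malformed lines."""
    parsed = {}
    for line in text.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            parsed[suffix.upper()] = int(count)
    return parsed


def breach_count(password, range_lookup=constructed_range_lookup):
    """Number of times the password appears in the corpus (0 if never seen).

    Only the 5-character prefix is handed to range_lookup; the full digest
    never leaves this function, which is what makes the check safe to run
    against a third-party service.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


def acceptable(password, range_lookup=constructed_range_lookup, min_len=12):
    """Policy check: long enough and absent from every known breach (min_len is an assumption)."""
    return len(password) >= min_len and breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 2017"):
        print(candidate, breach_count(candidate), acceptable(candidate))
```

Run this check when a password is set or changed, and on the corporate side reuse the same prefix query against the company’s own directory hashes to catch an employee setting a breached value; the same 5-character prefix is what a monitoring product sends, so the privacy property holds there too.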
Given that a large share of attacks on corporate networks (a figure of around three quarters is commonly cited) trace back to something as simple as weak or reused passwords, and the fix is straightforward, there is no excuse not to implement sound password management. Ensure that every employee uses a strong, unique password for each and every account, and keeps personal and business logins separate. One caveat on rotation: current NIST guidance (SP 800-63B) recommends screening passwords against lists of known-breached values and forcing a change on evidence of compromise, rather than on a fixed schedule, because scheduled changes push users toward predictable variations of the old password.
You cannot prevent employees from accessing the Internet at work, but if they practice poor password management they expose not just themselves but the entire organization to attack. An attacker who takes over that one account or computer can use it to launch attacks inside the network or against external targets.