The Password Reuse Problem Has Still Not Gone Away: Cybersecurity Trends
This isn’t a throwback post – that comes tomorrow. But, it’s worth noting that we covered a story over two years ago where the guy who recommended we change our passwords periodically and require passwords that combine upper case letters, lower case letters, numbers and special characters admitted that was bad advice. But, people – and systems – still seem to support the old ways. That’s so 2003!
As discussed in Help Net Security (The password reuse problem is a ticking time bomb, written by Michael Greene), In the first six months of 2019, data breaches exposed 4.1 billion records and, according to the 2018 Verizon Data Breach Incident Report (which we covered here), compromised passwords are responsible for 81% of hacking-related breaches. The latest data from Akamai states that businesses are losing $4m on average each year due to credential stuffing attacks, which are executed by using leaked and exposed passwords and credentials.
The author recommends three key steps that organizations should take to strengthen their defenses:
- Prevent the use of weak, similar or old passwords: New passwords should be significantly different from the previous ones and old passwords shouldn’t be re-used. Also, fuzzy-matching is a crucial tool for detecting the use of “bad” password patterns, as it checks for multiple variants of the password (upper-lower-case variants, reversed passwords, etc.).
- End mandatory password resets, which don’t improve security: This policy has proven to be ineffective as it does nothing to ensure that the new password is strong and has not already been exposed. For example, changing your password from “Big5tud” to “Big5tud!” isn’t an incremental enough change to protect yourself. ;o) The author also notes that Microsoft and NIST guidelines (which we covered in the post two years ago) advise against this approach.
- Check credentials continuously: NIST advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis. As the number of compromised credentials expands continuously, checking passwords against a dynamic database rather than a static list is critical.
The other key step (that the author didn’t mention) is to implement two-factor authentication wherever possible and expect it from your applications. Two-factor authentication is where the application sends you a code (via text or email – the means for sending may vary depending on the platform) once you provide your password that you have to enter to then be able to access the application. Unless a hacker can also access your email account or see your texts, that second layer of security helps protect against hacking of your account via just your password. According to this infographic from Symantec, 80 percent of data breaches due to stolen credentials could have been eliminated with the use of two-factor authentication.
We’ve known all of this information for at least a couple of years now, yet organizations continue to move slowly in making changes. Maybe by 2031?
So, what do you think? Does your organization require you to change passwords periodically? Please share any comments you might have or if you’d like to know more about a particular topic.
Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.
Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.