Close
Enter your
text here

eDiscovery Daily Blog

Home » eDiscoveryDaily » Electronic Discovery » The Password Reuse Problem Has Still Not Gone Away: Cybersecurity Trends

The Password Reuse Problem Has Still Not Gone Away: Cybersecurity Trends

This isn’t a throwback post – that comes tomorrow.  But, it’s worth noting that we covered a story over two years ago where the guy who recommended we change our passwords periodically and require passwords that combine upper case letters, lower case letters, numbers and special characters admitted that was bad advice.  But, people – and systems – still seem to support the old ways.  That’s so 2003!

As discussed in Help Net Security (The password reuse problem is a ticking time bomb, written by Michael Greene), In the first six months of 2019, data breaches exposed 4.1 billion records and, according to the 2018 Verizon Data Breach Incident Report (which we covered here), compromised passwords are responsible for 81% of hacking-related breaches. The latest data from Akamai states that businesses are losing $4m on average each year due to credential stuffing attacks, which are executed by using leaked and exposed passwords and credentials.

The author recommends three key steps that organizations should take to strengthen their defenses:

  1. Prevent the use of weak, similar or old passwords: New passwords should be significantly different from the previous ones and old passwords shouldn’t be re-used. Also, fuzzy-matching is a crucial tool for detecting the use of “bad” password patterns, as it checks for multiple variants of the password (upper-lower-case variants, reversed passwords, etc.).
  2. End mandatory password resets, which don’t improve security: This policy has proven to be ineffective as it does nothing to ensure that the new password is strong and has not already been exposed. For example, changing your password from “Big5tud” to “Big5tud!” isn’t an incremental enough change to protect yourself.  ;o)  The author also notes that Microsoft and NIST guidelines (which we covered in the post two years ago) advise against this approach.
  3. Check credentials continuously: NIST advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis. As the number of compromised credentials expands continuously, checking passwords against a dynamic database rather than a static list is critical.

The other key step (that the author didn’t mention) is to implement two-factor authentication wherever possible and expect it from your applications.  Two-factor authentication is where the application sends you a code (via text or email – the means for sending may vary depending on the platform) once you provide your password that you have to enter to then be able to access the application.  Unless a hacker can also access your email account or see your texts, that second layer of security helps protect against hacking of your account via just your password.  According to this infographic from Symantec, 80 percent of data breaches due to stolen credentials could have been eliminated with the use of two-factor authentication.

We’ve known all of this information for at least a couple of years now, yet organizations continue to move slowly in making changes.  Maybe by 2031?

So, what do you think?  Does your organization require you to change passwords periodically?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

print




WHAT CLIENTS ARE SAYING ABOUT CLOUDNINE

Great value product.

“Offers the major features we were looking for, at a fraction of pricing of other competitors.”

I used CloudNine as part of fraud investigation for email searches.

“…The tag function made it easy to flag the search results. I was impressed with the ease of use for a first-time user. The speed and ease of loading data and being able to review it immediately is a tremendous advantage over other Cloud-based platforms.”

Excellent tool with outstanding support

“CloudNine Review is excellent, it takes the best of the (market leader) review solution and leaves out all of the fiddly bits that make that product excruciating to use. Their upload and processing is automatic, and their pricing structure is the best I’ve seen.”

Great software that is easy to log on, user-friendly, has a great layout, and is easy to navigate.

“…CloudNine is great at searching documents, including tagging, and exporting. Software tailored to our business needs and streamlined the task at hand.

Discovery Production

This software is easy to use and allows us to upload and download documents as they become ready, saving us both time and money.

Stephanie Plake, Assistant to Attorney at Law Office

READY TO SEE THE SOFTWARE IN ACTION?

Request a CloudNine demo and see how easy eDiscovery can be!

REQUEST A DEMO