Navigant's Cyber Risk and Information Security Practice

Password Reuse Attacks

15 June 2017

IT Security, Risk Management

It is common practice for people to use the same password for multiple sites. It is estimated that 73% of online accounts are guarded by duplicated passwords. This is highly convenient for users because nobody wants to remember several passwords. Why would you not just use the same password? Well, employing the same password to guard multiple accounts leaves you vulnerable to password reuse attacks.

Password reuse attacks occur when hackers exploit the fact that people use the same password for multiple accounts. Once a hacker compromises one password, that same password lets them into every other account it guards, well beyond the account that was initially breached. This is essentially a domino effect: once one account is compromised, every account that shares its password is compromised as well.

It is surprising how easy it is for hackers to obtain a person’s password. LeakedSource was a very popular website that hackers used as a tool to execute password reuse attacks. LeakedSource was a database of compromised usernames and passwords that users could pay to access. Its database was built from huge data breaches such as those at Adobe, Myspace, Twitter, and LinkedIn. It is estimated that LeakedSource’s database contained information about 3 billion compromised accounts. If a hacker wanted to access a person’s account, they would buy a subscription and search for their target’s username and email. If the target’s username and/or email was in the database, the hacker could see the password associated with it. This allowed the hacker to compromise the target’s account, and, if the target used the same password for multiple accounts, several accounts would be compromised. LeakedSource has since been shut down, but it is likely that copycat sites will arise. The existence of sites like LeakedSource emphasizes just how important it is not to use the same password for several accounts.

COMPASS best practice tips:

  • Do not use the same password for multiple services or logins.
  • Make sure you create robust and unique passwords for all accounts, especially accounts that contain sensitive personal and financial data.
  • Employ two-factor authentication whenever it is available.
  • Incorporate policies in your organization that prohibit users from reusing passwords.
  • Keep up to date on data breaches. Use a site such as haveibeenpwned.com to check if your email is in a database dump.
  • Use a password management system like KeePass, 1Password, or LastPass to generate and remember complex passwords for multiple accounts.
  • Refrain from using personal information such as birthdays, addresses, and names in your passwords.
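The tips above can be enforced at password-change time. The following is an added illustration (not code from Navigant or COMPASS) of how an application can check a new password against a list of leaked passwords and against the user's own password history. The breach lookup uses the k-anonymity range-query pattern popularized by public breached-password services: the client hashes locally and sends only the first five hex characters of the SHA-1, so the server never learns the full hash. The breach corpus, salt and function names here are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample breach corpus (stand-in for a real leaked-password dataset):
# SHA-1 digest of each leaked password -> number of times it was seen in dumps.
_LEAKED = {"password": 3_500_000, "123456": 22_000_000,
           "letmein": 180_000, "Summer2017!": 12}
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
                 for p, n in _LEAKED.items()}


def range_lookup(prefix5: str) -> dict:
    """Server side of the k-anonymity query: given only the first five hex
    characters of a SHA-1, return every matching suffix with its breach count.
    Many hashes share a prefix, so the server cannot tell which one the
    client is really asking about."""
    assert len(prefix5) == 5
    return {h[5:]: c for h, c in BREACH_CORPUS.items() if h.startswith(prefix5)}


def times_breached(password: str) -> int:
    """Client side: hash locally, send only the 5-char prefix, then match the
    suffix in the returned set locally. Returns how often the password
    appeared in known dumps (0 means not found)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return range_lookup(digest[:5]).get(digest[5:], 0)


def history_hash(password: str, salt: bytes) -> bytes:
    """Slow, salted hash for the per-user password history. SHA-1 alone is only
    used for the range query above; stored hashes must resist offline guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def check_new_password(candidate: str, salt: bytes, history: list) -> str:
    """Enforce two of the tips above: reject passwords seen in breaches, and
    reject reuse of any password the user has already had (history holds the
    user's previous history_hash values). Returns a verdict string."""
    hits = times_breached(candidate)
    if hits:
        return f"rejected: seen {hits} times in known breaches"
    new_hash = history_hash(candidate, salt)
    if any(hmac.compare_digest(new_hash, old) for old in history):
        return "rejected: matches a previous password"
    return "accepted"
```

A real deployment would replace `range_lookup` with an HTTPS call to the breach service's range endpoint and keep the rest of the logic unchanged.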
