The Danger of Reusing the Same Password for Your On-Line Accounts

Summary

Every day, cybercriminals compromise websites and post online lists of usernames, email addresses, and passwords. This leaves users open to follow-on attacks if they have set up the same password on multiple sites.

Password reuse is when someone reuses the same password on multiple websites or accounts. This is a vulnerability when the password is exposed in coordination with other information that identifies who is using the password, such as first and last names, login names, or email addresses.

How Password Reuse is a Threat

Cybercriminals steal or buy lists of stolen usernames (typically the email address) and passwords from breached sites. Password reuse is a threat because it gives criminals information they can use to identify you, and they may be able to access your accounts on different sites if you use the same password on those sites. This typically happens in the following ways:

  • Using the stolen account information from one site, criminals search other common sites you are likely to use and try to log in with the same stolen password. They will try personal accounts such as Gmail, Facebook, Twitter, and banking websites. If they can identify those accounts, and you have the same password for those sites, they can log in as you and cause all sorts of harm.
  • Another variation is where the criminals try to determine where you are employed (easy to find with Facebook and LinkedIn) and attempt to use your stolen password for remote access, such as through remote email or timecard access.
  • The criminal sets up a legitimate-looking website that asks you for an email address, password, and potentially other information to gain access. Once you have been tricked into entering that information, they know who you are and can search for your other accounts where you used the same password.

How to Protect Yourself

Regardless of how you choose a password, it is critically important that every password be unique for each site you visit. Some companies, such as Facebook, have programs to identify password reuse. Facebook’s program to identify password reuse involves monitoring for lists of compromised usernames, emails, and passwords, and attempting to match those to the usernames or email addresses of existing Facebook users. If a match is found, Facebook asks the user to choose a different password.
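The matching described above can be run by any site against its own user store. The following is an added example, not Facebook’s code or anything from the original article: it takes a constructed breach dump of (email, plaintext password) pairs, looks each email up in a constructed user store holding salted PBKDF2 hashes (a stand-in for whatever hash the site really uses), and flags only the users whose leaked password verifies against their current one, so those users can be forced to pick a new password. A user who appears in the dump with a different password is correctly left alone.

```python
import hashlib
import hmac
import os

# Constructed sample breach dump, as such lists are typically posted:
# (email, plaintext password). "nobody" is not a user of this site.
BREACH_DUMP = [
    ("alice@example.com", "correct horse battery staple"),
    ("Bob@Example.com", "hunter2"),
    ("carol@example.com", "Tr0ub4dor&3"),
    ("nobody@example.com", "irrelevant"),
]

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (stand-in for the site's real password hash)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def make_user_store() -> dict:
    """Constructed user store: lowercase email -> (salt, hash).
    Alice and Carol reused their leaked password here; Bob did not."""
    store = {}
    for email, pw in [("alice@example.com", "correct horse battery staple"),
                      ("bob@example.com", "a-different-unique-password"),
                      ("carol@example.com", "Tr0ub4dor&3")]:
        salt = os.urandom(16)
        store[email.lower()] = (salt, hash_password(pw, salt))
    return store

def find_reused_credentials(dump, store) -> list:
    """Return the emails (sorted) whose leaked password matches their
    current password in this site's store; those accounts need a reset."""
    flagged = []
    for email, leaked_pw in dump:
        key = email.strip().lower()          # dumps are inconsistently cased
        record = store.get(key)
        if record is None:
            continue                         # not one of our users
        salt, stored_hash = record
        candidate = hash_password(leaked_pw, salt)
        if hmac.compare_digest(candidate, stored_hash):   # constant-time compare
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    for email in find_reused_credentials(BREACH_DUMP, make_user_store()):
        print(f"{email}: leaked password matches current password -> force reset")
```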

Avoiding password reuse can be challenging because of the number of websites and accounts that require passwords, some of which require an updated password every so often. There are two basic ways to both avoid password reuse and to ensure your password meets any recommended password length and complexity requirements.

Use a Password Manager

Password managers are programs that run on a computer, smartphone, or in the cloud, and securely track your passwords for all accounts you have online. Since each site has a unique password, if a site is breached and your password is stolen, that password won’t work anywhere else. You only have to remember one good password: the one for the password manager itself. Using a password manager is an excellent way of protecting your passwords, as long as the password to access the password manager is sufficiently long (20 or more characters; use a sentence you will remember instead of a password). Additionally, you should configure the password manager to create a long, random password for each site you must log into. Since you won’t have to remember a password for each site, a random password of 30 or more characters will make it much harder for an attacker. Here are some recommendations for a trustworthy password manager:

Use Multifactor Authentication (MFA)

Multifactor authentication uses two or more different factors (something you know, something you have, something you are) to prove your identity. An example of multifactor authentication would be using a password and a token (such as your smartphone), or using a PIN and a biometric such as your fingerprint. MFA makes it almost impossible for an attacker who has stolen your password to log in as you, particularly if the other factor is something you have or something you are. Two-factor authentication (2FA) is a type of multifactor authentication.

Here’s a list of sites that support 2FA:

If your site supports 2FA, be sure to use it. It provides significantly improved security, particularly with sites that hold financial or personal information.

Find Out if Your Credentials Have Been Stolen

You can check to see if your email account or other account names have been found on lists of stolen credentials: https://haveibeenpwned.com/

You can also sign up on this site to be notified if your credentials were stolen.