Reusing passwords is common, despite years of warnings to end users. It’s a problem that’s difficult for IT teams to get a handle on, especially if people are reusing work passwords at home. This means a breach elsewhere can bring cybersecurity problems to an organization’s doorstep, even if their own Active Directory password policy is a good one that goes above and beyond regulatory advice.
Password reuse is a bigger problem than you may have realized and a difficult one to track. A TechRepublic survey revealed 53% of people admit to using the same password across multiple accounts – which is music to the ears of hackers. Risky user behavior plus relentless effort from cybercriminals is not a good combination. However, it’s also a risk that can be mitigated with the right tools.
Why do people reuse passwords?
Put simply, people like to take the easy option. Even if it goes against hours of security and awareness training (SAT), people would rather remember one password than several. They don’t want the hassle of resetting their password and being locked out, prolonging their work day. And many will assume that because their work password is strong, it’s a good idea to use it for personal devices and applications too. After all, what are the chance they’ll be the unlucky person targeted by hackers?
End users should know better in 2023 – it’s true. But it’s not fair to solely blame employees.
Organizations have increasingly embraced software-as-a-service (SaaS), thanks to its flexibility, ease of scale, and a reduced need for specialist in-house expertise. Since 2021 there’s been an 18% increase in SaaS adoption, with the average organization using 130 SaaS apps. This has led to an average 250-person company managing an estimated 47,750 passwords – leading to a lot of opportunity for compromise.
The vast majority of end users aren’t setting out with the intention of putting their organization at risk. They just have a lot to remember and probably think password reuse is not a big deal. Unfortunately, this is far from the truth.
The hidden risks of password reuse
Verizon estimate 86% of attack initial access is gained through stolen credentials. If the same password is used for many devices and applications, only the weakest link needs compromising. A phishing email, unsecured public network, or malware-infected personal device could all lead to a breached password in an end user’s personal life. If they’ve reused their work password, this initially unrelated cyber incident could cause a chain of events that impact your organization.
One of the biggest risks is attackers getting their hands on a database of passwords from a less secure website or SaaS application. For example, say a hacker gets into an online store and gets their hands on a whole database of passwords. Even if the passwords are hashed, the attacker has all the time in the word to try and crack them, and then figure out who those people are and where they work. If any of those passwords have been reused at work, it’s an easy route into the employee’s organization.
This is why password reuse can be a major thorn in the side for organizations with an otherwise strong password policy. An organization might enforce end users to use longer, strong passwords at work, but there’s nothing stopping people reusing those passwords on personal applications and devices with weak security or on unsecure networks.
How to protect against password reuse
The problem with password reuse is what it leads to – compromised passwords. There a few ways organizations can reduce the risk of handing hackers easy routes into their organizations.
Organizations have been training people for a long time and it hasn’t stopped password reuse. Bitwarden found 68% of internet users manage passwords for over 10 websites – 84% of these people admit to password reuse. There’s value in raising awareness of cybersecurity, but it would be wishful thinking to believe end user training will solve the problem on its own.
Multi-factor authentication (MFA)
It helps, for sure. However, no form of authentication is infallible to determined hackers. MFA can be vulnerable to attacks such as prompt bombing, so it’s still important to secure passwords too.
Get rid of passwords
This might sound like a dream scenario for IT teams, but it’s not always feasible though. In fact, for most organizations, we’re a long way off removing passwords entirely.
Check for compromise passwords
IT teams will always struggle to stop people reusing work passwords outside of work, so it’s key to have a way for checking whether passwords have become compromised. However, solutions such as Azure AD (Entra ID) only check at password resets or changes. This can be too slow – 2023 data from IBM says it takes 204 days to discover a breach and 73 days to contain it. Using solutions that only check for compromise at change or reset is especially risky for organizations with passwords set to never expire.
Continuous scanning for compromised passwords
Specops Password Policy with Breached Password Protection offers automated, ongoing protection for your organization against the constant threat of compromised passwords. It protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks.
Our new continuous scan feature checks all Active Directory passwords against the Breached Password Protection API for compromise once a day. The API is updated daily with newly discovered compromised passwords from our password honeypot system in addition to newly discovered password leaks when they occur. Administrators can review results of the latest continuous scan in the Domain Administration Tools.
Author: Marcus White, Specops cybersecurity specialist