12 Steps Is All It Takes
How many passwords to you have to use on a daily basis? For those of you who said anything less than five, you are in the minority.
Credit-checking firm Experian found that for an average of 26 different online accounts, users had only five different passwords. 25–34-year-olds are the most prolific, with no fewer than 40 online accounts per person on average.
40 Online accounts per person. This begs the question, do these people have 40 different passwords for each one of these accounts? I think you’d agree that would be highly doubtful.
Too Many Passwords
Look at it this way..how many different systems and applications do you have to log into on a daily basis just to take care of your life and your job?
Think about the….
- phone and/or tablet password you use to check your personal email, read books, or make purchases on
- home computer that you use to do your personal finances or write your college work papers on
- domain password you use at work that gives you access to networked printers and file shares
- work computer that sits on your desk where you do your daily work
- home banking system provided by your financial institution
- web applications, social media services, and other websites you use either professionally or personally
….you get the picture.
The worst thing about the number of passwords we use on a daily basis is that it’s not going to get any better, in fact it’s only going to get worse. As more and more technologies enter the workplace, and your home, you may soon have to have passwords to access just about everything. Soon you may have to have a password to access the thermostat in your office and the dish washer in your home as more and more technologies become “smart”.
Wasn’t technology supposed to make our lives easier? It seems to be making it worse in many a computer user’s opinion.
While a user having to deal with all of these passwords is a nightmare, it’s worse on the system administration and information security departments in companies around the globe. Yes, administrators and security analysts are obviously worried that people are going to write down their passwords and leave them somewhere that is easy to find (desk drawers, under keyboards, under overhead credenzas, etc.), but today they tend to worry even more that they are are also worried “GASP” reusing them!
That’s right, computer users are using the same password for multiple computers and applications within their personal and work life. From a hacker’s perspective, this is perfect, because now all they need to do is capture one password and then they can reuse it over and over to find other systems and applications that can be broken into with those credentials.
Hackers Don’t Really Check For Password Reuse
Yes, as a matter of fact, they do.
As an example of how well this type of attack works works, take note of the recent breach at Stubhub. Password reuse played a huge role in how successful the breach was.
“Customer accounts were accessed by cyber criminals who had obtained the customers’ valid login and password either through data breaches of other businesses, or through the use of key-loggers and/or other malware on the customers’ PC,” StubHub said in a statement.
Play this scenario out in your mind with your employees. How many of them do you think reuse their passwords on their corporate accounts and web accounts. Even worse, how many do you think reuse passwords used for key internal systems on websites with lax security? Terrified yet? If not, you should be.
When hackers are attacking an organization, password reuse is one of the first things they look for when attempting to compromise a domain or a critical system. Why? Because the hacker knows that if one person is reusing passwords, there is a good possibility that others are as well, even system administrators. With that in mind, all it takes is capturing the right password once, perhaps off of a poorly secured network printer, and it’s game over. That password will be tested against multiple other key systems until the hacker has exhausted all potential points of entry.
We Train All Our Staff
Often, security training programs and corporate policies focus on the complexity of the password (which is a good thing) and also on not sharing the password with anyone (also a good thing).
The problem is the word “anyone”. Different people interpret the word different ways.
Most people don’t usually consider another system or website “anyone”, it’s just another computer system or application. Unfortunately, that is exactly where things break down. In truth, another system or application is truly an “anyone”. If breached, the system or application could share the password with others…others who mean to use it to break into additional accounts and systems.
Word semantics, it will get you every time.
Fixing the Problem When Training Doesn’t
Fixing the problem is not all that difficult. In fact it’s almost like a 12-step program.
The steps below give you a good starting point, regardless of the size of your company, on how you can get your users to understand the dangers associated with password reuse.
- Accept that you have a problem. Your users are sharing passwords between systems and applications.
- Accept that there are greater powers involved in the problem (user apathy, hackers, etc.).
- Make the decision to work with your users to help them understand why sharing passwords with different systems and applications is a bad idea.
- Make an inventory of systems, through security testing, to determine if passwords are being shared between systems within your corporate network.
- Don’t feel alone in the matter. Realize that you are not the only person or company with this problem and that it is a problem that all companies, regardless of size, face.
- Recognize that there will always be risk in your organization and that there is no way to be 100% risk free.
- Establish a program that will work to reduce the risk in your organization by making staff aware of the dangers of sharing passwords between applications and systems.
- Make a list of all key systems that need to be re-passworded to ensure that the password being used on the system is not being used elsewhere.
- Begin fixing the issue. You’ve recognized that the problem exists, so auditors and examiners will expect you to do something about it. Change your training programs, update your policies, engage with your users about the issue.
- Be vigilant. Put controls in place that will alert you when your users are possibly sharing passwords between systems.
- Train and re-train. Train your new employees and re-train your current employees. Remember, people need to be reminded about the danger of sharing passwords between systems and applications more often than you think.
- Recognize that the steps you are taking are putting you are on the path to becoming a more secure organization. However, staying secure is a constant battle and you must be vigilant.
Digital Defense continues to receive industry recognition for our Vulnerability Assessment solutions. A 2018 Frost & Sullivan Vulnerability Management Customer Value Leadership report states,