What if I told you that 1.5% of publicly leaked passwords were still being used to sign in to Microsoft accounts? It doesn’t sound like much, but it equates to 44 million users still signing in with leaked passwords. This is what the Microsoft research team found when it checked its consumer and Azure AD accounts against three billion publicly leaked credentials during the first quarter of the year.
We asked some prominent security professionals about the proliferation of password reuse and what other options there are for people to strengthen their security measures:
Stuart Sharp, VP of solution engineering at OneLogin
“Password reuse is a massive problem and this scan only highlights the severity of the situation. Whether knowingly or unknowingly, people are using compromised credentials to access sensitive personal and corporate data, putting organisations and individuals at risk of disastrous attacks from bad actors. Multi-Factor Authentication is no longer just security best practice, but a core necessity for corporate and personal applications alike. Wherever possible, stronger forms of Multi-Factor Authentication should be used, such as WebAuthn with on-device biometrics.”
Gavin Millard, VP Intelligence at Tenable
“Password reuse and single-factor authentication are among the largest cybersecurity issues we face today. Frustratingly, no matter how easy password managers make storing and using complex passwords for online services, or how simple it is to add a second authentication mechanism – such as an SMS code sent to a mobile device – adoption is still woefully low.
“As individuals, we need to change our mindset when securing any online account, employing the same level of protection we adopt for securing our financial accounts. This means moving away from not just the reuse of passwords, but also making them stronger, particularly for accounts where we’re sharing sensitive details or personal information, and always using a second factor if available.”
Javvad Malik, security awareness advocate at KnowBe4
“When we look at the sheer number of different services and apps that people use and are required to sign up for, it is little surprise that people reuse credentials. It’s why it is so important to educate and raise awareness among users as to the dangers of reusing credentials and how it can lead to account takeovers. Once people understand the risks, they can then make informed decisions to better protect themselves through means such as enabling MFA where available, and using a password manager to choose stronger and unique passwords for each site they register for.”
Robert Ramsden-Board, VP EMEA, Securonix
“In today’s cybersecurity landscape, it couldn’t be truer to say that passwords are the weakest link. We need to create several versions of them, make them hard to guess and commit them to memory. Therefore, it comes as no surprise that password reuse is so rampant.
“Two-factor authentication can help tackle the risk posed by password reuse. However, organisations and users should explore alternatives to the traditional text password, such as persona-based authentication, which relies on a combination of ‘geographical’ and behavioural elements to determine identity, or a trust score system that allows users to sign in and unlock devices through a trust score calculated from several behavioural factors such as location, facial recognition and typing pattern. While it’s true passwords aren’t going anywhere soon, there are ways that they can be strengthened to keep users and their data safe, and these options should be deployed going into 2020 and beyond.”
Eoin Keary, CEO and cofounder of edgescan
“Why do people reuse passwords? Because they have way too many to remember. Work passwords, utilities, banking, laptop account logins etc etc. How can an average person remember so many? Furthermore, a regular user does not use a password vault or storage solution, regardless of the recommendations.
“The rub with password reuse across many services is that if one service is breached, the disclosed password is often used in credential stuffing attacks that try to access other services and websites. This type of attack is becoming more and more common, and it bets on the widespread habit of users reusing their passwords.
“Solutions such as multi-factor authentication help solve the password reuse issue, as they also require a one-time password at time of login which changes every time.”
Lamar Bailey, senior director of security research at Tripwire
“It’s good practice to ensure individuals have different passwords for different accounts, and these passwords should be passphrases that are not easy to guess. Educating the workforce about the basics of security, like not reusing passwords for numerous accounts or not clicking on malicious emails, links or attachments, will naturally reduce the threat of an attack. People are unfortunately the weak link in the security pyramid, with hackers preying on this naivety, and this needs to change.
“It is now critical that users check for compromised passwords and usernames on a regular basis. Many password vaults like LastPass and Dashlane will do this automatically for you, or you can use a service like https://haveibeenpwned.com/”