How secure is your password?
Everyone has a favorite. Savvy people, of course, know better than to use something that can be easily guessed, like 12345 or ‘Password.’ But once you latch on to a password that you really like and that is easy to remember, you use it again on a site you might not visit too often but want to make sure you remember. That one site becomes two, then three, and suddenly it is your default password for a lot of things.
Your attempt at password security has failed. In the business world, this problem can cascade into trouble for overall business password management.
Poor password security has plagued the business world for as long as there has been more than one password to remember. However, the mix of remote work and the growth of e-commerce and online transactions adds new levels of risk. One study found that one in four people are reusing work passwords for personal transactions, from dating apps to food delivery services.
“Having a different password on each system has long been the suggested solution by security experts. In practice, this has been very difficult for users to manage. There’s just too much friction and mental overhead to remember passwords for dozens or hundreds of websites,” says Alan Krassowski, vice president of technology at Acceptto.
Why Recycling Passwords Hurts Businesses
Every time an employee recycles a business password for their consumer needs, it opens the door for a potential data breach or cyber incident for the company. It’s simple math, really. The more the password is used, the more likely it is going to be compromised at some point. One thing we’ve learned about data breaches is usernames or emails and passwords are often stored without encryption. If someone is using their work email and work password to do some online shopping, a data breach can give a cyber criminal the key to whatever sensitive data that user has access to at work. From there, they could get into the entire network.
When you recycle any password, you might as well accept that you’ll be a victim of cyber crime, warned Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic.
“If you continue to reuse old passwords it is like leaving your front door open and inviting cyber criminals into your home,” he says.
Or, in this case, into the workplace.
Business Password Management Needs Improvement
It’s easy to blame the employee for recycling passwords from work to consumer use, but employers are also at fault for not doing enough to improve their overall business password management systems. According to the report mentioned above:
• One-quarter of businesses surveyed don’t require workers to change passwords often.
• A little more than a quarter say they don’t require remote workers to have company-specific security software running on their devices when they are accessing sensitive work files.
• And nearly one-third don’t require any type of secure access tools, such as VPN, when connecting to the network.
This lack of password management and password security best practices puts the organization at a higher risk of credential stuffing.
“The FBI issued a warning about an increase in credential stuffing attacks in September 2020, and yet consumers are still using work emails and passwords to log in to consumer apps and websites, putting the enterprise at significant risk of a credential stuffing attack,” Phil Richards, chief security officer at Ivanti, says in a formal statement.
How Do You Stop a Problem Like Password Recycling?
In a perfect world, no one would recycle their passwords. Everyone would use a strong and unique password for everything. They’d also use password managers or some personal system to make sure they’ll never forget those dozens of passwords. Lastly, they’d regularly change passwords to stay a step ahead of the cyber criminals.
We do not live in a perfect world, however. The threats surrounding password reuse will continue. IT and security decision-makers need to step in to address the problem.
Boosting Business Password Management: Go Passwordless
One option is to remove the need for passwords altogether. Passwordless options use a token or another method, such as a smartphone or biometrics, already tied to the user. This option helps to lessen the risk of credential stuffing because it requires the user to prove who they are rather than simply present a secret that may have leaked elsewhere.
A second option is increasing the steps required for authentication.
“Passwords can be augmented with multifactor authentication (MFA),” says Krassowski, who also warns that threat actors have improved in cracking MFA codes. “MFA provides a layered defense against attackers getting into a computing device, database or network by using two or more unique factors to verify your identity.”
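Two of the article's points above have a concrete server-side shape: the observation that breached sites often stored passwords without protection, and the suggestion to augment passwords with a second factor. The following is an added example, not code from the article or from any vendor it quotes, showing a login check that stores only a salted scrypt digest (so a breach of this store yields no reusable plaintext) and requires a time-based one-time code (RFC 6238 TOTP) alongside the password. The record layout, the `enroll`/`authenticate` helpers and the scrypt parameters are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import struct

# Assumed scrypt cost parameters (illustrative; tune to your hardware budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password, salt=None):
    """Store a per-user salt and a slow scrypt digest, never the password itself."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return {"salt": salt, "hash": digest}


def verify_password(record, password):
    """Recompute the digest with the stored salt and compare in constant time."""
    digest = hashlib.scrypt(password.encode(), salt=record["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P)
    return hmac.compare_digest(digest, record["hash"])


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, timestamp // step, digits)


def verify_totp(secret, code, timestamp, step=30, digits=6, skew=1):
    """Accept the current step plus/minus `skew` steps to tolerate clock drift."""
    for delta in range(-skew, skew + 1):
        candidate = hotp(secret, timestamp // step + delta, digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def enroll(password):
    """Create a user record: password digest plus a fresh 160-bit TOTP seed."""
    record = hash_password(password)
    record["totp_secret"] = secrets.token_bytes(20)
    return record


def authenticate(record, password, code, timestamp):
    """Both factors are always evaluated so the response does not reveal which failed."""
    password_ok = verify_password(record, password)
    code_ok = verify_totp(record["totp_secret"], code, timestamp)
    return password_ok and code_ok


if __name__ == "__main__":
    import time
    user = enroll("correct horse battery staple")   # constructed sample password
    now = int(time.time())
    print("with both factors:", authenticate(user, "correct horse battery staple",
                                             totp(user["totp_secret"], now), now))
    print("password only:    ", authenticate(user, "correct horse battery staple",
                                             "abcdef", now))
```

Because `authenticate` needs the one-time code as well as the password, a password lifted from a breached shopping site is not enough on its own, which is the layered defence Krassowski describes. The `hotp` and `totp` functions reproduce the published RFC 4226 and RFC 6238 test vectors, so they can be checked against any standard authenticator app.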
Ivanti’s Richards advocates for a zero trust model.
“Companies across all industries must implement a zero trust model to ensure that entities accessing corporate information, applications or networks are valid and not using stolen credentials,” he says in a statement.
With zero trust, the risk posed by compromised usernames and passwords decreases because each user and access request is verified rather than trusted by default.
“In addition,” according to the report, “as remote work persists and devices continue to proliferate, zero trust security can make it much easier to enforce acceptable use policies, including the use of multifactor authentication, device protections and secure network connectivity.”
The Human Element of Business Password Management
But until companies can put systems in place that improve cybersecurity through strong password or other credential management, they should make sure to educate their employees.
“Password hygiene should always be part of employee training and cyber awareness training,” says Carson. “Organizations must help employees move passwords into the background so they do not have to choose or remember passwords.”
Whatever their choice, organizations need to address the risks of reusing business passwords for personal use. By reducing the threat of poor business password management, you begin to reduce one of the most common causes of many security incidents and data breaches.