How secure is your password?

Everyone has a favorite. Savvy people, of course, know better than to use something that can be easily guessed, like 12345 or ‘Password.’ But once you latch on to a password you really like and that is easy to remember, you use it again on a site you might not visit often but want to be sure you can get back into. That one site becomes two, then three, and suddenly it is your default password for a lot of things.

Your attempt at password security has failed. In the business world, this problem can cascade into trouble for overall business password management.

Poor password security has plagued the business world for as long as there has been more than one password to remember. However, the mix of remote work and the growth of e-commerce and online transactions adds new levels of risk. One study found that one in four people reuse work passwords for personal transactions, from dating apps to food delivery services.

“Having a different password on each system has long been the suggested solution by security experts. In practice, this has been very difficult for users to manage. There’s just too much friction and mental overhead to remember passwords for dozens or hundreds of websites,” says Alan Krassowski, vice president of technology at Acceptto.

Why Recycling Passwords Hurts Businesses

Every time an employee recycles a business password for their consumer needs, it opens the door to a potential data breach or cyber incident for the company. It’s simple math, really: the more places a password is used, the more likely it is to be compromised somewhere. One thing we’ve learned from data breaches is that usernames or emails and passwords are often stored in plaintext, or hashed without a salt or with a fast algorithm that is trivial to crack. If someone uses their work email and work password to do some online shopping, a breach of that shop hands a cyber criminal a working credential for whatever sensitive data that user can reach at work. From there, they can use that account as a foothold to move further into the network.
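The matching step described above, from the defender’s side, as an added example (this code is not from the original article or from any vendor quoted in it): a constructed third-party breach dump in the plaintext “email:password” form is checked against a constructed corporate directory that stores only salted, stretched hashes. No plaintext ever has to be kept on the corporate side; each leaked password is hashed with that account’s own salt and compared in constant time. Account names, passwords and the dump are all invented for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed example accounts (invented for this illustration).
CORP_ACCOUNTS = [
    ("alice@example.com", "Summer2020!"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "Tr0ub4dor&3"),
]

# Constructed example of a consumer-site breach dump, in the plaintext
# "email:password" form the article describes. Dave is not a corporate
# account, Erin's leaked password contains a colon, and one line is junk.
BREACH_DUMP = """\
alice@example.com:Summer2020!
bob@example.com:pizza4life
carol@example.com:Tr0ub4dor&3
dave@other.example:hunter2
Erin@Example.com:pass:with:colon
this line is garbage
"""

ITERATIONS = 50_000  # kept low so the example runs quickly; raise it in production


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, stretched hash (PBKDF2-HMAC-SHA256) as stored in the directory."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_directory(accounts: List[Tuple[str, str]]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build {email: (salt, hash)} with a fresh random salt for every account."""
    directory: Dict[str, Tuple[bytes, bytes]] = {}
    for email, password in accounts:
        salt = os.urandom(16)
        directory[email.lower()] = (salt, hash_password(password, salt))
    return directory


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse 'email:password' lines. Split on the first colon only so passwords
    containing ':' survive; skip lines that do not look like a credential pair."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        if "@" not in email or not password:
            continue
        pairs.append((email.strip().lower(), password))
    return pairs


def find_reused(directory: Dict[str, Tuple[bytes, bytes]], dump: str) -> List[str]:
    """Return the corporate accounts whose leaked consumer-site password also
    opens their work account. Each leaked password is hashed with that
    account's own salt and compared in constant time to the stored hash."""
    exposed = []
    for email, leaked_password in parse_dump(dump):
        record = directory.get(email)
        if record is None:
            continue  # not one of ours
        salt, stored_hash = record
        if hmac.compare_digest(hash_password(leaked_password, salt), stored_hash):
            exposed.append(email)
    return sorted(exposed)


DIRECTORY = make_directory(CORP_ACCOUNTS)

if __name__ == "__main__":
    for account in find_reused(DIRECTORY, BREACH_DUMP):
        print(f"force password reset and revoke sessions: {account}")
```

Alice and Carol reused their work password on the breached site and are the accounts to reset; Bob used a different password there and is not exposed by this dump. The same routine is what an attacker runs in reverse, which is why the check is worth running on every new public dump before they do.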

When you recycle any password, you might as well accept that you’ll be a victim of cyber crime, warned Joseph Carson, chief security scientist and advisory chief information security officer at Thycotic.

“If you continue to reuse old passwords it is like leaving your front door open and inviting cyber criminals into your home,” he says.

Or, in this case, into the workplace.

Business Password Management Needs Improvement

It’s easy to blame the employee for recycling passwords from work to consumer use, but employers are also at fault for not doing enough to improve their overall business password management systems. According to the report mentioned above:

• One-quarter of businesses surveyed don’t require workers to change passwords often.
• A little more than a quarter say they don’t require remote workers to have company-specific security software running on their devices when they are accessing sensitive work files.
• And nearly one-third don’t require any type of secure access tools, such as VPN, when connecting to the network.

This lack of password management and best password security practices puts the organization at higher risk of credential stuffing: attackers take the username and password pairs leaked from one site and replay them, automatically and at scale, against other services in the hope that the same credentials work there too.

“The FBI issued a warning about an increase in credential stuffing attacks in September 2020, and yet consumers are still using work emails and passwords to log in to consumer apps and websites, putting the enterprise at significant risk of a credential stuffing attack,” Phil Richards, chief security officer at Ivanti, says in a formal statement.
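What a credential stuffing burst looks like in an authentication log, and one way to flag it, as an added example (this code is not from the original article, from the FBI notice, or from any vendor quoted here). The log format and the sample lines are constructed for the illustration; the regular expression is the part to adapt to a real product. The rule is the usual one: one source address trying many distinct usernames in a short window with mostly failures. A success inside such a burst is the most important line in the log, because it means the attacker has already found a reused password.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed log format for this example (real products log differently).
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 10.0.0.5 sprays eight accounts in five seconds and hits
# one; 203.0.113.9 is one user mistyping their own password; 198.51.100.7 is a
# normal login; the last line is junk the parser must skip.
SAMPLE_LOG = """\
2024-05-01T09:00:01 auth failure user=alice ip=10.0.0.5
2024-05-01T09:00:02 auth failure user=bob ip=10.0.0.5
2024-05-01T09:00:02 auth failure user=carol ip=10.0.0.5
2024-05-01T09:00:03 auth success user=dave ip=10.0.0.5
2024-05-01T09:00:03 auth failure user=erin ip=10.0.0.5
2024-05-01T09:00:04 auth failure user=frank ip=10.0.0.5
2024-05-01T09:00:05 auth failure user=grace ip=10.0.0.5
2024-05-01T09:00:05 auth failure user=heidi ip=10.0.0.5
2024-05-01T09:01:10 auth failure user=ivan ip=203.0.113.9
2024-05-01T09:01:25 auth failure user=ivan ip=203.0.113.9
2024-05-01T09:01:40 auth success user=ivan ip=203.0.113.9
2024-05-01T09:02:00 auth success user=judy ip=198.51.100.7
not a log line at all
"""


def parse_log(text: str) -> List[dict]:
    """Turn matching lines into events; lines that do not fit are dropped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def detect_credential_stuffing(
    events: List[dict],
    window: timedelta = timedelta(minutes=5),
    min_distinct_users: int = 5,
    min_failure_ratio: float = 0.7,
) -> Dict[str, dict]:
    """Per source IP, slide a time window over its attempts and alert when the
    window holds many distinct usernames and mostly failures. Returns, per
    flagged IP, the largest window seen and the accounts that succeeded in it."""
    by_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        recent: deque = deque()
        for ev in evs:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            users = {e["user"] for e in recent}
            failures = sum(1 for e in recent if e["result"] == "failure")
            if len(users) >= min_distinct_users and failures / len(recent) >= min_failure_ratio:
                summary = {
                    "attempts": len(recent),
                    "distinct_users": len(users),
                    "failures": failures,
                    # successes inside the burst: these passwords were reused somewhere
                    "compromised": sorted({e["user"] for e in recent if e["result"] == "success"}),
                }
                prev = alerts.get(ip)
                if prev is None or summary["attempts"] > prev["attempts"]:
                    alerts[ip] = summary
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

Only 10.0.0.5 trips the rule; Ivan’s three tries on a single account are a brute-force or fat-finger pattern and need a different rule with a different response. The `compromised` list is what turns the alert into action: reset those accounts and revoke their sessions, not just block the address.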

How Do You Stop a Problem Like Password Recycling?

In a perfect world, no one would recycle their passwords. Everyone would use a strong and unique password for everything. They’d also use password managers or some personal system to make sure they’ll never forget those dozens of passwords. Lastly, they’d change any password promptly once there is reason to think it has been exposed; current guidance such as NIST SP 800-63B favors that over rotation on a fixed schedule, which tends to push people toward predictable variations of the same password.

We do not live in a perfect world, however. The threats surrounding password reuse will continue. IT and security decision-makers need to step in to address the problem.

Boosting Business Password Management: Go Passwordless

One option is to remove the need for passwords entirely. Passwordless options use a hardware token, or another method such as a smartphone or biometrics already tied to the user, to prove who they are. This lessens the risk of credential stuffing because there is no reusable shared secret for a user to type into a consumer site, for that site to leak, or for an attacker to replay.

Multifactor Authentication

A second option is increasing the steps required for authentication.

“Passwords can be augmented with multifactor authentication (MFA),” says Krassowski, who also warns that threat actors have improved in cracking MFA codes. “MFA provides a layered defense against attackers getting into a computing device, database or network by using two or more unique factors to verify your identity.”

Zero Trust

Ivanti’s Richards advocates for a zero trust model.

“Companies across all industries must implement a zero trust model to ensure that entities accessing corporate information, applications or networks are valid and not using stolen credentials,” he says in a statement.

With zero trust, the risk from compromised usernames and passwords decreases because every access request is verified on its own merits, taking the user, the device and the context into account, rather than trusting whoever holds a password and an already-established session.

“In addition,” according to the report, “as remote work persists and devices continue to proliferate, zero trust security can make it much easier to enforce acceptable use policies, including the use of multifactor authentication, device protections and secure network connectivity.”

The Human Element of Business Password Management

But until companies put systems in place that improve security through strong password or other credential management, they should make sure to educate their employees.

“Password hygiene should always be part of employee training and cyber awareness training,” says Carson. “Organizations must help employees move passwords into the background so they do not have to choose or remember passwords.”

Whatever their choice, organizations need to address the risks of reusing business passwords for personal use. By reducing the threat of poor business password management, you begin to reduce one of the most common causes of many security incidents and data breaches.
