Credential stuffing: People reuse passwords all the time. Shocker, I know.
Credential stuffing: People reuse passwords all the time. Shocker, I know.

What is perhaps more surprising though is how many realise what a problem this is, and are either powerless to stop it or allow it despite knowing better. 

In BeyondTrust's Annual Privileged Access Management survey, conducted between May and June 2017, 474 IT professionals told us that nearly half of them, 49 percent, reuse passwords across multiple systems. 

Our respondents weren't ignorant to the threats of such behaviour. Nearly three quarters, 73 percent, called the practice a considerable threat, along with password sharing and using default or weak passwords.  Nor were their fears merely academic. A fifth, 20 percent, said that password reuse caused frequent security issues, as did 22 percent of respondents when talking about password sharing.

It's an exhausting problem for security professionals, not just because everyone does it, nor because they know they shouldn't but because it continues to form one of the larger gaping holes in networks everywhere. Password reuse has been the cause, or ill-gotten gain, of headline grabbing, business destroying breaches for as far back as one might care to remember.

Perhaps the best known example might be Dropbox's 2012 breach, which resulted in the theft of credentials for more than 60 million accounts. Dropbox initially blamed the theft of a password, but in 2016, it was revealed that the culprit password had been stolen from the LinkedIn breach earlier that year. One careless employee had reused the same password for their LinkedIn as they had for their corporate Dropbox account.

Sony fell victim to the same problem in 2011 as did Yahoo in 2012 and JP Morgan in 2014. Looking ahead, many more organisations may well yet befall the same fate. A survey from earlier this year, reported that 87 percent of millennials reuse passwords across multiple accounts and 29 percent have shared passwords with two or more people.

The proliferation of this kind of behaviour has meant that no one breach can be taken on its own, but potentially part of a domino chain that leads to others. This applies to your organisation too - was your CEO's personal info stolen in a mega breach? Then it might follow him or her all the way back to the workplace.

Credential stuffing, in which an adversary uses stolen account credentials from one source and then sees if they work anywhere else through often automated login requests, now gives cyber-criminals great resources to draw on. One study reported that 3.3 billion credentials were stolen in 2016 and attributed as much as 90 percent of login traffic on some web applications to credential stuffing attacks.

As with so many things in enterprise security, educating your colleagues will be your first line of defence. This applies not just to the rank and file of your organisation, but to your senior executives too, who often hold critical information or may be targeted for Whaling attacks.

To be fair to them, an average person has to deal with dozens of private and corporate accounts, and having them remember a unique password for each, is a big ask. Password reuse may be inevitability but your colleagues still need to know why it's a problem, to know what a secure password looks like and be given strategies to deal with the panoply of passwords. For example, passwords can be remembered merely by writing them down in a securely stored password book.

Organisations can also opt in to technical controls like password managers, which largely take the scope for human error out of the picture. As per the August advice of the National Cyber-Crime Centre, such technical controls can not only herd users towards selecting stronger passwords but actually defend against automated password guessing attacks.

Though security oversights like this are not to be ignored, not least for the great damage they can do to an organisation, we may not have to deal with them that much longer. The much vaunted ‘death of the password' gets pushed ever closer into view with the rise of multi-factor solutions, which require more than a mere alphanumeric sequence to authenticate identity. Google and Apple have both adopted multi-factor approaches into their products and services. Until its bell tolls however, we will all have to make sure that our user's passwords are secure, private and unique.

Author: Brian Chappell, Senior Director, Enterprise & Solution Architecture, BeyondTrust.


*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.