Tackling password reuse: how to build a stronger first line of defence for enterprise IT

Opinion by Emmanuel Schalit

The bottom line is that, for all the predictions of their demise, passwords are still with us -- so let's make them easy to use and manage, automatically generating strong and unique credentials for each account.

The dark web is awash with billions of stolen passwords. This is bad news for consumers, with identity fraud hitting new highs in the UK this year. But increasingly it also represents a major corporate security risk.

Why? Because consumers are also employees. Remembering unique, long-and-strong passwords is nigh on impossible, so credential reuse is commonplace — across personal and corporate accounts. That’s a recipe for disaster as the roll-call of breach victims continues to feed the cyber-crime economy with log-ins to try.

Yet despite the obvious threats, passwords show no signs of being usurped any time soon. The bottom line is, we need a better way to manage them more securely — as both employees and consumers.

A vicious circle

Passwords are often described as the cyber-security Achilles' heel of modern organisations, and with good reason. With access to a privileged account, hackers could find their way to highly sensitive and lucrative troves of customer data and/or corporate IP. Big-name brands including Uber and US retailer Target are well aware of the dangers of password-based access systems, having been breached to the tune of 57 million and 110 million records respectively after hackers obtained the veritable "keys to the kingdom": passwords granting them crucial network/system access.

The vicious circle continues, however, when corporate breaches like these result in customer passwords entering the dark web-driven underground economy. Huge numbers of user credentials have found their way onto cyber-crime sites after recent breaches at companies like MyHeritage (92 million) and MyFitnessPal (150 million).

Many of these will be reused by customers for their work accounts. In fact, an analysis of a massive 1.4 billion credentials discovered on the dark web last year revealed many government, police and military email addresses, and even a smattering belonging to people working for intelligence agencies. Separate research in January found that over one million corporate email addresses linked to the UK’s top law firms, 80 percent of which had associated passwords, were up for sale on the dark web.

Sometimes these passwords are stored in plain text, making the bad guys’ job even easier. If not, they can be easily cracked and then tried en masse by cyber-criminals armed with widely available automated tools. Thus, the vicious circle is complete. Corporates are breached, resulting in huge troves of customer passwords flooding the dark web. These can then be picked up and used not only to carry out mass identity fraud against those users but also to target their work accounts as part of another mass info-stealing attack.

The potential financial and reputational implications should be pretty clear to IT security leaders by now. IBM claims data breaches cost the average global organisation £3 million today, although these costs can certainly rise much higher in some cases, and the threat of massive GDPR fines will be a constant going forward.

Time to get proactive

Passwords represent the key to consumers’ digital lives, but can also unlock the cyber-front door to corporate data stores. Unfortunately, organisations, like consumers, are fallible: they tend to invest in security once something bad has already happened. We need to change this mindset to get more proactive about security. The bottom line is that, for all the predictions of their demise, passwords are still with us — so let’s find a more secure way of managing them.

According to Dashlane research, the average US user has an astonishing 150 online accounts requiring a password. I’d imagine the number is not dissimilar for UK netizens. Yet best practice requires strong, complex and unique passwords to maximise security — clearly not practical for this many accounts. Even if you have a ‘system’ to vary your passwords, for example by changing a number each time, automated cracking tools can usually see through such patterns.

The only way to effectively mitigate risk is by eliminating password reuse completely, using strong credentials and updating them immediately if they do get breached. This will involve a certain amount of employee education from IT teams. But it also requires an investment in tools designed for secure, effective password management.

The best solutions will be easy to use and manage, automatically generating strong and unique credentials for each account so the user doesn’t have to remember them. They may also have advanced features such as: syncing across multiple platforms for anywhere, anytime access; secure sharing of credentials with a user’s "inner circle"; and possibly even two-factor authentication to eliminate the need for passwords altogether.
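To make the two ideas above concrete, the following is an added example (not code from the article or from Dashlane) of what a password-management tool does at its core: it audits a set of stored credentials for reuse, treating the "change a number each time" habit as reuse rather than as a unique password, and replaces every offending entry with a credential generated from the operating system's CSPRNG. The account names and passwords in `SAMPLE_VAULT` are constructed for the demonstration, and the helper names (`canonical`, `find_reuse`, `generate_password`, `remediate`) are this example's own.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample vault (account -> password) for the demonstration.
# Three of the four entries are the same password with the year changed,
# which is exactly the "vary one number" habit the text warns about.
SAMPLE_VAULT = {
    "mail.example.com": "Summer2018!",
    "crm.example.com": "Summer2019!",
    "hr.example.com": "Summer2018!",
    "git.example.com": "qP7#vL2m!xR9$wE4kZ1n",
}

# Character set for generated credentials: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def canonical(password):
    """Collapse trivial variations so that Summer2018! and summer2019!
    map to the same key: lowercase the string and strip every digit."""
    return re.sub(r"\d+", "", password.lower())


def find_reuse(vault):
    """Return the groups of accounts whose passwords are identical or differ
    only by digits or letter case. Each group is a sorted list of accounts;
    the list of groups is itself sorted so the result is deterministic."""
    groups = defaultdict(list)
    for account, password in vault.items():
        groups[canonical(password)].append(account)
    return sorted(sorted(accounts) for accounts in groups.values()
                  if len(accounts) > 1)


def generate_password(length=20):
    """Generate a random password using the secrets module (a CSPRNG), and
    resample until it contains at least one lowercase letter, one uppercase
    letter, one digit and one punctuation character."""
    if length < 4:
        raise ValueError("length must be at least 4 to hold all classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def remediate(vault, length=20):
    """Return a copy of the vault in which every account that shared a
    password (exactly, or up to digits and case) receives a fresh, unique,
    generated credential. Accounts that were already unique are untouched."""
    new_vault = dict(vault)
    for group in find_reuse(vault):
        for account in group:
            new_vault[account] = generate_password(length)
    return new_vault


if __name__ == "__main__":
    for group in find_reuse(SAMPLE_VAULT):
        print("shared password across:", ", ".join(group))
    fixed = remediate(SAMPLE_VAULT)
    print("groups remaining after remediation:", len(find_reuse(fixed)))
```

The audit deliberately normalises away digits and case before comparing, so an organisation running it over a credential export catches the near-duplicates that a plain equality check would miss. The generator draws from `secrets` rather than `random`, since the latter is not suitable for security-sensitive values.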

By the year 2022, we predict that the average user will have to manage 300 online accounts for work and personal use. It’s time organisations got smarter about password security and turned their employees into a formidable first line of defence. Without it, their customers, and countless other organisations, may be at risk.

Contributed by Emmanuel Schalit, CEO, Dashlane.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media
