Risk of re-use: Password Security

This week is an ideal time to provide some insight and context for those who re-use the same password across multiple websites and services. We’ve touched on this topic previously, but a more thorough explanation may help you re-evaluate your existing password security.

The risk with re-using passwords isn’t limited to the strength of the password itself, or how you protect it, but instead the services you use these across. To demonstrate this, we will create a simple scenario.

Frank uses a range of online services, but registers to these with a small selection of passwords, the most common of which is “Lanj3981mbd!”, which he uses to protect his email account too. While this password is strong in practice, Frank is relying on the security of the services he uses to safeguard this.

Unfortunately, a small business Frank registers to for weekly digests has suffered a data breach, and Frank’s credentials were leaked during this. Shortly after, Frank begins noticing suspicious activity on his email account. An attacker used the leaked credentials to gain access to his email account, and begins to reset passwords for other services, even those that did not share the same credentials to login.

This process can take a long time to untie, and the repercussions are persistent. From continually resetting passwords, to locking Frank out of his accounts, it becomes increasingly difficult to keep on top of which accounts have been targeted.

This scenario stems from password security reuse, which all link to the email account used by the victim. To protect yourself, our primary recommendation is to use a password manager if possible, allowing you to use unique passwords without remembering them. Secondly, enable Two-Factor Authentication on every account that offers this functionality. Without this, attackers can’t access your account even with your password.