According to the 2021 Verizon Data Breach Investigations Report (DBIR), 61% of the breaches studied involved compromised credentials [1]. Organizations typically rely on a combination of automated and manual security controls to protect data from attack, but reusing the same username and password across systems largely defeats those controls: one leaked credential pair becomes a valid login everywhere it was reused. With threats evolving constantly, robust password protection is more critical than ever.
Despite an abundance of information on the risks of password reuse, a considerable number of users still recycle the same passwords. Slightly altered passwords fare little better, because the patterns people use to modify them (capitalising the first letter, appending or incrementing a number, swapping letters for look-alike digits or symbols) are remarkably consistent. In a 2018 study, researchers built an algorithm that cracked a large share of passwords, including 30% of the modified ones, within just 10 guesses. A password that is a predictable tweak of a leaked one therefore offers almost no protection and undermines the security controls of the entire organization.
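As an added example, not code from the original article or from the cited study, the following Python check rejects a new password that is a predictable tweak of the old one. It is a simple rule-based filter for use at password-change time (when the user proves the old password, so both values are available in clear); the substitution table and the stripping rules are assumptions that cover the most common modification patterns, not the researchers' model.

```python
import re

# Leet-style substitutions users commonly apply when "changing" a password.
# Assumed, illustrative table; not the cracking model from the cited study.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def canonical(pw: str) -> str:
    """Reduce a password to its 'stem' by undoing the most common tweaks:
    leading digits, a trailing run of digits/symbols (2021 -> 2022, '!' -> '!!'),
    capitalisation, and leet substitutions."""
    s = re.sub(r"^\d+", "", pw)          # strip leading digits
    s = re.sub(r"[\d\W_]+$", "", s)      # strip trailing digits and symbols
    return s.lower().translate(LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when `new` is a predictable modification of `old`: same stem,
    reversed stem, or one stem contained in the other (minimum 4 characters so
    tiny fragments do not match). All-digit passwords have an empty stem and
    are left to other policy checks; they return False here."""
    a, b = canonical(old), canonical(new)
    if not a or not b:
        return False
    if a == b or a == b[::-1]:
        return True
    shorter, longer = sorted((a, b), key=len)
    return len(shorter) >= 4 and shorter in longer


if __name__ == "__main__":
    # Constructed sample pairs: three predictable tweaks and one genuine change.
    for old, new in [("Summer2021!", "Summer2022!"), ("P@ssw0rd", "password1"),
                     ("Summer2021", "remmus21"), ("Summer2021", "correct-horse-battery")]:
        print(f"{old!r} -> {new!r}: reject={is_trivial_variant(old, new)}")
```

The check is deliberately conservative: it catches the year bump, the leet respelling and the reversal, but it is not a substitute for checking new passwords against known-breached lists or for a password manager that removes the need to invent variants at all.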
Risk Mitigation Solutions
According to a report from LastPass, the average business employee has to keep track of 191 passwords across their workplace. Memorizing that many credentials is unrealistic, so users fall back on reusing passwords across accounts, and a single leaked password can then compromise an entire organization. Reliable technical solutions are needed to address this, and they must account for human limitations: deliberate shortcuts as well as honest mistakes. A variety of tools are available to help organizations secure their digital assets.
Single Sign-On (SSO)
SSO is an authentication scheme that allows a user to log in with a single ID and password to several related, yet independent, systems or applications. This has several benefits:
- increased productivity, especially where an SSO portal is used.
- fewer credentials to remember, which reduces risk by removing the incentive for bad password habits.
- fewer password resets, which reduces user frustration and help desk costs.
Password Managers
A survey by LogMeIn found that while 91% of users claim to understand the risks of password reuse, 59% admit to doing so anyway. This illustrates the importance of strong password management solutions. A password manager is a safe and convenient way to manage passwords for multiple accounts and applications. It generates complex, unique passwords and stores them, encrypted, in a local or cloud-based vault that is unlocked with a single master password. This centralizes all passwords and removes the need to memorize different values or reuse them. To get the most out of the tool, use the long, random passwords the manager generates rather than choosing your own. For additional security, a good password manager should support two-factor authentication on the account. Note what this does and does not protect: it stops the vault being opened through the service with the master password alone, but if an attacker obtains a copy of the encrypted vault file, only the strength of the master password (and the manager's key-derivation settings) stands between them and an offline guessing attack. Choose a long master passphrase accordingly.
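As an added example, not code from the original article or from any particular password manager, the following Python generator shows how a manager produces the "long, random passwords" the section recommends and how to quantify their strength. The character classes and the policy that every class must appear are assumptions; the important design point is that it draws from the operating-system CSPRNG via `secrets` and keeps the distribution uniform by rejection sampling rather than the common "pick one from each class, then shuffle" approach, which biases the result.

```python
import math
import secrets
import string

# Assumed policy: the password must contain at least one character from each class.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_",
}
ALPHABET = "".join(CLASSES.values())  # 75 characters


def has_all_classes(pw: str) -> bool:
    """True if every character class in CLASSES occurs at least once in pw."""
    return all(any(c in cls for c in pw) for cls in CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET that satisfies the class policy.
    Each candidate is drawn uniformly from the CSPRNG and rejected if it misses
    a class, so every qualifying string is equally likely."""
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """log2 of the number of possible strings: the work an attacker faces when
    guessing. The class policy excludes a small fraction of strings, which
    costs a fraction of a bit at the lengths used here."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"({entropy_bits(20):.1f} bits)")
```

At 20 characters over a 75-symbol alphabet the result carries about 124.6 bits, far beyond anything a human-chosen password provides; by comparison, a predictable tweak of a leaked password is cracked in a handful of guesses.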
Multi-Factor Authentication (MFA)
MFA is an authentication method that requires users to present two or more distinct credentials before access to a digital resource is granted. These credentials, or verification factors, fall into three categories: knowledge (password, PIN), possession (smart card, hardware token, registered mobile device) and inherence (fingerprint, face or voice recognition). Two factors from the same category, such as a password plus a PIN, do not count as MFA. The most widely deployed second factor is the One-Time Password (OTP): a short numeric code (commonly 6 digits; 4 to 8 in practice) derived from a secret shared between the user's device and the server together with either a counter (HOTP) or the current time (TOTP), and valid for a single authentication. A stolen or reused password alone no longer grants access. OTPs remain vulnerable to real-time phishing, however, where an attacker relays the code to the real site before it expires; that is the gap the FIDO U2F devices described below close.
Consider FIDO U2F Devices for 2FA
The FIDO Universal 2nd Factor (U2F) protocol offers a strong alternative to OTP-style 2FA. The username and password remain the first factor; the second is a U2F device connected over USB or NFC (Near Field Communication). The user taps the registered device or presses its button to approve the login. Unlike an OTP, the device never reveals a code that a user could be tricked into typing into a fake site: it signs a challenge from the server together with the origin (application ID) reported by the browser, using a key pair created for that origin at registration, so a phishing site on another domain cannot obtain a valid response. This 'keychain' device model provides strong security and privacy (each site gets its own key pair, so services cannot correlate a user across sites), coupled with ease of use and low cost.
Caveats of Biometrics for 2FA
Biometrics carry limitations that rule them out as a standalone factor in many environments. The constraints below track NIST SP 800-63B. The biometric system must operate at a False Match Rate (FMR) of 1 in 1000 or better. It must cap consecutive failed authentication attempts (NIST allows no more than 5, or 10 where presentation attack detection is implemented) and should define what happens when the cap is reached. The sensor must be integrated with the endpoint in a way that prevents tampering or substitution. Most importantly, a biometric is not a secret (faces, voices and fingerprints can be captured or copied), and a remote verifier usually cannot tell how, or whether, the device was unlocked. Biometrics should therefore be used only in combination with a physical authenticator, never as the sole second factor.
Security Awareness Training
Training end-users to create and handle strong passwords is an essential component of any cybersecurity program, and one of the most cost-effective ways to protect an organization's network and data. Many attacks, phishing and malware among them, rely on a user's negligence or lack of knowledge to reach confidential data. Practices like password reuse, writing passwords down and storing them in easily accessible places, and sharing passwords with coworkers sharply increase the odds of a breach. Educating employees on password best practices reduces security costs in the long term.
Implementing effective password risk mitigation solutions is an important step in improving the security posture of your organization. Contact us today to get started.
References
[1] Verizon, 2021 Data Breach Investigations Report. https://enterprise.verizon.com/resources/reports/2021/2021-data-breach-investigations-report.pdf