Who out there has been guilty of reusing a password? We’re all guilty of it! Results from a recent Google survey discovered that at least 65% of people reuse passwords on multiple sites, sometimes even all sites. Whilst this may provide convenience and ease of use to access the everyday applications you use; you’re putting yourself and your sensitive data at risk.
Have I Been Compromised?
Crafty attackers utilise tools to find passwords in previous account breaches and can then go on to compromise any number of accounts that you own with that same password. This tactic is known as credential stuffing. This essentially means that if you use the same password for Facebook and your online banking, it may result in a tarnished image and an empty bank account if a threat actor gets ahold of your password. You can check your email accounts against HaveIBeenPwned to verify if your email address(s) have been involved in any known breaches. You can go one step further to see if your password has been used before and even integrate it into your user registration pages via HaveIBeenPwnedPasswords.
Password Manager
This is your safe to all your passwords. It’s much more secure than your sticky notes that contain passwords stuck to your monitor! Best practice would be to take an inventory of all the web applications you log into and change the password on each site. Password managers can generate complicated passwords, and you don’t need to remember them, because that’s the password manager’s job. Bitwarden or 1Password are good options to solve this. At this time of writing, Bitwarden is open source and free for public use.
Multi-Factor Authentication
Alongside a password manager, you’ll also want to enable multifactor authentication (Also known as 2 Factor authentication or 2FA) on all sites and applications that have the capabilities to do so. Enabling 2FA will provide an extra step to prove you are who you say you are. The primary method is something you know (Your password), and the 2nd factor is something you have. This will generally be a mobile device or a physical token.
You’ll need an authenticator app in order to properly use MFA. You can download and install Google Authenticator which is commonly used from your mobile device’s app store. Additionally, some password managers will allow the use of MFA tokens and one time codes so that you can authenticate your web application in one go.
Organisational Impact
Your users are your biggest asset, but also the weakest link in the chain. It only takes one user that has had their credentials compromised by an attacker to cause severe damage to your businesses reputation. Depending on the security measures in place, once the attacker retrieves those credentials, they may be able to perform anything that that user has access to do. Threat actors are becoming more resourceful than ever before, so think twice before implementing the same password for another web application.
Finally, it’s imperative that all organisations have multifactor authentication enabled for:
- VPN connections
- Remote Desktop connectivity applications
- Office365
- Outlook desktop
These measures will help further secure your users and business from malicious attackers.
