Treating Password Reuse Disease In Three Steps

The way you manage passwords inside your organization will shape whether you’re highly secure or fall victim to constant attacks. A key part of your vulnerability is password reuse disease. This condition affects companies large and small. If you suffer from it, all your systems and vital data may be subject to attack. To combat the disease, let’s first define the condition and its causes.

What’s Password Reuse Disease?

Whenever an employee uses one password more than once, you have the illness. Like any illness, some people have the condition worse than others do. The worst form of the disease is reusing passwords from personal, non-work accounts at the office. Enterprising hackers are skilled at exploiting this particular strain of the disease to good effect.

Here’s just one example of how password reuse hurt Dropbox, a popular file storage company, in 2016. As reported by TechCrunch, a technology news website, password reuse reared its ugly head in the following way:

“Hackers used an employee’s password, re-used from the LinkedIn breach, to access Dropbox’s corporate network and steal the user credentials, sources said. So, the fault doesn’t 100% rest on Dropbox, though it’s still a breakdown of security standards within the company and emphasizes the perils of password reuse that can extend into a corporate environment. Dropbox has taken steps to ensure that its employees don’t reuse passwords on their corporate accounts.”

This disease is challenging to stop because key variables are outside of your control. You cannot control whether there’s a LinkedIn breach. You can raise awareness with your employees about the dangers of password reuse, however. Before you write off password reuse disease as being limited to Dropbox, take note of the following findings from the Pew Research Center about American password behavior:

  •   39% say that they use the same (or very similar) passwords for many of their online accounts.
  •   25% admit that they often use passwords that are less secure than they’d like because simpler passwords are easier to remember than more complex ones.

Based on the above data, it appears that password reuse likely impacts millions of users. It deserves a place on your priority list. Before we attempt to solve the problem, we need to understand what’s driving the condition.

What Are the Primary Causes of Password Reuse?

You need to know about two primary causes of password reuse disease. First, many people are overwhelmed by the sheer volume of passwords they have to manage. As a consequence, it’s only natural that your employees take shortcuts to make their lives easier by using the same password repeatedly. If you could cut 10 minutes from your daily commute, would you take the option? The same instinct is at play in password reuse behavior. If you want to cure password reuse disease, you have to recognize that most people seek efficiencies and minimize effort wherever they can.

The second cause of password reuse disease lies in the rules, regulations, and systems that companies impose on their employees. For instance, you may have a decentralized approach to password management, meaning each division sets its own rules for passwords. As a result, employees continuously have to keep up with different, and often conflicting, requirements. Furthermore, if your organization has yet to suffer a hacking incident, employees may not recognize the threat represented by weak passwords.

The Three-phase Plan to Treat the Condition

Curing password reuse disease may be your goal, but it may not be achievable. After all, you cannot control whether employees are disciplined about following good password rules outside of work. Despite that reality, there are a few moves you can take to treat password reuse disease and reduce your risk of exposure.

  1. Revisit your password management policy and supporting policies

Prevention is the best way to avoid falling victim to password reuse disease. For the best results, we recommend an enterprise password management policy to reduce inconsistencies. The policy will state how passwords protect the organization, and offer guidance on how to use passwords. If you already have a password policy in place, make sure it directly addresses the password reuse problem.

Resource: Curious to see what a password management policy looks like “in the wild”? Read Wright State University’s Password Management Policy. Note that the university requires password resets and provides users an option to use multi-factor authentication.
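One way to make a policy "directly address" reuse is to enforce it at the moment a password is changed. The following is an added example, not Avatier's or the university's code: it rejects a candidate password that appears in a constructed sample of known-breached password hashes, that matches one of the user's recent passwords, or that is only trivially different from one (the "very similar" reuse the Pew finding describes). Only salted hashes are stored; the similarity heuristic and the SHA-1 breach-list format are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample of a known-breached password set, kept as SHA-1 hex digests
# (assumption: the distribution format used by public breach corpora).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("linkedin2012", "Password123", "qwerty")
}
ITERATIONS = 100_000  # PBKDF2 work factor; tune to your hardware


def normalize(password: str) -> str:
    """Similarity class: case-folded with trailing digits/symbols stripped, so
    'Summer2023!' and 'summer2024' compare equal (a deliberately crude heuristic)."""
    return password.casefold().rstrip("0123456789!@#$%^&*.")


def hash_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes, bytes]:
    """Return (salt, exact_digest, normalized_digest) using salted PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    exact = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    similar = hashlib.pbkdf2_hmac("sha256", normalize(password).encode(), salt, ITERATIONS)
    return salt, exact, similar


def check_new_password(candidate: str, history: List[Tuple[bytes, bytes, bytes]],
                       depth: int = 5) -> str:
    """Return 'ok' or the reason the policy rejects the candidate."""
    # Breach-list lookup is done on a hash, so no plaintext list is kept around.
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        return "rejected: appears in known breach data"
    # Re-derive the candidate with each stored salt and compare in constant time.
    for salt, exact, similar in history[-depth:]:
        _, cand_exact, cand_similar = hash_record(candidate, salt)
        if hmac.compare_digest(cand_exact, exact):
            return "rejected: reuses a previous password"
        if hmac.compare_digest(cand_similar, similar):
            return "rejected: too similar to a previous password"
    return "ok"


if __name__ == "__main__":
    history = [hash_record("Summer2023!")]
    print(check_new_password("summer2024", history))
    print(check_new_password("linkedin2012", history))
    print(check_new_password("correct horse battery staple", history))
```

The history list would normally hold the last few records from your identity store; the depth parameter is the "remember N previous passwords" setting most policies express in words.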

  2. Improve your employees’ password management training program

There’s an old saying in cybersecurity: If you can’t hack a system, you need to hack a person instead. When employees reuse passwords because they don’t know any better, the organization’s assets are put at risk. To help your organization improve, read our article: How to Deliver Password Management Training to Your Employees This Week. Encourage questions and discussion on password best practices and what to avoid (e.g., using dictionary words in passwords).

Password management training only works when it is supported by a holistic training approach. For example, do you have measures in place to address “social engineering” attacks? These are situations where hackers and impostors claim to be an executive, a security consultant, or a maintenance contractor. Once such people obtain access through those means, it’s difficult to stop them. You can limit the damage to your organization by reducing their access automatically. How? We cover that next.

  3. Reduce password security breaches by adopting password management systems

Asking every manager to review access and passwords manually is a tall order. Yet, you know that a systematic process is necessary to keep passwords tightly controlled. For the best results, use two of Avatier’s solutions. First, reduce the number of passwords your employees must juggle by using Single Sign-On. Next, make sure that password administration follows the policy and is audited.

You might be asking yourself: How do I know if SSO (single sign-on) is right for my organization? That’s a good question. To guide you through that challenge, read How to Find Out if SSO Software Is Worth It for Your Company.

Written by Nelson Cicchitto