Passwords have been used from time immemorial to gain access or identify people. In the modern world they define how digital resources are used and accessed.
A password will allow you to log into a website, to enter a building or to access a company network. The underlying factor is your ability to remember your username and the password assigned to you.
When creating a username and associated password, the rule of thumb is that you need to choose something that is only known to you and is easy to remember. It is mere common sense that if you chose a password that you won’t be able to remember, you will be denied access to the web resource or locked out of the building.
Since every time you need access, the login credentials must be supplied, the “easy to remember” part leads you to choose a simple, short and easy to guess password.
The Danger With Simple, Short and Easy to Remember Passwords
When a password is short and simple such as “123456” or “abcde,” it becomes a tradeoff between convenience and security. This makes it simple for someone to guess your password and gain easy entry into your account. A password-cracking software will also take a short while to find the combination of your password.
Easy to remember passwords could be dates of birth, pet names, your hometown, parent’s names, nicknames and many others which can be found when people look up your profile online.
Why Do People Reuse Passwords?
Password reuse is the habit of having the same password(s) for multiple accounts which may be domiciled on different websites.
The widespread use of the internet and the myriad of devices in our hands – smartphones, tablets, PCs, routers, servers and many others, demand controlled access to certain resources to protect them from misuse, theft or outright malice.
To maintain the security of these resources, passwords are an integral part of securing them and controlling access.
The growth of these digital resources means that the points of entry have increased with each unique resource and with it the number of passwords. While the initial challenge was to come up with a password that is simple and easy to remember, the need to login into different resources has brought a need to have different passwords for each one.
Well, if all the passwords are simple, creating dozens of them and being able to remember all of them is another challenge. So what is the easiest way to ensure the password for each resource can be remembered? For most people it is simply to reuse the same, simple password on multiple sites.
How Many People Reuse Passwords?
According to a survey by Keeper, 87% of respondents aged 18-30 and 81% of respondents aged 31 and up said that they reuse their passwords. Although a majority of people appreciate the fact that having a weak password is a risk, even when they change to a complex password they still use it on multiple platforms with a sense of security in the strength of the password.
Another survey conducted by Google in partnership with Harris Poll was more telling. The survey, which sampled 3,000 U.S. adults aged between 16 and 50, was conducted in December, 2018 and shows the beliefs and behaviors of respondents regarding online security.
The results indicate that 52% of respondents reuse the same password for multiple (but not all) accounts while 13% reuse the same password on all their accounts. These numbers speak loudly at the prevalence of reusing passwords across platforms.
In yet another survey from the Department of Computer Science at Virginia Tech titled “The Next Domino To Fall: Empirical Analysis of User Passwords across Online Services,” it was found that 52% of the respondents reuse or modify passwords regularly. This was established to be common across different populations.
What is clear from these research findings is that password reuse is rampant among users of online services.
This is quite alarming considering the risks involved in this kind of behavior as we shall see below.
What Is The Risk Of Reusing Passwords?
Using the same password across multiple sites is rife with a lot of risk. When a password is stolen, it can be used to steal your identity, confidential data, money or to maliciously corrupt data. A hacker could also deny you access by demanding ransom.
If you tend to modify your password just slightly, then you become so predictable that the hacker will have little difficulty cracking your credentials.
Risk 1: Credential stuffing
When a breach exposes your login credentials, an attacker can use the leaked or stolen details to break into another account that uses the same information.
In some cases, when credentials are exposed and they were not stored in a secure version (advanced salted-hash functions), it doesn’t matter if you are using a passphrase or complex password, reusing the same one on multiple platforms puts you at greater risk of compromising several accounts.
Credential stuffing is a threat that is a direct result of password reuse. We have seen from the survey mentioned above that a lot of people reuse the same username and password across multiple sites.
When attackers steal or come across a credential dump, they quickly launch an attack where they try to “stuff” those credentials into any login page of other services. It may seem like a guessing game but hackers have been able to use one credential to access multiple accounts and cause untold damage.
Passwords need to be changed regularly but since most people seldom do it, some old credential dumps still pay dividends when hackers use them on multiple sites. This is possible since the process is automated. The tools, which are available on the dark web, basically use millions of credential pairs on hundreds of sites to find out which ones work.
The best way to defeat credential stuffing is to keep changing your passwords, make them as unique as possible for each account, and use two-factor authentication whenever it is available.
Risk 2: Brute force attacks
Brute force attacks involve repetitive attempts to break into a site by trying different password combinations until one succeeds. This attack tries various combinations of usernames and passwords, again and again, by utilizing permutations.
Most websites require users to create passwords that are not less than eight characters long. They are also required to make combinations of letters, symbols and numbers. To be able to crack an eight-character password that is case-sensitive, one may need to make millions of combinations and try each one individually. This would take forever.
Hackers have devised clever methods of using computer bots to generate millions of password combinations and bombard websites until they gain entry. This is why it is called brute force entry.
How to deal with brute force attacks
Increase your password Length
As mentioned above most websites require a minimum of eight characters for passwords. You can make your password longer to curtail the success of brute force attacks.
Make your password complex
Your password may be long but easy to remember like “Iloveyou123456789.” This makes it easy for someone to guess and gain access to your account. It is important to combine letters, numbers and symbols or special characters in complex combinations to create your passwords.
Include uppercase and lowercase letters to create a password that is difficult to crack. This may work to your advantage by making the cracking process complicated and long.
Use Two-factor Authentication
Two-factor authentication works by adding another step in the login process after inputting the password. This adds another layer of security requiring a code or token that makes brute force attacks unlikely to succeed.
Change your passwords frequently
Changing your passwords on a regular basis is a good practice that may prevent you from falling victim to some of these random attacks.
Avoid sharing your credentials
Do not share your credentials with other people. If it is necessary, then only share through secure channels.
Risk 3: Password spraying
As we have mentioned, creating complex passwords is no guarantee that attackers won’t gain access to your accounts. The strong passwords are harder to break for attackers yet difficult to remember, which leads many users to resort to simple, easy to remember passwords and reusing them on multiple accounts.
Hackers on the other hand have devised methods that take advantage of the most commonly used passwords.
Password spraying is an attack where a common password is used to brute force a large numbers of accounts. For example easy to guess passwords such as “summer2019” or “passwordabc” are probably being used by a good number of people. The attacker will therefore try to gain access by testing out a few of commonly used passwords on a large number of accounts.
Within such a large sample of users, there’s probability of at least several using a common password. By sheer luck, this method has enabled attackers to gain access to multiple accounts with a lot of ease. It is a preferred method because it allows them to target a large number of accounts without running the risk of getting locked out (most sites implement locking of an account after a certain number of attempts have been made – say five failed login attempts.
Password spraying is usually used to uncover weak passwords rather than being target- specific on users. Yes, it is a game of guessing but it yields results for hackers.
How to deal with Password spraying
Password spraying takes advantage of the widespread use of easy to remember words, letters or passphrases as passwords. The common use of such passwords makes it easy to target multiple accounts at once. The best defense against such attacks is to create complex passwords that are not common.
Risk 4: Phishing attacks
In the Google / Harris poll mentioned above about 60% of users could correctly define phishing. About 40% of respondents were unable to define phishing which puts doubt on their ability to thwart these kind of attacks, although it was also observed that there is a gap of 33% between understanding and action.
Phishing attacks are common as ways malicious people use to obtain your credentials by sending you communication and pretending to be your trusted service provider. Credentials such as credit card details, usernames, dates of birth, nicknames and passwords can be obtained.
The communication is mostly an email or instant message sent to you with instructions to enter your credentials at a fake site which is identical to the legitimate site (could be your email provider, bank, online payment processor, work intranet, social media site, online retailer, etc).
The email or message may for example indicate that your password has expired and you need to create a new one. You may also be told that your credentials were stolen through a suspicious login or that you need to update your information. You will then be provided with a link to a spoofed page to enter your credentials and other private information.
This kind of impersonation can lead to theft of your credentials. If the same credentials have been used across other accounts, the exposure can be tremendous and the damage devastating.
How to avoid phishing attacks
As we have seen these attacks ride on impersonation. To safeguard yourself against such attacks you need to follow a few guidelines.
- Confirm the url of the website you are visiting to ensure it is legitimate by entering the the address manually into your browser, or hover your mouse pointer over the link to see if it’s legitimate.
- Only conduct sensitive activities such as financial transactions on safe urls by ensuring that the address starts with “HTTPS” instead of “HTTP (which is vulnerable to attacks for lacking the “S” for secure).
- Do not open emails from unfamiliar senders.
- Use two-factor authentication where available.
- Use a password manager. This tool only enters your credentials into the legitimate login page as saved in the program. It is difficult to fool the password manager into entering your details on a phishing site.
- Avoid clicking on links within an email unless you are sure where they lead to.
- Check the digital certificate of the website to ensure it is valid and issued by a reputable organization.
- Be alert for emails or messages that contain grammar mistakes and spelling errors – that should be a red flag that something is amiss. Some of them will also use generic salutations and create a sense of urgency like “act now or you will lose your account.”
- Use anti-malware software to protect yourself against phishing. This kind of program sniffs out malicious links or attachments before you click or open them and share your sensitive information with fraudsters.
- Ensure your anti-virus software is activated with automatic updating and any security upgrades are effected.
Technology keeps evolving by the minute and new threats are on the rise. Phishing is no exception with new phishing techniques emerging that you need to look out for.
Risk 5: Use of wifi hotspots
Public wifi hotspots are a convenient way to connect to the internet while on the move. These networks are available in most public spaces such as airports, hotels, coffee shops or even banking halls.
The availability of wifi hotspots has made them popular among users since most of them are free. The sheer number of people connecting to these networks makes them attractive to hackers.
The main risk for users is that most public wifi networks have very weak security protocols and hackers can easily exploit any vulnerabilities and gain access to the network. After gaining entry, they can launch attacks on unsuspecting users.
A hacker in control of the wifi network you are using can easily intercept your communication and steal credentials and other private information.
In some instances hackers can create a fake network that mimics your favorite public hotspot and effectively trick you to connect to it. After you connect to the fake network, which is fully controlled by the hacker, all your communication is intercepted and your data compromised
How to stay safe on wifi networks
Use a VPN
A VPN or virtual private network is a service that allows you to encrypt the data you send and receive on your device to prevent hackers or anyone else from seeing or intercepting the information.
Once installed on your device it changes your IP address and tricks your device and the rest of the internet to believe that it’s in another location. This is done by the Virtual Private Network provider’s servers which replace your device’s initial IP address with a different one that will show you are in any of the gateway cities in the VPN’s network.
Every time you use the VPN service, it changes your IP address and encrypts your data making it difficult for anyone to monitor your activities. This is useful if you are on a public Wi-Fi which is insecure and can expose you to hackers.
Using a VPN service protects you from intrusions which can lead to loss of sensitive data such as passwords, financial information and emails.
You can use a free VPN service such as the one built in the Opera browser. To utilize it click on Settings > Advanced > Privacy and Security > VPN and toggle the “Enable VPN” slider to activate the inbuilt VPN service.
Popular paid VPN services include ExpressVPN, NordVPN, CyberghostVPN, PureVPN, PrivateInternetAccess and many others.
Connect to a trusted, secure wifi network
Only use secure networks that you trust whenever possible. This ensures that your data is safe as it traverses the network. Stick to your private home network or ensure the network you are using is secure.
- You may also avoid public wifi and instead use your mobile data connection. If you are travelling, your mobile phone’s internet connection is more safer that a public wifi network. If you are using a laptop you may tether to your mobile device’s LTE connection by creating a personal hotspot. Remember to secure the personal hotspot with a strong password to make it hard for hackers to crack.
Use a proxy server
You can also make use of proxy servers to prevent theft of your credentials and other sensitive information. These servers work with your web browser to hide your IP address by routing your traffic through other servers run by volunteers around the world.
The proxy server acts as an intermediary for requests from you, effectively doing it on your behalf and enabling you to hide your identity and protect your passwords and other data.
Remedies to Password Reuse
Reusing passwords seems inevitable, according to the survey findings we saw earlier. You can protect yourself if indeed you must re-use your passwords by adding extra security measures. These include:
Two-factor Authentication (2FA)
Two-factor authentication is an additional security layer that can mitigate some of the weaknesses of a password. As we have seen, a typical standard password-only approach has inherent vulnerabilities that need to be addressed.
Since passwords can be breached remotely, two-factor authentication brings in the dimension of physical presence. It supplements the username and password with “something you know (a password), something you are (biometrics such as fingerprints or face) and something you have (cell phone which receives the code).
This is accomplished by the system generating a passcode (which can only be used once) every time you want to log in and delivering it via SMS, email or an app on your phone. This method is deemed quick, cost effective and secure.
The app used to generate a code on your cellphone is called an “authenticator.” After installing the app on your phone you link it to your accounts to enable it generate unique codes for each account. It generates different sets on a need basis and can be used conveniently even when offline.
Common authenticator apps include Google Authenticator, SAASPASS and Authy. Those that support both mobile and desktop platforms ensure that since the app syncs across accounts, a QR code can be scanned on mobile and the access code generated to be used on a PC.
Segmenting your passwords
As mentioned above you can continue to reuse passwords across different accounts provided you take extra steps that ensure the security of your data.
Another way to stay safe is to reserve password reuse for low-value accounts that carry minimal risk. For example the high value accounts such as those for online banking and shopping may need complex passwords to guard against any breach, while other accounts on say, newsletter websites may use the shared password.
Of course this would require considerable time to classify all your accounts and determine which ones are of high value and which ones do not deserve serious attention.
There are some pitfalls to this approach. A low value account to you may not be the same to an attacker. For example, you may reuse your password on a publisher’s website where you read scientific articles and consider this low value. But wait, is it possible that by retrieving your password on this site the attacker will be able to guess other combinations of the same password used elsewhere?
If it is easy to predict your other passwords based on the one stolen, then you become susceptible to a myriad of attacks. Remember the attacker is looking for strategy and a single password may be the key to how your mind works, making the attacker’s job easier.
In this case you are better off falling victim to an attack based on randomness rather than the predictability of using the same password leading to compromised, high value credentials. If that predictability exists, you may have to treat every service as high value and avoid password reuse.
The use of passwords managers is an essential part of password security. The leading password managers come with a variety of features that can improve your overall security online.
An important feature with password managers is the password generator. It basically generates complex passwords using combinations of numbers, symbols and characters to meet the threshold of being strong and unbreakable .
Most of the password managers include two-factor authentication which gives you an extra layer of security.
All your passwords can be kept safely in the manager and all you need to remember is your master password. Some of them include a VPN for anonymous presence on the web.
Most of these tools have a rating feature that determines the strength of your passwords and recommends remedial measures for those that are weak. Some features include updates on current data breaches to alert you so that you can change your credentials on sites that have been compromised.
By creating a single storage location for all your online credentials, the password manager reduces the risk of hackers eavesdropping on you or stealing any information. The auto-fill feature for example, helps to automatically fill online forms with your credentials without you having to manually type in.
Critical steps when using a password manager
- Ensure no passwords have been reused: Good password managers have tools that analyze your entire collection of passwords and flag those that have been used on multiple accounts. This helps you to change those passwords and make them unique to each online service.
- Generate new passwords for each of your accounts: Password managers have password generator tools which enable you to create random passwords for each account.
- Analyse your passwords for strength and change the weak ones:
- Another important feature in password managers is the ability to rate your passwords and isolate the weak ones.
- Change your passwords often:
- It is good practice to regularly change your passwords to beat the bad guys who may have breached one of your accounts before they use the stolen credentials.
- Create unique and complex password every time you sign up online:
- Most password managers will prompt you to create unique credentials for new sites that require signups. Take advantage of this to create different passwords for every site.
- Using long, complex passwords:
- The use of long and complex passwords containing random letters symbols and numbers is the most recommended solution to the problem of weak credentials that lead to accounts being compromised.
A complex password will have the following characteristics:
- It should contain numbers
- It should have a combination of uppercase and lowercase letters
- It should have special characters or symbols
- It should have a minimum of eight characters
- If you can include complex passphrases, the better
The problem with such complex passwords is that most people are unable to memorize them. Add to this the sheer number of accounts that need these passwords, and the frustration leads to password reuse.
Therein lies the problem – you use a simple password or when you have created a complex one, you still reuse it on multiple platforms.
- Set up a recovery email address or phone number:It is important to have a recovery phone number or email set up within your account this helps you get back access into your account when something goes wrong.
- Keep all your software updated:A lot of folks ignore reminders to update software. Every software update may have improved features but more often than not, it includes security patches that are critical in securing your data. Remember, hackers normally exploit security vulnerabilities in programs to infiltrate accounts and systems.
Always update your programs whenever you are prompted or better still, enable automatic updates within every program especially the antivirus software.
Important Note: Some of the solutions for password issues are multi-pronged. You may not be totally secure if you depend on one solution. It is important to take these solutions in combination to strengthen the security of passwords whether they are unique or are being used across multiple platforms.
Dealing With Password Reuse
Password reuse is a behavior that is developed consciously. It is deliberate for most users and early realization of the risks involved can help safeguard online activity.
From the research findings on the use of the same passwords across platforms, it was clear that despite knowledge of the repercussions of such behavior, folks continue doing so. This is attributed to the huge number of login credentials to be
memorized and numerous apps found on multiple devices that all require some form of security gateway. This has led to users becoming overwhelmed and hence seeking the easy way to cope.
It was shown that putting less value on certain accounts may seem like an attractive option but a breach on that account may be the key for a hacker to gain entry into your high value account.
Reusing passwords is an easy path for most people, yet it puts them at higher risk of losing sensitive data which can lead to identity theft, financial loss, damage to reputation, emotional distress and other far-reaching consequences.
All these can be avoided if a few precautions are put in place to ensure online security.
The truth is that you need to quit password reuse. It is not helpful and the risk is not worth the convenience.
Research findings have consistently indicated that most online users do understand the importance of staying secure but haven’t put in place the required measures to create complex and secure passwords.
Most users have resorted to password reuse or modification as an escape route rather than taking the time to develop the right behavior patterns that will give them peace of mind. This practice puts individual user resources and those that belong to companies at great risk.
A security breach on a single account can lead to a domino effect that may compromise numerous other accounts or thousands of entry points in an organization – remember, a hacker requires one entry point into an organization’s network to install malware and perform other malicious activities that may be difficult to detect for a long time.
Damning evidence shows that 62% of people reuse their passwords or slightly modify them on email services. Users should be aware that malicious actors with access to your login credentials can, for example reset them on your banking platform and siphon away funds without your knowledge.
It is even worse for online shopping sites where 85% of people reuse their passwords or slightly modify them. These sites normally retain addresses and credit card details for customer transactions. A breach on such users can have far reaching financial and privacy implications for the vendors and customers alike.
The need for proper password hygiene cannot be overemphasized. Using weak passwords is dangerous. Using recycled passwords is even worse since they could have been compromised ages ago – hackers have made considerable breakthroughs using credential dumps from years back.
Basic precautions include:
- Do no use predictable passwords such as “abcdefg,” “123456789,” “qwerty” or “Iloveyou.”
- Use different passwords for work and for personal services
- When a breach is reported reset all your passwords. Remember not to reuse the old passwords again on any other account.
- Make the task of creating, memorizing, measuring strength and storing passwords simple by using a good password manager. Ensure you have a robust master password for your password manager.
You are essentially putting all your keys in one basket. If this basket were to be breached, a huge pandora’s box would be opened. It is important to take time and create one secure master password – the only one you need to remember.
- Use two-factor authentication to create another layer of security for your accounts. It has been shown that attempts to breach accounts that have have weak or reused passwords have been thwarted using two-factor authentication.
While many online service providers are yet to implement two-factor authentication, it is advisable to utilize it whenever it is available. Use this resource (https://twofactorauth.org/) to check whether a website has activated two-factor authentication.
Other innovative ways to authenticate users are coming up – fingerprints, eye or face recognition and other biometrics are being developed.
You can always be updated of any breaches on some of your email accounts by visiting websites such as Have I been Pwned. The tools on the site help users to identify which emails have been breached.
This gives you a heads up so that you can take remedial measures quickly in case your account has been compromised. Resetting your passwords keeps you a step ahead of malicious actors in possession of your credentials.
Always strive to ensure no passwords are reused on multiple accounts
It is now clear that passwords are still the most widely used method of authentication for users of online resources. Despite the flaws and vulnerabilities we have discussed above, they are not going away any time soon. We must therefore learn how to manage them and make them more secure on their own or in combination with other tools.
Think about all the devices you own, the numerous apps on them, dozens of websites and networks that you interact with on a regular basis. It is overwhelming that all of them require the use of different login credentials.
Well, this is likely to cause “login fatigue.” To keep your head above water, you shouldn’t succumb to this fatigue, but rather, rise up to the occasion and make good use of all the tools we have discussed to protect your credentials and avoid a breach on your privacy and the resulting damage.
Password reuse should never be treated casually and no account should be thought of as “of little value” to a hacker – the moment a behavioral pattern has been profiled, the attacker is in a position to guess his way into your account, and once inside, there are so many things that could possibly go wrong.
Using the same password on multiple accounts increases your risk to data breaches many times over.