Another day, another data breach. At this point, it almost doesn’t qualify as news! Yet here we are, fresh in the wake of a data breach similar in form to the LinkedIn data dump of May 2016. Of course, I am talking about the recently acknowledged Dropbox dump. As was the case with the LinkedIn breach, the Dropbox dump references over 60 Million accounts that have appeared online recently, due to a breach from way back in 2012. What may be a particularly noteworthy addition to this latest breach, however, is the implication that the unauthorized access was granted thanks to password reuse.
It looks like it may be time to go back to the basics.
The Password Problem
Here’s the thing: passwords aren’t going anywhere. At least, they are here to stay for the moment. I’ve talked about the death of the password before, and it always comes back to the same thing: we don’t have anything better. While that may be the case, the password problem still remains.
What it comes down to is the fact that passwords are essentially just a gateway to all the things that we hold precious. Every iota of data is sitting behind what amounts to a tiny little gate. That’s not to mention multifactor authentication (which I’ll touch on in a moment), but our digital selves are protected solely by what amounts to a little door. As we’ve learned in recent years, doors and gates are easy to breach.
I compare the password problem to the age-old idea of hunting for buried treasure. Our personal, private, and/or corporate data is a treasure to the right thief, and therefore, they will dig through any amount of dirt and muck to get at it. Much like the pirates of old, all it takes to find that treasure is the right map. In modern times, our passwords are maps that the right thief can follow with very little effort. Hackers need only find the map, and it will lead them directly to our buried treasure – placed in a chest that generally doesn’t even have another lock.
Why You Should Never Reuse Passwords
As I mentioned before, Multifactor Authentication (MFA) is a modern Band-Aid on the password problem. In fact, MFA can even help combat password reuse as well. However, multifactor is still gaining a foothold with the community at large. Major corporations continue struggling to find a method of securing authentication that users will actually use.
The slow adoption and development cycle of MFA provides intrepid attackers with more than enough time to gather their resources and combat the obstacle before it really becomes a hindrance.
Which brings us back to password reuse.
A Dangerous Practice
Experts all agree, and frequently state, that password reuse is a huge detriment to digital security. Using the same password for multiple accounts increases the likelihood of an important account falling victim to a determined attacker. More often than not, the fault may not even be yours – if a web database containing your password is breached, and you use that same password somewhere else, it’s all over.
That is the case for the most recent Dropbox data breach. Conclusions abound that the fraudulent access to Dropbox user data was due to password reuse. An employee’s password was exposed in the 2012 LinkedIn data breach, and was also used to gain access to Dropbox. The attacker only had to plug in the appropriate username and password combo, with little additional effort.
Therein lies the danger of password reuse: it introduces additional vulnerabilities that are outside of your control. So long as passwords are still the primary gateway to sensitive and valuable information, it is important to focus on creating strong and UNIQUE passwords for each account.
We’ve talked about it often, and one of my favorite researchers advocates for password strength over much else. Why? Because it is one of the basics that the majority of Internet users continue to get wrong.
Single Sign-On and Password Reuse
One of the many benefits of Single Sign-On is the ability to directly counteract many of the problems with password reuse. By eliminating the need for multiple passwords, users can concentrate on creating a single, secure password that holds up better against attack. From then on, authentication is managed by encrypted tokens which are much more difficult to crack.
With little to no effort, users can improve their authentication security. Would-be thieves no longer have a simple map to our most precious treasures. In the end, it's all about the basics. Think smart, and protect yourself from the dangers of password reuse.