<img alt="" src="https://secure.hook6vein.com/218483.png" style="display:none;">

BIO-key Blog

Read below for news, insights, and discussion on identity and access management.

Quick Tip: The Dangers of Password Reuse

by Christopher Perry

password reuse

Another day, another data breach. As we have experienced, organizations being a victim of data breaches are no longer a matter of "if" but "when". Day after day, more and more organizations are falling victim to cyberattacks, like the recent 2021 attacks on the Colonial Pipeline which affected gas stations all throughout the East Coast into Texas and the JBS Meat Factory cyberattack. These attacks have all lead to President Joe Biden releasing an Executive Order to increase cybersecurity methods, but we have to take a step back, and think about how these organizations became victims. Well, the implication is that the unauthorized access was granted thanks to password reuse.

It is a growing concern these days that many end-users have too many passwords to remember. If you think about how many accounts you use on a daily basis, it quickly adds up. Firstly, your email, then social media accounts, dependent on your department you may have a Kanban board or a collaborative tool with your team, and at the end of the day, streaming services top off your logins. These passwords are too complicated, and there are too many to remember. Often, there are different requirements and credentials for each login, and each is likely to create confusion resulting in lockouts and an increased volume of Help Desk calls. However, a solution to consolidate all of your logins into one strong authentication method is Single Sign-On. With Single Sign-On, users can avoid the dangers that password reuse delivers, and having one login to access all of your accounts means a better user experience. Single Sign-on sounds like an easy solution, and later on, we will bring up how to implement it more into your business.

It looks like it may be time to ditch multiple passwords for a strong one.

The Password Problem

Here’s the thing: passwords aren’t going anywhere. At least, they are here to stay for the moment. I’ve talked about the death of the password before, and it always comes back to the same thing: we don’t have anything better. While that may be the case, the password problem still remains.

What it comes down to is the fact that passwords are essential just a gateway to all things that we hold precious. Every iota of data is sitting behind what amounts to a tiny little gate. That’s not to mention multifactor authentication (which I’ll touch on in a moment), but our digital selves are protected solely by what amounts to a little door. As we’ve learned in recent years, doors and gates are easy to breach.

I compare the password problem to the age-old idea of hunting for buried treasure. Our personal, private, and/or corporate data is a treasure to the right thief, and therefore, they will dig through any amount of dirt and much to get at it. Much like the pirates of old, all it takes to find that treasure is the right map. In modern times, our passwords are maps that the right thief can follow with very little effort. Hackers need only find the map, and it will lead them directly to our buried treasure – placed in a chest that generally doesn’t even have another lock.

Why You Should Never Reuse Passwords

As I mentioned before, Multifactor Authentication (MFA) is a modern Band-Aid on the password problem. In fact, MFA can even help combat password reuse as well. However, multifactor is still gaining a foothold with the community at large. Major corporations continue struggling to find a method of securing authentication that users will actually use.

The slow adoption and development cycle of MFA provides intrepid attackers with more than enough time to gather their resources and combat the obstacle before it really becomes a hindrance.

Which brings us back to password reuse.

A Dangerous Practice

Experts all agree, and frequently state, that password reuse is a huge detriment to digital security. Using the same password for multiple accounts increases the likelihood of an important account falling victim to a determined attacker. More often than not, the fault may not even be yours – if a web database containing your password is breached, and you use that same password somewhere else, it’s all over.

Therein lies the danger of password reuse: it introduces additional vulnerabilities that are outside of your control. So long as passwords are still the primary gateway to sensitive, and valuable information, it is important to focus on creating strong and UNIQUE passwords for each account.

We’ve talked about it often, and one of my favorite researchers advocates for password strength over much else. Why? Because it is one of the basics that the majority of Internet users continue to get wrong.

Single Sign-On and Password Reuse

One of the many benefits of Single Sign-On is the ability to directly counteract many of the problems with password reuse. By eliminating the need for multiple passwords, users can concentrate on creating a single, secure password that holds up better against attack. From then on, authentication is managed by encrypted tokens which are much more difficult to crack.

How Single Sign-On can work is through Password Synchronization which takes the principles of SSO and consolidates the logins for multiple accounts into one, meaning the end-user only needs to leverage a single password. With this password, end-users can be led into a jump page which gives them access to all the applications that they need without any separate login. Once this sole password is put in place, IT Administrators can implement stronger password requirements and more frequent expirations of the password, thus increasing the security measures.

Identifying password complexity rules for all systems is critical to ensuring that this process will properly integrate into your system. After going through this process, the next step is to typically, change the password rules on one or more of your systems so that all systems then reach a common set that can be enforced by each.  Next, the typical response to this issue may be to change the password rules on one or more systems to reach a common set that can be enforced for each.

By enforcing a consistent set of password rules, which are always enforced when a password is changed or reset through it, allows user to just use one password. When new passwords are created this will allow users to enter just one password, and they will not run into issues due to conflicting password policies.

With little to no effort, users can improve their authentication security.  Would-be thieves no longer have a simple map to our most precious treasures. In the end, it's all about the basics.  Think smart and protect yourself from the dangers of password reuse.

The ideal solution for common login frustrations is a product that can create a single or federated authentication process to handle multiple local and cloud applications, while providing a centralized point of secure access. Implementing a SAML (Security Assertion Markup Language) SSO option with PortalGuard as the Identity Provider achieves the goal of eliminating password issues while providing more:

  • Reduce the number of passwords users are required to remember and manage.
  • Implement and enforce configurable password policies.
  • Reduce password-related Help Desk calls related to password and access issues, and many more.

Read more about the benefits of an SAML SSO option in our eBook here.

saml sso ebook banner

 

Christopher Perry

Author: Christopher Perry

Subscribe to the BIO-key blog!

Recent Posts