Updated April 10, 2023
There’s an old saying in the hacker community – Hackers don’t break in; they log in. Contrary to popular belief, cybercriminals, for the most part, aren’t sitting in dark basements trying to guess their next victim’s password. Why should they when we make it too easy for them? Aside from using weak, easy-to-guess passwords, people tend to use the same password for multiple online accounts. And that’s a big mistake. But what’s the danger, you ask? What’s the real reason you shouldn’t reuse passwords?
People know they shouldn’t use easy passwords like password, 123456 or qwerty. And they also know that they should never use the same password for more than one account. Yet they do. A Google/Harris Poll survey showed that well over half of people surveyed reuse the same password even though they know it poses a risk to their personal and corporate accounts. You also shouldn’t let your browser store your passwords.
We get it…people are afraid of forgetting their login information and they want to be in control of their accounts. One study showed that the average American has 27 online accounts. Another said it was closer to 100. Either way, that's a lot of accounts that have to be secured with unique, complex passwords. Remembering a handful of passwords is difficult. Remembering hundreds is impossible.
You’ve no doubt felt the aggravation that comes when you’ve forgotten the password for an account you’re trying to access. It’s frustrating. But not nearly as frustrating as it will be when your accounts get hijacked by criminals.
What is the real danger of reusing a password?
Data breaches and leaks happen. And often sensitive data, including usernames and passwords, wind up on the Dark Web. Password reuse can lead to what’s called credential stuffing attacks. That’s when a hacker takes leaked credentials for one account and uses those to gain access to a person’s other accounts. A credential-stuffing attack can make hundreds of attempts on dozens of websites in just a few minutes. If Susie in finance uses the same password for her Facebook account as she does for your company’s accounting software, you could have a huge nightmare on your hands if that password falls into the wrong hands.
Is the risk of losing money, your reputation or even your business worth letting your employees continue to use weak or recycled passwords?
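As an added example that is not part of the original article, the following Python snippet shows what the credential-stuffing pattern described above looks like to a defender reading an authentication log: one source trying many different usernames once each, as opposed to hammering a single account. The log format, the sample events and the thresholds are all constructed assumptions; a successful login from a flagged source points at an account whose leaked, reused password worked here too.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data): timestamp, source IP, username, result.
SAMPLE_LOG = """\
2023-04-10T09:00:01 203.0.113.7 alice FAIL
2023-04-10T09:00:02 203.0.113.7 bob FAIL
2023-04-10T09:00:03 203.0.113.7 carol FAIL
2023-04-10T09:00:04 203.0.113.7 dave FAIL
2023-04-10T09:00:05 203.0.113.7 erin FAIL
2023-04-10T09:00:06 203.0.113.7 susie OK
2023-04-10T09:01:10 198.51.100.9 mary FAIL
2023-04-10T09:01:11 198.51.100.9 mary FAIL
2023-04-10T09:01:12 198.51.100.9 mary FAIL
2023-04-10T09:01:13 198.51.100.9 mary FAIL
2023-04-10T09:01:14 198.51.100.9 mary FAIL
2023-04-10T09:05:00 192.0.2.44 frank OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Parse one event per line; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, user, result))
    return events

def classify_sources(events, window_seconds=300, min_attempts=5, min_users=5):
    """Per source IP, look at attempts within window_seconds of its first attempt.
    Many distinct usernames with about one try each is the credential-stuffing
    shape; many tries against very few usernames is classic brute force."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))
    verdicts = {}
    for ip, attempts in by_ip.items():
        first = attempts[0][0]
        window = [a for a in attempts if (a[0] - first).total_seconds() <= window_seconds]
        if len(window) < min_attempts:
            continue  # too little activity to call either way
        users = {u for _, u, _ in window}
        verdicts[ip] = "credential_stuffing" if len(users) >= min_users else "brute_force"
    return verdicts

def likely_reused_passwords(events, verdicts):
    """Accounts that logged in successfully from a stuffing source: the leaked
    password worked here too, so these users most likely reused it."""
    return sorted({u for _, ip, u, r in events
                   if r == "OK" and verdicts.get(ip) == "credential_stuffing"})
```

The assumed window is anchored to each source's first attempt, which is enough for a short sample; a production detector would use a true sliding window over streaming events.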
How to Combat the Password Problem
Two words: password manager. The solution is a no-brainer. Password managers or vaults take all the hard work out of trying to come up with and remember unique, hard-to-hack passwords. With a password manager, you only need to remember one password to access the manager. From there, all your passwords are securely stored.
Our top recommendations for business-grade password vaults are:
Secret Server by Delinea. Secret Server is a web-based application ideal for organizations and their users. It allows for the storage of privileged credentials in a military-grade encrypted centralized vault and is simple to use with a copy/paste function. With Secret Server, administrators can use Role-Based Access Control, which grants users access to only the information they need to do their jobs. Mary in marketing doesn’t need access to Susie's accounting software, so access control using folders can keep that information from spreading across an organization.
PasswordState by Click Studios. PasswordState is an on-premises, web-based solution for enterprise password management, where teams of people can access and share sensitive password resources. Role-based administration and end-to-end event auditing provide a secure platform for password storage and collaboration. Features such as 256-bit AES data encryption, code obfuscation and enterprise scalability make it MIS’s enterprise password manager of choice.
Are Consumer-grade Password Managers Safe for Business?
The issue with consumer-grade password managers is that they take control of a business’s password security out of the hands of the IT administrator and place it entirely on the end user. Security teams can’t enforce strong password policies, such as regular password resets and the use of required multi-factor authentication, which places the organization at risk of a cyber incident or compliance violation.
LastPass, a popular consumer password manager, suffered not one, but two data breaches in 2022 that allowed a bad actor to gain access to unencrypted consumer data including names, email and billing addresses, phone numbers and IP addresses.
Many consumer-grade password managers offer a business product, but those do not compare well to either Secret Server or PasswordState. Therefore, we do not recommend using them for business.
If you’d like to learn more about how MIS Solutions can help keep your business secure, contact us today.