Imagine using the same key for your home, car, and office. It might be convenient, but what if the key were lost or stolen? The danger would be obvious.
Yet a 2019 Google study found that 52 percent of people use the same password across multiple accounts, putting convenience before safety. Even just one password falling into the wrong hands can lead to disaster for your organization. If a password works with multiple systems, the danger is multiplied.
To protect your organization against the risks that stem from password reuse:
- Define your password policy: Everyone in your organization must use strong, unique passwords that they never reuse or share.
- Use a password manager tool: Encourage everyone to generate and store strong, unique passwords using a secure system.
- Enable multi-factor authentication (MFA): Enabling MFA on your systems and accounts adds an extra layer of security that helps prevent unauthorized access. However, it’s not impregnable. For greater protection, use measures such as hardware security keys or biometric authentication.
- Provide security awareness training: Ensure everyone, across teams and at all levels, understands the risks of password reuse and how to follow best practices.
- Use a credential monitoring solution: Solutions such as Cybercheck alert you immediately if a password has fallen into the wrong hands, so you can update it and defuse the danger. They can also help you spot the reuse of similar or identical passwords in your organization.
Why password reuse is dangerous
Passwords can fall into the wrong hands in various ways. For example:
- Phishing and pretexting, where attackers send bogus messages to trick people into giving their passwords away. These techniques lead to 73 percent of data breaches (source: Verizon 2024 Data Breach Investigations Report).
- Infostealer malware, which silently harvests the passwords saved on your device. Immune to conventional anti-virus tools, infostealers are infecting millions of devices and stealing data on a vast scale.
- Dark Web marketplaces, where stolen passwords are bought and sold.
Data breaches at third-party websites are a further danger. For example, suppose a colleague creates an online shopping account with the same password as their work email. If hackers breach the online store, they obtain a password to access your organization’s systems.
Hackers try stolen passwords with multiple systems and accounts. This is called credential stuffing. The more accounts use the same password, the greater the danger.
If a stolen password doesn’t work, the hackers try variants of it. This is why password strength matters – the more complex a password is, the harder it is to find a working variant. It’s also why password updates must always be completely new.
Notorious incidents illustrate what can happen next:
- Sony Pictures, 2014: Sony employees were reusing their Apple passwords for their work accounts. Hackers used phishing to steal their Apple passwords. Then they broke into the Sony Pictures network, deployed malware, and stole unreleased movies.
- Mark Zuckerberg’s social media, 2016: Hackers broke into Zuckerberg’s Twitter and Pinterest accounts, aided by his reuse of the weak password dadada. The attack originated from a massive leak of LinkedIn credentials four years earlier.
- Zola, 2022: Hackers used credential stuffing to break into 3,000 accounts on the wedding planning platform Zola and steal money and gift cards.
Credential monitoring gives you vital protection
Most organizations don’t know their passwords have been exposed until hackers strike. That’s why credential monitoring is vital for an effective cybersecurity strategy.
A credential monitoring solution, such as Cybercheck, gives you real-time visibility of compromised passwords and credentials. If cybercriminals are trading information about you or your organization, we see it right away and warn you immediately. That means you can change your passwords, block your cards, and shut out the cybercriminals before they attack.
You can also monitor your organization for duplicate passwords and suspicious activity. Cybercheck’s dashboard shows your data security at a glance, including your overall safety level and specific areas where you need to act.