February 28, 2019

Secure password management Part 1 - There’s no excuse for password reuse, or is there?

Don’t reuse passwords. Simple advice, but very hard for most people to follow. This also became very clear in a survey Google did in partnership with Harris Poll. They questioned 3,000 adults (ages 16–50+) living in the U.S. to understand their beliefs and behaviors around online security.

Only 35% use unique passwords for every account. However, in the same survey 69% think they are doing a good job of protecting their online accounts.

The risks of password reuse

The results from the survey are worrying and prove that a lot of people don’t understand the risks associated with password reuse.

It’s very simple to understand though. Let’s suppose you also use the password protecting your email account for your Amazon account. When one of these accounts gets hacked, the password and email address can be (ab)used to gain access to the other.

I’m leaving 2FA aside here, although it would stop this kind of attack, because:

  • Only a small fraction of people use it.
  • It’s not available for many online services.
  • Although there are exceptions, people who reuse passwords are not very likely to use 2FA.
  • There are different ways to bypass 2FA and therefore it can never be an excuse for password reuse.

When you explain to the average internet user what can go wrong when they reuse passwords, many think “It will not happen to me”. And this is where most of us get frustrated and just give up. But try to put yourself in their position for a moment.

Most people are simply not aware that several of their accounts have been breached. That’s exactly why I show Have I Been Pwned in each awareness session. When the participants see that I’m in the LinkedIn and Dropbox data breaches, the penny starts to drop and they start checking their own exposure.

They now might be aware that their accounts have been breached, but this still doesn’t mean that they realize at what scale and frequency their reused credentials are exploited by attackers.

This Microsoft research, published in 2016, gives some insight:

We see hackers testing leaked credentials against our systems at an average of 12M credential pairs every day.

Or real-life stories like these about DailyMotion and Reddit, which fell victim to credential stuffing attacks earlier this year.
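The scale quoted above (leaked credential pairs tested against a service by the millions per day) shows up in authentication logs as a single source trying many different accounts once each, with most attempts failing and the occasional success where a user reused a breached password. The following is an added example, not code from the original post or from Microsoft, DailyMotion or Reddit. It parses a constructed, hypothetical log format, flags sources that show the credential stuffing pattern, and lists the accounts that accepted a login from a flagged source, which are exactly the reused-password victims that need a forced reset and a notification. The log format, thresholds and IP addresses are all assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of authentication log lines. The format is hypothetical;
# the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2019-02-28T10:00:01Z auth src=203.0.113.7 user=alice@example.org result=fail
2019-02-28T10:00:02Z auth src=203.0.113.7 user=bob@example.org result=fail
2019-02-28T10:00:02Z auth src=203.0.113.7 user=carol@example.org result=success
2019-02-28T10:00:03Z auth src=203.0.113.7 user=dave@example.org result=fail
2019-02-28T10:00:03Z auth src=203.0.113.7 user=erin@example.org result=fail
2019-02-28T10:00:04Z auth src=203.0.113.7 user=frank@example.org result=fail
2019-02-28T10:00:05Z auth src=203.0.113.7 user=grace@example.org result=fail
2019-02-28T10:00:06Z auth src=203.0.113.7 user=heidi@example.org result=fail
2019-02-28T10:01:00Z auth src=198.51.100.5 user=alice@example.org result=fail
2019-02-28T10:01:05Z auth src=198.51.100.5 user=alice@example.org result=fail
2019-02-28T10:01:09Z auth src=198.51.100.5 user=alice@example.org result=success
2019-02-28T10:02:00Z auth src=192.0.2.44 user=bob@example.org result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Turn the raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)      # distinct accounts tried from this source
    successes: set = field(default_factory=set)  # accounts that accepted a login from this source


def aggregate_by_source(events):
    """Per-source counters: how many attempts, how many failed, which accounts were tried."""
    stats = defaultdict(SourceStats)
    for e in events:
        s = stats[e["src"]]
        s.attempts += 1
        s.users.add(e["user"])
        if e["result"] == "fail":
            s.failures += 1
        else:
            s.successes.add(e["user"])
    return stats


def flag_credential_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Return {src: SourceStats} for sources that look like credential stuffing:
    many distinct usernames, mostly failing. One user failing repeatedly from one
    source is a brute-force or forgotten-password pattern, not stuffing, so it is
    deliberately not flagged here. Thresholds are assumptions to tune per service."""
    flagged = {}
    for src, s in aggregate_by_source(events).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[src] = s
    return flagged


def compromised_accounts(events, **kw):
    """Accounts that accepted a login from a flagged source: the users whose reused
    password was in the attacker's list. These need a forced reset and a notification."""
    hits = set()
    for s in flag_credential_stuffing(events, **kw).values():
        hits |= s.successes
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, s in flag_credential_stuffing(evs).items():
        print(f"{src}: {len(s.users)} accounts tried, {s.failures}/{s.attempts} failed, "
              f"logins accepted for {sorted(s.successes)}")
    print("accounts to reset:", compromised_accounts(evs))
```

On the sample, only 203.0.113.7 is flagged (eight accounts tried, seven failures) and carol@example.org is the account to reset; 198.51.100.5 hammering a single account is left to a separate brute-force rule. In production the same aggregation would run over a sliding time window, and the distinct-user threshold needs to be low enough to catch attackers who spread the list over many source addresses.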

But a unique password for my important accounts is sufficient, right?

I was particularly curious to learn more about the reasons for password reuse. Is it a well-thought-out decision or just the lack of decent password management practices? That’s why I launched a poll on Twitter.

The share of people reusing passwords is a bit lower than in Google’s survey. This difference is probably due to the fact that the majority of voters in my case are infosec people.

But, to be honest, I was more interested in learning why people reuse. It ranges from (temporary) password reuse because of not using the right tool…

to (temporary) password reuse because of sites screwing up…

Or password reuse for old accounts…

Or password reuse based on “risk of compromise” categorization…

I particularly want to address this last reply. I’ve read and heard many times that it’s fine to reuse passwords for what’s often referred to as “less important” or “low risk” accounts. The problem is that most people’s assessments are based on the wrong threats, or on only a subset of the potential threats.

Whilst it’s true that accounts like email, social media and financial accounts are high-value targets for attackers, other accounts — at first sight insignificant — are valuable to attackers too.

Most people only think about what can go wrong when criminals take over their accounts. That’s why they’ll consider their account for an online newspaper as low risk and judge that password reuse is quite harmless. After all, “Who cares if an attacker can read a news article under my account?”

And indeed, the fact that an attacker can read news articles is the least of your worries. Have a look at this registration form for an online newspaper. The personal data you enter here are protected only by the password you use.

These data are very valuable to attackers. They can be monetized or used in other attacks: think of taking over other accounts, phishing attacks, extortion, …

Some of these data, like your date of birth, cannot be changed. So next time you decide to reuse a password, keep in mind what you are protecting.

But if I use fake data it’s okay to reuse passwords, right?

If you value your privacy and security, the best thing you can do is fake as much data as possible. For online services like newspapers, where you only need an account to be able to read news stories, you can even fake all data at registration.

Only if you can fake all data is there not much harm in reusing passwords. But then again, if you belong to the minority of people who create fake accounts, you should be equipped enough to use a unique password.

Conclusion

Be consistent in your advice and keep it simple. You really don’t help people — who are already struggling to securely manage their passwords — by telling them that in some particular cases it might be acceptable to reuse passwords. Password reuse shouldn’t be encouraged. Tell them to use unique passwords for every account.

The reason people reuse passwords is that they have a lot of accounts and the human brain is limited when it comes to remembering different passwords. More info on how to manage this in a pragmatic way — taking into account that different users have different levels of expertise and their own threat models — will follow in an upcoming blog post.