I Can Reuse My Password, Right? No, and Here’s Why.

[Image: Passwords written down on sticky notes]

A key element of a sound cybersecurity defense is implementing and enforcing good password management practices. One best practice is not to reuse the same handful of passwords across all of the websites and applications you use.

During the last several years there have been many high-profile data breaches at companies based in the United States and elsewhere. In each case, vast amounts of personal data were compromised and then bartered and sold on the dark web by unscrupulous actors.

In many cases the stolen data includes usernames, passwords, and answers to security questions for millions of users worldwide. In the wrong hands, that data leads to your Internet accounts being compromised and, in some cases, to financial harm and losses for you and your business.

Password Management.  It’s important.

It goes without saying that when it comes to cybersecurity, the best defense is a good offense: taking proactive steps before an attacker forces you to. You can take several steps to ensure your cybersecurity hygiene is the best it can be, and one area of focus is password management.

We all loathe the fact that everything we use on the Internet today has a username and password. Each site has its own requirements for both. Some let you create a username, and some use your email address. With passwords, the rules vary from length to complexity. Another popular requirement is password aging, where a site requires you to change your password after a certain amount of time. Current NIST guidance (SP 800-63B) actually advises against forced periodic changes unless there is evidence of compromise, since rotation tends to produce small, predictable variations of the old password rather than a genuinely new one.

The point we most frequently discuss with clients is that a different password should be used on every website. Using different passwords reduces your exposure if one site is breached, because a username and password stolen there cannot simply be replayed against your other accounts. A 2018 study by Virginia Tech researchers found that 52% of users reused the same password, or a slight variation of it, on more than one site. The sample covered 28 million users and their 61 million associated passwords.

Once your credentials have been stolen, cybercriminals use automated tools to replay them against other sites, a technique known as credential stuffing. Typical targets are bank, brokerage, 401(k), utility, and social media accounts, where a successful login yields money or yet more personal information.
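The reuse that the study above measured can be reproduced on a small scale. The following is an added example, not code from the original article or from the study: it takes credential records from several constructed breach dumps (the sites, users and passwords are all made up) and reports, per user, whether a password was reused exactly, reused with a small tweak, or not reused at all. The stem() normalisation of years and trailing digits is an assumption about typical tweaks, not the study's method.

```javascript
// Added example (not from the original article): measuring password reuse
// across several breach dumps. The dumps below are CONSTRUCTED sample data,
// not real breach records; each entry is [username, plaintext password].
const DUMPS = {
  'shop.example':  [['alice@example.com', 'Summer2019!'], ['bob@example.com', 'hunter2'],  ['carol@example.com', 'Tr0ub4dor&3']],
  'forum.example': [['alice@example.com', 'Summer2019!'], ['bob@example.com', 'hunter22'], ['dave@example.com', 'qwerty']],
  'bank.example':  [['alice@example.com', 'Summer2020!'], ['carol@example.com', 'Tr0ub4dor&3'], ['dave@example.com', 'letmein']],
};

// Normalise the common "tweaks" people make when forced to change a password:
// letter case, a bumped four-digit year, and trailing digits or symbols.
// (Assumed heuristic for this example.) Two passwords with the same stem are
// treated as the same password in the "modified" sense.
function stem(password) {
  return password
    .toLowerCase()
    .replace(/(19|20)\d\d/g, 'YEAR')
    .replace(/[\d!@#$%^&*]+$/, '');
}

// Group credentials by user and classify each user:
//   'exact'    - identical password seen on 2+ sites
//   'variant'  - passwords that differ only by the tweaks stem() strips
//   'distinct' - a unique password per site (or only one site seen)
function classifyReuse(dumps) {
  const byUser = new Map();
  for (const [site, records] of Object.entries(dumps)) {
    for (const [user, pw] of records) {
      if (!byUser.has(user)) byUser.set(user, []);
      byUser.get(user).push({ site, pw });
    }
  }
  const result = {};
  for (const [user, creds] of byUser) {
    const exact = new Set(creds.map(c => c.pw));
    const stems = new Set(creds.map(c => stem(c.pw)));
    if (creds.length >= 2 && exact.size < creds.length) result[user] = 'exact';
    else if (creds.length >= 2 && stems.size < creds.length) result[user] = 'variant';
    else result[user] = 'distinct';
  }
  return result;
}

// Fraction of users who reused a password exactly or with a tweak.
function reuseRate(dumps) {
  const classes = Object.values(classifyReuse(dumps));
  const reused = classes.filter(c => c !== 'distinct').length;
  return reused / classes.length;
}

console.log(classifyReuse(DUMPS));        // per-user classification
console.log(`reuse rate: ${reuseRate(DUMPS)}`);
```

On the constructed data, three of the four users reuse something: alice and carol repeat a password verbatim, and bob's "hunter2" and "hunter22" collapse to the same stem. An analyst running this over an organisation's own exposed credentials gets the same two numbers the study reported, exact reuse and tweaked reuse, and a list of the accounts to force-reset first.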

How is my personal info used?

In many cases this data is also used for social engineering, often in a follow-on attack known as spear phishing. These attacks use recent data and events to try to gain additional information, or access to funds or confidential records. They are usually conducted over email and frequently catch people off guard.

A best practice is to use a different password for every site you visit, and each password should be strong. Current guidance suggests at least 12 characters with a mix of letters, numbers, and symbols (if the site supports symbols in passwords); length does more for strength than symbol variety, so a long passphrase of several unrelated words is a sound choice.

Do not write your passwords down or keep them in a notepad document on your desktop; neither is a best practice. In most cases we recommend a password management solution, such as LastPass.

Whichever password manager you choose, make sure it encrypts your passwords at rest. Also ensure that the decryption key, which is derived from your master password, is never stored on the provider's server: the vault should be encrypted and decrypted on your own device, so that a breach of the provider yields only ciphertext.

In a business setting, we recommend refraining from using the password-saving feature built into web browsers. If there is an intrusion or other nefarious activity on the machine, those passwords are easily accessible: the browser decrypts them with a key tied to the logged-in user's session, so any malware running as that user can read them without ever being asked for a password. Keep in mind that password caching is convenient for you and for a potential hacker.

Good cybersecurity hygiene requires sound security principles: careful password management, multi-factor authentication, and never using the same password across multiple sites.

Eliminating cyber intrusions entirely is becoming increasingly difficult. These principles and recommendations will go a long way toward limiting the risk and exposure you face if you are caught up in a data breach, now or in the future.

Do you know if your data has been exposed? Check Have I Been Pwned to find out.