Have you ever been tempted to use the same credentials for various logins? What danger underlies this practice?
John, a student worker, usually found time for his coursework after finishing his assigned duties at work, but one Friday morning the pile of work was so large that he could not meet the submission deadline for his school assignment. His immediate resort was to ask a coursemate to log on to the student portal and submit the work on his behalf. For a long time, John had used the same password for school and work accounts, mainly because it was easy to remember. No sooner had the friend opened the email account than a phishing email arrived prompting an account verification. Suspecting nothing, the friend followed the verification link and entered John's email password, which the attacker harvested; without telling John what had happened, the friend went on to submit the coursework. A couple of days later, John was perplexed to receive calls from clients asking about invoices he had supposedly emailed them. In truth, the emails had been sent by the attacker, who now held the password that John also used for his work email.
Users today have so many logins and passwords to remember that it is tempting to reuse credentials here and there to make life a little easier. Even though security best practices universally recommend a unique password for every application and website, many people still reuse their passwords, a fact that attackers rely on. This causes major security issues once those credentials are compromised: if an attacker obtains valid credentials on one target, they can try the same credentials on other targets to further compromise the system or network.
Worse still, there is credential stuffing, a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses with their corresponding passwords (often from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Credential stuffing is dangerous to both consumers and enterprises because of the harm these breaches cause, and it is one of the most common techniques used to take over user accounts.
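Because credential stuffing shows up as many automated login attempts against many different accounts from one source, defenders can spot it in authentication logs before the damage described above spreads. The script below is an added example, not code from the original article: it parses a few constructed, hypothetical authentication log lines (timestamp, source IP, username, outcome) and flags any source address that tries an unusually large number of distinct usernames within a short window with a high failure rate, which is the signature of a stuffing run rather than a single user mistyping a password. The log format, thresholds and IP addresses are assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (hypothetical data, not from any real system):
# one line per login attempt -> "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>"
# 203.0.113.7 cycles through many accounts quickly (credential stuffing pattern),
# while 198.51.100.20 is one user retrying their own password.
SAMPLE_LOG = """\
2024-03-01T09:00:01 203.0.113.7 alice FAIL
2024-03-01T09:00:02 203.0.113.7 bob FAIL
2024-03-01T09:00:02 203.0.113.7 carol FAIL
2024-03-01T09:00:03 203.0.113.7 dave FAIL
2024-03-01T09:00:03 203.0.113.7 erin FAIL
2024-03-01T09:00:04 203.0.113.7 frank SUCCESS
2024-03-01T09:00:05 203.0.113.7 grace FAIL
2024-03-01T09:00:05 203.0.113.7 heidi FAIL
2024-03-01T09:01:10 198.51.100.20 alice FAIL
2024-03-01T09:01:25 198.51.100.20 alice FAIL
2024-03-01T09:01:40 198.51.100.20 alice SUCCESS
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line: str) -> Attempt:
    """Parse one log line of the assumed format into an Attempt."""
    ts, ip, user, outcome = line.split()
    return Attempt(datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS")


def parse_log(text: str) -> list:
    """Parse the whole log, skipping blank lines."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(attempts, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6) -> dict:
    """Flag source IPs that attempt >= min_users distinct usernames inside
    `window` with a failure ratio >= min_fail_ratio.

    Returns {ip: {"attempts", "distinct_users", "failures", "successes"}}.
    The "successes" list is the accounts a defender should treat as possibly
    taken over and force through a password reset."""
    by_ip = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda a: a.ts)
        # Slide a window starting at each attempt; flag on the first window
        # that matches so each IP is reported once.
        for i, start in enumerate(rows):
            win = [a for a in rows[i:] if a.ts - start.ts <= window]
            users = {a.user for a in win}
            fails = sum(1 for a in win if not a.ok)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                findings[ip] = {
                    "attempts": len(win),
                    "distinct_users": len(users),
                    "failures": fails,
                    "successes": sorted(a.user for a in win if a.ok),
                }
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"{info['failures']}/{info['attempts']} failed, "
              f"possible takeovers: {info['successes']}")
```

The thresholds are the tunable part: a real deployment would calibrate `min_users` and `window` against normal traffic from shared NAT addresses so that an office gateway is not flagged, and would feed the `successes` list into a forced password reset plus a second-factor challenge for those accounts.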
Moving forward, what can you do to close this dangerous loophole as you work to strengthen your organization's security posture?
- Have unique passwords for all your web-based applications including email hosts, social media platforms, and work-related websites.
- Do not share your password with colleagues, and if it is inevitably required, change the password with immediate effect after use.
- Make use of two-factor authentication to limit the chances that a fraudulent login request is authenticated.