Credential Reuse: A recipe for attack

Have you ever been tempted to use the same credentials for various logins? What danger underlies this practice?

John, a student worker, usually found time for his coursework after finishing his assigned duties at work. One Friday morning, however, the pile of work was so large that he could not meet the submission deadline for a school assignment, so his immediate resort was to ask a coursemate to log on to the student portal and submit the work on his behalf. For quite a long time, John had used the same password for school and work accounts, mainly because it was easy to remember. No sooner had the friend opened John’s email than he received a phishing email prompting an account verification. On following the verification link, the friend entered John’s email password, which the attacker successfully harvested, and without telling John about the event the friend went on to submit the coursework. A couple of days later, a perplexed John received calls from clients asking about invoices he had supposedly emailed them; in truth, the emails had been sent by the attacker, who now held the password that John also used for his work email.

Users today have so many logins and passwords to remember that it’s inviting to reuse credentials here and there to make life a little easier. Even though security best practices universally recommend that you have unique passwords for all your applications and websites, many people still reuse their passwords — a fact that attackers rely on. This can cause major security issues when those credentials are compromised because if an attacker is able to obtain valid credentials on one target, they can try those credentials on other targets to further compromise the system or network.

Worse still, there is credential stuffing, a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses with their corresponding passwords (often taken from a data breach), are used to gain unauthorized access to user accounts through large-scale automated login requests directed against a web application. Credential stuffing is dangerous to both consumers and enterprises because of the adverse effects of these breaches, and it is one of the most common techniques used to take over user accounts.
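The large-scale automated login pattern described above leaves a recognisable trace in a web application's authentication log: one source trying many distinct accounts with mostly failed attempts. The following detector, an added example that is not part of the original article, runs over a constructed sample log in an assumed `src=... user=... result=...` format and reports both the stuffing sources and the accounts that accepted a replayed password (the reuse cases worth forcing a reset on).

```python
import re
from collections import defaultdict

# Constructed sample of web-app authentication log lines (not from the article).
# Assumed format: "<timestamp> auth src=<ip> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2024-05-03T09:00:01Z auth src=203.0.113.7 user=alice result=fail
2024-05-03T09:00:01Z auth src=203.0.113.7 user=bob result=fail
2024-05-03T09:00:02Z auth src=203.0.113.7 user=carol result=fail
2024-05-03T09:00:02Z auth src=203.0.113.7 user=dave result=ok
2024-05-03T09:00:03Z auth src=203.0.113.7 user=erin result=fail
2024-05-03T09:00:03Z auth src=203.0.113.7 user=frank result=fail
2024-05-03T09:05:10Z auth src=198.51.100.4 user=alice result=fail
2024-05-03T09:05:20Z auth src=198.51.100.4 user=alice result=ok
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)")


def parse_log(text):
    """Yield (src, user, result) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result")


def detect_credential_stuffing(text, min_users=5, min_fail_ratio=0.6):
    """Return (flagged_sources, compromised_accounts).

    A source is flagged when it attempts logins for at least `min_users`
    distinct accounts and most of those attempts fail: the signature of a
    breached credential list being replayed, as opposed to one user mistyping
    one password. Accounts that logged in successfully from a flagged source
    are reported as probable takeovers, i.e. the reused password was valid here.
    """
    users, attempts, failures = defaultdict(set), defaultdict(int), defaultdict(int)
    successes = defaultdict(set)
    for src, user, result in parse_log(text):
        users[src].add(user)
        attempts[src] += 1
        if result == "fail":
            failures[src] += 1
        else:
            successes[src].add(user)
    flagged = {src for src in attempts
               if len(users[src]) >= min_users
               and failures[src] / attempts[src] >= min_fail_ratio}
    compromised = set().union(*(successes[src] for src in flagged)) if flagged else set()
    return flagged, compromised
```

The second source in the sample (one account, one retry) is deliberately left unflagged to show that the thresholds separate a forgetful user from a list replay.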

Moving forward, what can you do to close this dangerous loophole in the effort to strengthen the security posture of your organization?

  1. Have unique passwords for all your web-based applications, including email hosts, social media platforms, and work-related websites.
  2. Do not share your password with colleagues, and if sharing is unavoidable, change the password immediately after use.
  3. Make use of two-factor authentication so that a harvested password alone is not enough to authenticate a login request.
