Password Reuse Attacks - Constant Security Concern


Thought Leadership

Password Reuse Attacks - Constant Security Concern

Jim Nitterauer


Every so often another data breach makes the headlines. Some big name company discloses the loss of user data including credentials. Here is a list of the major breaches that have occurred in 2017. Within days if not hours, that data becomes available for purchase on the dark web and eventually on the open web for anyone to download. Over time, security analysts reviewing this data overwhelmingly draw one conclusion from the data - users love to use insecure passwords and reuse those same passwords across multiple accounts.

So how do these analysts come to this conclusion? By simply correlating usernames across services and comparing passwords. Remember, usernames are typically an email address, first initial and last name or some other easy to guess or infer combination. A username in itself is nothing more than an identifier and has no inherent security. The password component of a login is the security component of a typical login.

All username / password combinations are a form of Type I authentication (AKA something you know) and are the least secure method of authentication. Many providers now offer a second layer of authentication based upon Type II authentication (AKA something you have). This is typically the delivery of a unique code to a device that you possess like a cell phone or tablet.

When this is combined with the existing login authentication, the result is called "Two Factor Authentication" or "2FA." This type of authentication dramatically reduces the likelihood that some else can log in using your Type I credentials without your knowledge.

Unfortunately, many users don't enable 2FA for sites that support it. The other common habit is password reuse - using the same password for more than one site or service. The danger comes from breach data dumps that get posted publicly. All that is necessary then is for a malicious actor to try that username / password combination on other high value sites - an attack called a Password Reuse Attack. If the password has been re-used by the user across more than one site, the result could range from a minor inconvenience to devastating.


So how does one reduce risk while maintaining convenience for the end user? Here are a few action items:

Enable Two Factor Authentication (2FA) for all applications that support it Use a password manager to manage logins across applications like LastPass Intel True Key Dashlane RoboForm KeePass (Local vault) Consider adding 2FA using something like Duo to all your applications. Require users use a password generator along with a password manager Force users to change passwords immediately when a breach or compromise is reported Set a policy for minimum password requirements (Length, complexity, etc) Require that users NOT reuse passwords. This is hard to enforce but make the policy anyway

Users will complain initially but once they learn new habits, your risk profile will be lower and you will rest easier. I personally don't believe that resetting passwords on a regular basis has any redeeming value if your initial passwords are sufficiently complex and passwords are not reused. When users do change passwords on a regular basis, they usually make a minor change to their existing password and end up with a  bunch of similar passwords across accounts.  Users are also forced to re-authorize any account that changes on connected devices. Password managers and 2FA virtually eliminate this behavior. The better approach is to change passwords only when a compromise is suspected.


The key to successful security is ongoing user awareness training along with providing the tools and procedures that make it easier for users to implement security.

If your users suspect they have been compromised, they can check using the site Have I Been Pwned. This site is maintained by Troy Hunt, a Microsoft Regional Director. Users simply enter their email address and get a list of sites that include their username. If they get any hits, the results will indicate whether or not password data was included. If they find a password compromise, they should reset their password at ALL SITES where that password was used. Then they should change it to something different at every site. Stay secure out there!